COVID-19 Should Prompt Enterprises to Move Quickly to Zero Trust 

COVID-19 makes organizations confront the reality that their network boundaries no longer end with their own infrastructure but now extend to employees’ homes. Underscoring this is the Office of Management and Budget’s request that federal agencies “offer maximum telework flexibilities to all current telework eligible employees, consistent with operational needs of the departments and agencies.” To maintain continuity of operations, government organizations must move toward a new network security paradigm that distrusts all devices and users and denies them access to network resources until they have demonstrated the requisite level of security and authorization. That strategic initiative is called “zero trust.” 

Zero trust models, according to the National Institute of Standards and Technology, “assume that an attacker is present on the network and that an enterprise-owned network infrastructure is no different – or no more trustworthy – than any non-enterprise owned network.”

In 2019, the Department of Labor’s Bureau of Labor Statistics estimated that in 2017-2018, approximately one-third of wage and salary workers were able to and do work from home. In light of the recent COVID-19 pandemic, however, the number of those teleworking far exceeds this estimation and is growing daily according to news reports. Contrast this higher demand with another 2019 study showing close to 50% of remote employees admit to using applications or software not approved by their companies and it is easy to see how the effects of a crisis like COVID-19 extend across agencies. To better protect federal and contractor resources and information as traditional location or perimeter-based defenses become less effective, enterprises should consider security principles like zero trust that assume complexity and anticipate diversity. Security strategies built upon zero trust principles consider factors such as varying types of employees that are working (e.g. full-time employees, contractors), the devices that are utilizing the network (e.g. laptop, mobile, internet of things), and the methods by which access requests to information resources are made. 

At the heart of zero trust is the goal of “preventing unauthorized access to data and services coupled with making the access control enforcement as granular as possible.” In order to achieve this vision, several technical elements are necessary, and it is important to note that a single commercial tool or technology will not be able to deliver all capabilities. Per NIST, the logical elements of zero trust include: policy engine, policy administrator, and policy enforcement point. Several data sources are necessary to provide input to these policy-based mechanisms which will feed the trust algorithm that ultimately determines whether to grant (or deny) access to information resources based on the level of evaluated trust of the endpoint/user combination. NIST categorizes the types of input as: access request; user identification, attributes and privileges; asset database and observable status; resource access requirements; and threat intelligence.

The integrity of the data yielded in answer to these questions lies at the heart of a successful zero trust architecture and forms the evaluated trust that is used to grant (or deny) the access request. To that end, a dynamic and accurate accounting of users, connected devices, their attributes and hygiene, and configurations are foundational to zero trust architecture. While implementing zero trust architecture during this period of coronavirus-caused disruption is unlikely, agency leaders can take some steps to build some of the foundational capabilities necessary to implement zero trust. A good way to begin is by asking how your organization determines: 

• What is connected? What devices, applications, and services are used by the organization? This includes observing and improving the security posture of these artifacts as vulnerabilities and threats are discovered.
• Who is using the network? What users are part of the organization or are external and allowed to access enterprise resources?
• What is happening on the network? Agencies need insight into traffic patterns and messages between systems. 
• How is data protected? Federal and contractor teams must enforce policies on how information is protected at rest, in transit, and in use.

To answer these questions, organizations must have the capability to continuously detect, profile, determine required authorization, evaluate the security posture of, and enforce policy-based controls on all connecting devices. They must be able to do this for traditional information technology devices as well as non-traditional operational technology devices, including building automation systems, industrial controllers and other mission-supporting devices. Further, organizations should be able to monitor and analyze communication patterns between specific departments, devices or groups of devices, offering a comprehensive understanding of device behavior, and the ability to enforce policies across all network environments (campus, cloud systems, data centers, and VPN/remote networks). 

Initiatives like the Continuous Diagnostics and Mitigation and Comply-to-Connect programs for civilian and defense agencies, respectively, are good examples of zero trust-based strategies beginning with the above, four fundamental questions. 

Employees are increasingly enabled to work from home by a variety of software applications and increased network functionality. But accessing corporate resources from home, even with the best planning, can introduce risk. COVID-19 will not be the last thing to disrupt normal federal operations, but greater reliance on zero trust principles in cybersecurity will help agencies fulfill missions, enhance preparedness for future physical and IT contingencies and yield greater metrics for continually adapting defenses over time.

Ellen Sundra is vice president of Global Systems Engineering at Forescout Technologies.