Zero Trust or Bust

Recently issued Executive Order 14028 serves as a call to action for the federal government, in partnership with private industry, to make “bold changes and significant investments” to strengthen the cybersecurity posture of the nation.

Among its objectives, the executive order mandates accelerated adoption of multi-factor authentication, encryption of data, and pursuit of zero-trust architectures by federal civilian executive branch agencies. As the requirements of order 14028 are executed over the next year and beyond, one primary consideration should drive implementation: who gets to see what content? 

Encryption alone is not a data-centric security approach. However, sound security policies can be enforced through encryption, even at the data level, through use of a consistent and diligently applied approach to access control built on a zero-trust model. 

Elements of Zero Trust 

Zero trust is predicated on the fact that, within the context of an information system, trust is never assumed or inherited, and, per NIST SP 800-207, it “involves minimizing access to resources (such as data, compute resources, and applications/services) to only those subjects and assets identified as needing access as well as continually authenticating and authorizing the identity and security posture of each access request.” With this foundational approach in mind, below are the six core elements of a data-centric zero-trust architecture:

• Identity. This applies to individuals, devices, software, APIs and any other entity accessing sensitive information. The means of managing identity must be thoroughly examined by use case and should align with existing federal policies and guidelines. Further, a continuously monitored lifecycle approach to identity and credential management, as reinforced by a requirement for multi-factor authentication, is a proven method across security models to reduce risk of exploit, and it is foundational to zero trust.
• Access control policy enforcement. A critical element of data protection is ensuring that access is granted only to those who have a true business or mission need to view it. As employees’ work scopes and projects change, and as people offboard from the organization, access rights should be quickly adjusted. As a best practice, access policies should be reviewed and updated on a regular basis to ensure alignment with business and security priorities.
• Preferred encryption method by business process/workflow. Organizations generate, consume and disseminate different types of sensitive data in a variety of ways. Agencies can enhance resiliency and adaptability of their tech stacks by selecting technologies with a high degree of crypto-agility—meaning that cryptographic primitives and algorithms can be easily swapped without significant (often costly) changes to infrastructure.
• Infrastructure for data operations. In a zero-trust model, data access decisions occur agnostic to where data are processed. This offers agencies the flexibility to manage data across disparate infrastructure using approaches like container orchestration, which can yield organizational process efficiencies through more rapid, repeatable and scalable deployments. To ensure the highest degree of data integrity, encrypted data should be stored and managed separately from the associated encryption keys.
• Entitlement system. Carefully managed and consistently updated methodologies and administrative controls must be in place to ensure access privileges are current and accurate. Failure to do so opens up vulnerabilities and greater risk of insider threats.
• Data tagging approach. Beyond traditional classification paradigms, agencies should develop a framework and accompanying enterprise data tag dictionary for everything from classified content to controlled unclassified information. This framework should be leveraged to serve the dual purpose of enhancing security and optimally leveraging data as a strategic asset. Additionally, the framework should be designed in a way that allows for growth and flexibility, as contexts vary across missions and business units. 

Phases of Implementation 

Enterprise-level zero-trust implementation plans, as called for in the executive order, should address the above elements by first setting a zero-trust vision that identifies a target end state, including a best-fit approach per element that reinforces organization-specific mission objectives. Once a vision is established, agencies can begin to set an execution strategy, which could include policy updates, governance body spin-up or change in operations, hiring, end-user and system administrator training, procurement or reallocation of resources, to name a few. Finally, beyond regular reporting requirements, agencies might offer a briefing of their experiences to their relevant governance bodies or to one of the several federal interagency coordinating bodies, for example, the Federal CIO Council, relevant interagency policy committees or other communities of practice. Agencies could also help others learn about effective security technologies by partnering with the National Cybersecurity FFRDC through the Work for Others Program, managed by the NIST National Cybersecurity Center of Excellence.

A Layered Approach to Security

The recent cyberattacks on SolarWinds systems and their customers, as well as on Colonial Pipeline, demonstrate the importance of a layered approach to data security. Implementing a zero-trust model based on strong identity management, object-level encryption to enforce access control policy, and distinct infrastructure for key management can enable the immediate revocation of data access, regular and rapid rotation of encryption keys, and mitigation of data loss to “stop the bleeding” quickly in the case of attempted breach.

Will Ackerly is the chief technology officer and co-founder of Virtru. He previously spent eight years at the National Security Agency and is the inventor of the Trusted Data Format.