Can government get to zero trust?

At the conceptual level, zero trust security seems simple: Don't grant access just because a user is in the system. Assume compromise, and authenticate every action.

In practice, though, zero trust can be maddeningly complicated. It also can run counter to existing architectures, work practices and even federal security requirements. Yet today's perimeterless networks and highly mobile workforces clearly need the protections zero trust can provide, so what's an agency to do?

FCW recently gathered a group of security specialists from across government to discuss what's needed to move zero trust into the mainstream. The discussion was on the record but not for individual attribution (see Page 42 for the list of participants), and the quotes have been edited for length and clarity. Here's what the group had to say.

Zero trust, but many definitions

The zero trust security concept was introduced by John Kindervag, now at Palo Alto Networks, in 2010. Yet it was slow to catch on, several participants said, because zero trust seemed to equal zero access. "If you are trying to close every door, it's almost impossible to do that," one official said. "And zero trust was a little bit monolithic in the initial conception."

Implementations over the intervening decade (perhaps most notably by Google) have proven zero trust's potential, but the monolith has been replaced by a muddle of competing services and marketing campaigns.

"It's still very, very squishy," one participant said. "That's the danger of overloaded buzz phrases. It's kind of the new AI/machine learning."

For the roundtable participants, the core concept boiled down to, as one speaker put it, "dissolving as much as possible this notion of the strong network perimeter." All agreed that this meant focusing on both users and data, though views varied on the exact mix.

"You protect what you think is important," one said. "Five or 10 years ago, people felt like the network was the most important thing. Now you look at the data and the application entry and the protection of confidentiality as primary objectives." That doesn't mean relaxing network access restrictions, "but it certainly changes the dynamics."

Participants also suggested various labels to better describe the approach. "'Zero trust' was a misnomer to begin with," one said, "because if you don't trust anyone, nobody will get anything done." A more accurate term would be "context-based trust."

"Variable trust" may be a better term, another said, "in that I trust the devices that I issued and I'm aware of more fully than I trust devices that are strangers to me — and the same thing with location-based entry points."

Others emphasized the idea of trust decay as an essential ingredient for real-world implementation. "You've established a trust score — fantastic," one said. "But how long does that trust score stay persistent?" Much like a VPN might disconnect a user after some period of inactivity, a trust score could depend on the time since a "normal" network action was observed, and users must maintain "a certain score in order to access this data due to its criticality."

There are some well-established reference points, several speakers noted. They recommended ACT-IAC's 2019 white paper on the topic and the National Institute of Standards and Technology's second draft of Special Publication 800-207 on zero trust architecture, which was released in February. "That's always kind of been my starting point for anything that feels a little buzzwordy," one speaker said. "I see if I can map it back to a canonical NIST source document."

One participant suggested that zero trust also reflects the changing role of IT organizations in government. As IT increasingly works with the business owners on mission objectives instead of simply supporting systems, the official said, "you're going to see an evolution from infrastructure focus to product focus or, in some cases, the application focus. I think that zero trust layers into that."

The first challenge: Knowing what's normal

"The new normal" has become an overused term since COVID-19 upended workplaces, but several participants said the surge in telework was indeed changing security conversations. "I think it's been a catalyst for people to think about how that strong network perimeter isn't what they thought it was," one said.

New or old, however, establishing what's normal in a network is essential to a zero trust approach. Location data has changed dramatically in recent months, but multiple officials said defining a baseline is difficult even without maximum telework.

"What is normal will change over time," one said. "Certain changes, while deemed anomalous, could be quite normal in a network. And so this whole idea of understanding patterns and normalcy and looking for anomalies becomes an extremely challenging problem."

Thanks to the Continuous Diagnostics and Mitigation Program, the 2015 governmentwide "cyber sprint" and recent efforts by the Cybersecurity and Infrastructure Security Agency (CISA), federal agencies now have much better data on their users, devices and network traffic than was the case just a few years ago. But understanding that data and using it to create a baseline are other matters entirely.

"People forget it's not always a user accessing the data system," one official said. "The systems also are sharing data all the time." Another pointed to the surge in robotic process automation initiatives and said AI-powered automation can conclude: "'Hey, this data and this data really work well together.' So we now have automation creating these streams in the background, which complicates things a little bit further."

Similarly, another added, "we always talk about access and the data as if data is always sitting still. What are we doing to protect it when it is in motion? That needs to be addressed, too. I don't hear a lot of that when I hear people talk about zero trust."

"Some system owners don't really know how their data flows," another participant said. "It's going to make your life much more difficult if you cannot baseline that normal."

Artificial intelligence and analytics will be essential to making sense of all that data, the group agreed. The complexity is effectively forcing CIOs to become data analysts, one official said, because "you're going to have to use analytics in order to help manage your networks."

Is federated trust feasible?

Such efforts are difficult enough for a single in-house system, but some participants expressed concern that the increasing reliance on shared services and cross-agency collaborations could make zero trust prohibitively complicated.

"I still think there is a tremendous complexity as we continue to outsource capabilities," one official said. "How do you manage where you may have 50-plus software services, where your data is beginning to be stored in vendors' environments versus your environments? There are areas where we just don't have the 100% visibility within those environments."

A participant from one of the larger federal agencies agreed: "Where we ran into a lot of trouble was in defining the minimum standard for an identity. Does it have to be hardware-based? Does it have to be certificate-based? What's the minimum standard we give to someone to say, 'Now you can be trusted as part of this distributed federated trust'?"

You can't buy zero trust — but still, buy carefully

When the conversation turned to practical implementations, one official quipped: "Everyone knows all you have to do is just go buy it. It comes in a box. Just install it and everything works."

After the laughter subsided, though, several participants noted that procurement must be approached with an eye toward becoming zero trust-capable.

"I think people forget about the component technologies that make something like zero trust possible," one official said. "You're talking about things like flexibly defined software-defined networks. You're talking about things like strong Transport Layer Security certificate management. These things have to exist before you can even really start to approach a concept like zero trust."

The roughly year-old Federal Acquisition Security Council can help define best practices in this area, another official said, and yet another noted that the Defense Department's Cybersecurity Maturity Model Certification program could be "a foundational step to ensure that the network and the people we're working with are capable of protecting our data."

But ultimately, participants agreed, each agency must scrub its own acquisition stream to make sure the assets and services will support zero trust. And they stressed that this is just groundwork.

"All those things together help you get toward zero trust," one official said, "but none of them allows you to just stand up and say, 'We are zero trust now.'"

Zero trust doesn't get you to green

The issues cited above would apply to any organization moving toward zero trust, but the roundtable participants said federal agencies face an additional hurdle: governmentwide mandates and the compliance culture that comes with them.

The Federal Information Security Management Act "is very much not zero trust-friendly to me," one official said. "CDM is not there yet either. They're working that way, but it is very network- and on-premises-focused as well. We have to meet these mandates, and if they don't change, it will be hard for us to move forward on zero trust because that's a total shift in the concept."

The Federal Acquisition Regulation and the Defense Federal Acquisition Regulation Supplement also pose challenges, another noted: "These things are too out of date to even begin to look at something like zero trust. It makes these things really, really difficult for us to move forward and implement the right technology and the right security."

"We are incentivized to chase green on our dashboards," a third official said and added the Federal IT Acquisition Reform Act report cards to the list of potential roadblocks. "Nowhere in those dashboards does it say green equals zero trust. There's no button that says zero trust to make it better. "

It's important for vendors to understand that chief information security officers won't be sold on zero trust solutions just for the sake of zero trust, that official said. "The question is: If I implement your solution, what can I get rid of from a competing product perspective on a per-control basis? And how does it better my posture on these federal dashboards?" Only when those questions are answered will agencies have "the ammunition we need in order to pull the trigger on these solutions."

There are signs of progress, though. In addition to CDM's evolution and recent changes to the Trusted Internet Connections policy, participants pointed to the more collaborative approach CISA has taken over the past year.

"I think it bodes well for the federal government in general," one official said. "Yes, leadership chases green — they're incentivized to do it. But the green is sometimes the wrong green. The people who are writing those questions are now at least a little bit more open to figuring out what the right questions are."

Focus on the outcome (and start small)

Given the many complexities involved, most of the participants were focused on finding practical starting points rather than perfecting the larger framework.

As one official said about adopting zero trust: "At the end of the day, I've got to be able to answer one question: Is my data still protected as a result? If I can answer that question, I'm good."

Another recommended focusing on specific use cases: "Can enterprises with satellite facilities connect without compromising the entire network? Can contractors get access without compromising the entire network? Can collaboration across enterprise boundaries happen without compromising the entire network? That's really what we're talking about from a zero trust perspective."

Similarly, other participants emphasized starting with clearly defined functional building blocks. "How do we tackle lateral movement?" one asked. "What degrees of trust do we implicitly give to your Common Access Card, to your Kerberos token? What is the exact level of lateral movement that can come from those different things? And then start attacking that."

Specific applications can also offer a starting point. "A lot of people focus on devices and protecting the device, but it's actually the application that facilitates the access to that data," another participant said. "So that should be hardened."

All admitted that the complexity can be daunting. "Nothing is going to make this simple," said one official who urged focusing on the data layer. "But if we can start to define policy at the layer that we care about, we can at least simplify the approach and reduce the number of layers we have to take into consideration."

And while it's important to think about design principles at the enterprise level, there was strong consensus that implementations should start small.

"I'm of the opinion that the component technologies that enable something like zero trust can be small and have clear finish lines and run in parallel," one official said. "But I count myself personally fortunate that at my agency, nobody thus far has stepped up and said, 'We're going to have a [departmentwide] zero trust initiative' because that's intractable."