Zero Trust: An Updated Approach to Agency Cybersecurity
RESEARCH BRIEF
Executive Summary The internet was built on trust. Engineers assumed that only those who were supposed to use it would be authorized on the newly created government and research network. As such, they focused most of the underlying protocols on functionality, not security. Fifty years later, the internet has evolved into a global platform that is used for everything from communications to education, and as a cornerstone for both serious business and entertainment. Agency IT infrastructures have also evolved from closed, defensible systems to complex distributed networks accessible by users and devices worldwide. The old trust model no longer works. The current reality requires a trust model that accepts the fact that agency networks no longer have defensible perimeters and that malicious actors can be inside the network using legitimate credentials in addition to attacking from outside. The new model must also protect users from themselves, mitigating the damage that can happen when well-meaning users make innocent mistakes that can result in security compromises and data breaches. The updated model focuses on validating connections, tracking user and device activity throughout the network, and granular enforcement of mission-driven, need-to-know access based on user/device characteristics, the data in question, the application and other criteria. That updated model is called Zero Trust.
What is Zero Trust? Zero Trust is an approach to defense-in-depth, and the concept is as simple as its name. “It starts by saying, ‘Don’t trust by default,’” said Jim Richberg, Field Chief Information Security Officer at Fortinet, a leading provider of security-driven networking for governments, enterprises and service providers.
(Survey chart: How well do you understand the concept of Zero Trust?)
(Survey chart: Is Zero Trust security a component of your agency’s cyber strategy?)
It doesn’t mean that agencies assume their users are untrustworthy, but rather that they should “assume that the bad actor is in the network and always verify access requests,” he said. Once users have been granted access, you must keep an eye on what they are doing while on the network. Like many simple concepts, effective implementation in the real world can be challenging. GovLoop, Fortinet and Carahsoft recently teamed up to conduct a survey of more than 100 federal, state and local government and industry employees. A little more than half of respondents said they were very or fairly familiar with the concept. But more than half said that Zero Trust was either not yet a part of their agency’s cybersecurity strategy or that they didn’t know whether it was.
The evolution of agency networks and the threats they face warrant changes in assumptions of trust in cybersecurity. A Zero Trust model defends against both mistakes and malicious activity from both inside and outside the network.
Why Zero Trust Today? “The idea of Zero Trust is not new,” said Fortinet’s Richberg. “It goes back 30 years. But the evolution of IT and of the threat actors are making it more important now.” In fact, much of the foundational work defining the requirements and principles of Zero Trust computing was done by the federal government.
Mainframe computing with dedicated computer rooms and limited network connections made it possible in the past century to protect the IT infrastructure with physical security. The client/server model expanded the perimeter, making it virtual rather than physical. Firewalls and antivirus products defended this new perimeter. They are outward-facing tools that assumed the bad guys were outside trying to get in. Despite the expenditure of millions of dollars on these tools, the Government Accountability Office (GAO) has designated national cybersecurity as a high-risk area continuously since 1997, declaring in its most recent report that “federal agencies…need to take urgent actions to implement a comprehensive cybersecurity strategy, perform effective oversight, secure federal systems, and protect cyber critical infrastructure, privacy, and sensitive data.”
Today, with the rapid adoption of cloud computing, remote access by mobile devices and the Internet of Things, the network perimeter has effectively disappeared, making outward-facing defenses as outdated as the Maginot Line. More than 70% of respondents said their agencies had a very clear or somewhat clear picture of the people and devices on their networks. But the steady drumbeat of data breach reports from government and private industry shows that this picture is not effectively protecting their data and other IT resources.
(Survey chart: Does your agency have an accurate picture of all the devices on the network?)
(Survey chart: Does your agency have an accurate picture of all the users on the network?)
(Photo: Self-portrait of the Curiosity Rover. Source: NASA)
Ponemon’s latest “Cost of Data Breach Report” analyzes data breach costs reported by 507 organizations across 16 regions and 17 industries. The average total cost of a data breach to an organization is $3.92 million globally. The U.S. average is the highest in the world at $8.19 million. The “2020 Annual Cybercrime Report” by Cybersecurity Ventures estimates that “cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.” Financial loss is not the only measure of the threat. Sensitive and classified government data is also at risk in agencies, from insiders and outsiders alike:
• According to a NASA Office of the Inspector General (IG) report from June 2019, an unauthorized person accessed NASA’s Jet Propulsion Laboratory, making off with highly sensitive information, including details about NASA’s Curiosity Rover. The hacker went undetected for 10 months and had access to many critical projects.
• Reuters reported on Feb. 20, 2020, that the Defense Information Systems Agency (DISA), which provides security for sensitive executive branch communications, believes a breach between May and July 2019 could have compromised data on its systems.
• The Washington Post on March 22, 2020, reported a “major privacy incident” at the Federal Emergency Management Agency (FEMA): a possible breach of information on 2.5 million persons who had sought disaster assistance. An IG report states that FEMA became aware of the problem in December 2019, when the agency installed a data filter to spot inappropriate sharing of the information.
There is an opportunity to improve current cybersecurity models to better meet the needs of today’s networks. A Zero Trust platform uses visibility into IT networks and systems to identify all users and devices and assign only appropriate access privileges. It also monitors activities to identify, stop and remediate malicious or inappropriate activity. All those components will improve today’s security models.
Challenges – Mountains or Molehills? Most agencies know they need better visibility into their networks and greater control over who is on them. Along with their industry partners, these agencies have begun to turn to Zero Trust as a model for their cybersecurity. “We’ve been trying to do it for a long time,” Richberg said. “As the technology gets better, we are getting better at doing it.” Three-quarters of survey respondents said their agencies already authenticate users and devices on their networks. This is a start. But the complexity of today’s networks can make fully implementing a Zero Trust architecture a daunting task.
Zero Trust requires authenticating the identity of users and devices every time they appear. Determining the access privileges each user needs for each task and monitoring all activities even after authentication require very granular control. Implementing this on distributed networks operating with technology ranging from Cold War-era systems to cloud architecture is a complex task.
Moving beyond traditional authentication of users and devices is just the beginning. Correlating additional factors such as device type (and supply-chain characteristics), user location, time of day, date and frequency of connections into a risk-scoring model further adds to determining persona-based “trust levels.” But doing so allows agencies to tailor access to the task at hand, so that if a user needs to read data but not write to a file or delete it, they are not granted those additional privileges for that transaction or session.
(Survey chart: Does your agency authenticate users and devices before allowing them to access network resources?)
On the technology side, full implementation requires powerful hardware and computing power. On the people side, it requires new policies, new business processes and new workflows that can change the way agencies function. “People look at it as a Mount Everest,” Richberg said. From the bottom, the task of getting to the summit looks impossible. But the secret to getting there in many cases is to just start climbing. Zero Trust is not an all-or-nothing proposition, and agencies don’t have to reach the summit in a single leap. Even if the ultimate goal is a long way off, they can realize benefits by taking the first steps. “You can crawl, walk and then run with your implementation,” Richberg said. “You’re probably already doing some of it.”
(Survey chart: Does your agency practice least privilege, allowing users to access only those resources that they need to do their jobs?)
Although retrofitting and applying new policy to legacy systems can be challenging, regular technology refreshes and IT modernization programs offer the chance to implement Zero Trust principles on a step-by-step basis as agencies upgrade their systems. Rudimentary network segmentation to support different levels of access privilege is a useful first step; more dynamic segmentation with automated traffic monitoring and analysis can follow later.
In our survey we found that 69% of respondents were already practicing “least privilege” in their agency. Least privilege is the principle that each user should have only the privileges on the network they require to do the job at hand. When the job is done, those privileges should end and they should be assigned new ones as needed.
As more agencies move critical applications to the cloud under the federal Cloud Smart strategy, they have the opportunity to implement Zero Trust security in this new environment. Agencies have ultimate responsibility for the security of their cloud environments, but cloud service providers should offer the visibility and control that agencies need to implement Zero Trust.
Like any security model, Zero Trust is a continuous process rather than a static end state. Agencies should not hesitate to begin just because the goal seems distant.
The Technology You Need is Now Available The basis of a Zero Trust strategy is policies, rather than technology. It’s a logical extension of least privilege.
Under Zero Trust, least privilege begins with the access request. That means no trust — and no access — by default. Agencies should grant trust as appropriate, based on the access credentials presented; the type and condition of the user’s device; and the time, location and type of connection. If any of these raise doubts, trust can be limited or denied. Agencies should constantly reevaluate trust as they monitor activities on the network for anomalous behavior throughout the session.
This not only protects agencies from malicious users, but also from good users taking accidental actions that could compromise security. Because each user has privileges only for the task at hand, and because they are constantly evaluated, most innocent mistakes that could result in a critical security problem will be outside those privileges and denied. This also stops truly malicious users in their tracks and shines a spotlight on their presence and activities.
It’s true that agencies need good technology to carry out this strategy, but as Richberg observed, they have probably done some of the groundwork already, and likely have at least some of the necessary tools on hand.
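The risk-scoring and per-session privilege tailoring described in the Challenges section, and the grant-then-reevaluate cycle described just above, as an added illustration that is not code from the brief or from Fortinet: a toy policy decision point in Python. Every request starts with no trust, earns a score from the signals the brief lists (credentials, device condition, location, time and connection pattern), and is granted only the actions that its score allows. The signal names, weights, thresholds and permission tiers are assumptions chosen for the example; a production engine would key them to data sensitivity and to the agency’s own policy.

```python
"""Added example, not code from the brief or from Fortinet: a toy Zero Trust
policy decision point. Nothing is trusted by default; each request earns a
score from the signals the brief lists (credentials, device condition,
location, time, connection pattern) and the score selects what the request
may do. All weights, thresholds and tiers below are assumptions."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa: bool                   # second factor presented for this request
    device_managed: bool        # device is in inventory and runs the agent
    device_compliant: bool      # agent reports patch level and EDR are current
    location: str               # "campus", "vpn" or anything else
    hour: int                   # local hour of the request, 0-23
    connections_last_hour: int  # how often this identity connected recently
    requested: frozenset = frozenset()   # actions asked for, e.g. {"read", "write"}


# Assumed weights: identity assurance and device posture carry the most weight.
SIGNAL_WEIGHTS = {"mfa": 30, "device_managed": 20, "device_compliant": 20}
LOCATION_WEIGHTS = {"campus": 20, "vpn": 10}   # an unknown location scores 0
BURST_PENALTY = 30                              # too many connections in an hour

# Assumed tiers: the highest tier whose floor the score reaches is granted.
TIERS = [
    (80, frozenset({"read", "write", "delete"})),
    (60, frozenset({"read", "write"})),
    (40, frozenset({"read"})),
]


def trust_score(req: AccessRequest) -> int:
    """Combine the request's signals into a 0-100 trust score."""
    score = sum(w for sig, w in SIGNAL_WEIGHTS.items() if getattr(req, sig))
    score += LOCATION_WEIGHTS.get(req.location, 0)
    if 6 <= req.hour <= 20:          # ordinary working hours
        score += 10
    if req.connections_last_hour > 20:
        score -= BURST_PENALTY
    return max(0, min(100, score))


def allowed_actions(score: int) -> frozenset:
    """Deny by default: a score below every floor yields no actions at all."""
    for floor, actions in TIERS:
        if score >= floor:
            return actions
    return frozenset()


def decide(req: AccessRequest) -> dict:
    """Grant only the intersection of what was asked and what the score allows."""
    score = trust_score(req)
    allowed = allowed_actions(score)
    return {"score": score,
            "granted": req.requested & allowed,
            "denied": req.requested - allowed}


def reevaluate(req: AccessRequest, **observed) -> dict:
    """Mid-session check: the same decision, recomputed with fresh signals."""
    return decide(replace(req, **observed))


if __name__ == "__main__":
    alice = AccessRequest("alice", True, True, True, "campus", 10, 3,
                          frozenset({"read", "write", "delete"}))
    print(decide(alice))                                  # all three granted
    print(reevaluate(alice, connections_last_hour=25))    # delete drops out
```

The point of reevaluate() is that the same decision function runs again during the session with fresh signals, so a burst of connections or a device that falls out of compliance shrinks the granted set without waiting for the next login. Granting the intersection of what was requested and what the score allows is what keeps a read-only task from carrying write or delete rights along with it.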
(Survey chart: Which cyber solutions does your agency use?)
Few, if any, agencies have fully implemented Zero Trust in their cybersecurity posture; however, more than 70% of respondents reported using some form of network access control (NAC). Two-thirds said they use identity and access management (IAM), and more than half have segmented their networks with internal firewalls. About half are using centralized authentication services and multifactor authentication. But far fewer are actively scanning traffic or running endpoint security.
It is not enough to merely verify user credentials before allowing access to network resources, said Jim Harrison, Fortinet’s Director of Federal Civilian Sales. “You need to have an agent of some sort on the device to identify it and analyze its compliance with security requirements,” Harrison said.
Agencies must also have an accurate inventory of network and information resources so that they can be aware of what they need to protect. Agencies should continuously evaluate these resources for risk, which includes the likelihood of an exploit or breach and its potential impact.
Apart from authentication and authorization, there must be a way to gather and analyze data to spot suspicious or unusual behavior. “As an example, you need to know when someone is downloading more information than is normal,” or exfiltrating it to an improper location, Harrison said.
Agencies need to integrate their separate tools so that as much of this information as possible is brought together for analysis. That integration lets them know who is on the network and what they are doing, and judge whether the behavior is appropriate or should be flagged as suspicious.
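The “more than is normal” check Harrison describes, and the correlation of transfer records with an inventory of what is an acceptable destination, as an added example that is not code from the brief or from any Fortinet product: a Python pass over constructed transfer logs that baselines each user’s daily download volume against that user’s own history and separately flags transfers to addresses outside an assumed internal address space. The log line format, the factor-of-five threshold, the three-day minimum history and the allowed networks are all assumptions made for the illustration.

```python
"""Added example, not code from the brief or from any product: a small
behavior-analytics pass over constructed transfer logs. It flags (1) a day on
which a user's download volume far exceeds that user's own history and
(2) transfers to destinations outside the agency's address space. The log
format, thresholds and allowed networks are illustrative assumptions."""
import ipaddress
import re
from collections import defaultdict
from statistics import median

# Constructed sample log, one transfer event per line. bob's last day and
# alice's upload to 203.0.113.9 are the two events a reviewer should see.
SAMPLE_LOG = """\
2020-03-02T09:12:03Z user=bob action=download bytes=5242880 dst=10.20.1.7
2020-03-03T10:02:11Z user=bob action=download bytes=6291456 dst=10.20.1.7
2020-03-04T09:45:52Z user=bob action=download bytes=4194304 dst=10.20.1.7
2020-03-04 malformed entry that the parser must skip
2020-03-05T11:20:00Z user=bob action=download bytes=5242880 dst=10.20.1.7
2020-03-06T02:14:09Z user=bob action=download bytes=314572800 dst=10.20.1.7
2020-03-02T09:30:00Z user=alice action=download bytes=1048576 dst=10.20.1.8
2020-03-03T09:31:00Z user=alice action=download bytes=1048576 dst=10.20.1.8
2020-03-04T09:32:00Z user=alice action=download bytes=2097152 dst=10.20.1.8
2020-03-05T09:33:00Z user=alice action=upload bytes=1048576 dst=203.0.113.9
2020-03-06T09:34:00Z user=alice action=download bytes=1048576 dst=10.20.1.8
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<bytes>\d+) dst=(?P<dst>\S+)$"
)

# Assumed internal address space; anything else is an "improper location".
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]


def parse_log(text: str) -> list:
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def daily_download_totals(events: list) -> dict:
    """user -> date -> total bytes downloaded that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["action"] == "download":
            totals[ev["user"]][ev["date"]] += ev["bytes"]
    return totals


def volume_anomalies(events: list, factor: int = 5, min_history: int = 3) -> list:
    """Flag a day whose download total exceeds factor x the median of that
    user's earlier days. The baseline is per user, so a heavy user is judged
    against heavy history rather than against one global threshold."""
    findings = []
    for user, by_day in daily_download_totals(events).items():
        history = []
        for day in sorted(by_day):            # ISO dates sort chronologically
            total = by_day[day]
            if len(history) >= min_history:
                baseline = median(history)
                if total > factor * baseline:
                    findings.append({"user": user, "date": day,
                                     "bytes": total, "baseline": baseline})
            history.append(total)
    return findings


def destination_anomalies(events: list, allowed=ALLOWED_NETS) -> list:
    """Flag transfers whose destination is not inside an allowed network."""
    findings = []
    for ev in events:
        try:
            addr = ipaddress.ip_address(ev["dst"])
        except ValueError:
            findings.append({**ev, "reason": "unparseable destination"})
            continue
        if not any(addr in net for net in allowed):
            findings.append({**ev, "reason": "destination outside agency networks"})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in volume_anomalies(evs):
        print("volume:", f)
    for f in destination_anomalies(evs):
        print("destination:", f)
```

Two design points carry over to a real deployment. The volume baseline is computed only from days before the one being scored, so a user cannot quietly raise their own threshold with the anomalous day itself; and the destination check is a separate signal, because an exfiltration can be small in volume but still leave the agency’s address space. A SIEM correlation would join findings like these with the authentication and device-posture records the brief describes.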
According to Felipe Fernandez, Director of Systems Engineering at Fortinet, the basic suite of tools needed to implement Zero Trust policies includes:
• IAM to identify users and devices and grant appropriate authorities
• NAC to enforce policy associated with access and privilege
• An endpoint agent capable of User and Entity Behavior Analytics to recognize activity that could be malicious or otherwise dangerous
• Security Information and Event Management to integrate and correlate data from a variety of sources
• A next-generation firewall capable of handling segmentation, encrypted traffic and deep-packet inspection at the application layer (layer 7) to help understand what applications users are accessing
Bringing all of this together can be daunting. But as systems become more integrated and automated, agencies can realize benefits by taking advantage of machine learning and automated decision-making. Policy automation and artificial intelligence can take mundane tasks associated with monitoring networks away from humans.
“It can really take a lot of the heavy lifting off the backs of the security operations team,” speeding response times and freeing those workers for other parts of the job that require their skill and judgment, Richberg said.
Zero Trust Policies Taking Shape Although implementing Zero Trust appears challenging, agencies can realize benefits by beginning with simple steps, taking advantage of regular tech refreshes and IT modernization, and leveraging cloud computing. Some federal agencies are exploring Zero Trust with pilot programs, and the Office of Management and Budget and the National Institute of Standards and Technology (NIST) are creating roadmaps for adoption. “That kind of policy guidance is helpful,” Harrison said.
The NIST National Cybersecurity Center of Excellence has worked closely with the Federal CIO Council, federal agencies and industry to address the challenges and opportunities for implementing Zero Trust architectures. It held a technical exchange meeting on the subject in November 2019, with presentations from the Homeland Security Department, DISA, NASA, and the Alcohol and Tobacco Tax and Trade Bureau, plus industry partners. NIST also released a second draft of Special Publication 800-207 on Zero Trust Architecture in February 2020, including deployment models and use cases for implementing Zero Trust.
How Fortinet Helps
Visibility into the network and its users, together with the ability to integrate data, monitor, analyze and make decisions, are keys to a complete Zero Trust strategy. Fortinet’s Zero-trust Network Access framework uses a tightly integrated collection of security solutions to meet these requirements.
“A lot of our products are Zero Trust by default,” said Richberg, and integrate with other vendors’ products already in the network. Together, they give agencies the ability to see, understand and act. Those tools include:
• FortiNAC discovers and identifies devices on or seeking access to the network and scans them to determine their type and security status. Zero-trust Network Access addresses the challenge of off-network devices with client- and cloud-based solutions.
• FortiAuthenticator provides authentication, authorization and accounting services, supporting FortiToken for two-factor authentication and applying appropriate access policies to all users.
• FortiClient combined with FortiEDR delivers advanced, real-time threat protection for endpoints both before and after an infection.
Conclusion Modernizing government IT requires adopting a Zero Trust approach for effective cybersecurity, and the trends leading in this direction will continue. COVID-19 created a surge of telework in government that is unlikely to change when the pandemic passes. Two-thirds of survey respondents said they expected to see growth in their agencies’ remote workforce in the next two years even without the need for social distancing. Government IT leaders who are ready to take advantage of the Zero Trust model for security can begin by leveraging the experience of their peers in government, technical guidance from NIST and the expertise of their industry partners.
ABOUT FORTINET
Fortinet (NASDAQ: FTNT) provides federal government customers with complete visibility and control across the expanding attack surface and the power to take on ever-increasing performance requirements today and in the future. The federal government owns some of the world’s most sensitive—and coveted—data. Compromised systems can lead to disastrous consequences—for national security, the economy, and technological innovation. By providing integration, automation, compliance, and performance at scale, Fortinet offers federal agencies world-class solutions for on-premises perimeter security, secure remote access, multi-domain networks, advanced threat protection, zero-trust network access, operational and security awareness, third-party and insider threat protection, and many other needs. Learn more at www.FortinetFederal.com.
ABOUT GOVLOOP GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 300,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to info@govloop.com.
1152 15th St. NW Suite 800 Washington, DC 20005 P: (202) 407-7421 F: (202) 407-7501 www.govloop.com @GovLoop