The federal government is adopting a zero trust cybersecurity strategy, emphasized most recently by President Biden’s extensive cybersecurity executive order and “Embracing a Zero Trust Security Model,” a new seven-page document from the National Security Agency (NSA) detailing zero trust, its benefits and challenges, and recommendations for implementing the model within agency networks.
Zero trust would combat two of today’s greatest security challenges: increased endpoints driven by telework and the misuse of privileged credentials — the likely cause of major recent breaches. In the NSA guidelines, these threats are known as remote exploitation and insider threat.
The executive order (EO) makes a prominent push toward zero trust architecture (ZTA), which is referenced 11 times throughout. There are specific timelines to develop ZTA plans but with an objective to move all types of systems closer to the concepts outlined by the National Institute of Standards and Technology. So what does zero trust actually mean and entail?
NSA defines zero trust as a security model that “constantly limits access to only what is needed and looks for anomalous or malicious activity.” Embedded in this model are comprehensive security monitoring, granular risk-based access controls and system security automation. It eliminates implicit trust and instead requires continuous verification of access and identity, following the NSA’s phrasing, “never trust, always verify.”
In the past, employees typically had access to data simply based on their initial log-in credentials, even though they may not require full access for their specific duties. The federal workforce became accustomed to the single sign-on (SSO) life.
Zero trust concepts change this approach by truly embracing least privilege and dynamic access. Employees should have access to exactly what they require, for the right reason, at the right time, and this should be verified. This means not only verifying an employee when they log on but also running systems in the background to continuously check IP addresses and other identification markers to verify the user’s identity. If a user has access, their privileges are not increased without additional verification.
Additionally, zero trust removes unnecessary access to data from users who don’t need it. NSA recommends authenticating users and explicitly authorizing them to the least privilege required. “Just-in-time” access goes a step further by granting the correct access to the right user only when they need it. Just-in-time access is a significant change from “persistent access” within a least-privilege model. Historically, security has sought to limit access to the exact minimal permission needed to accomplish a task, but that permission is set once and is always on. Just-in-time limits the permission to a timeframe, whether minutes or days.
Giving users the least access mitigates risk. For federal employees, this could be comparable to providing access to a contractor. The contractor should be given access temporarily while working on the project, but that access should be removed once the project is complete and limited during it to only the information they need.
Always verify, but gain trust
For government employees, there is an assumption that adopting a zero trust model will hinder productivity, that the implementation process will be lengthy and that continuous authentication measures will interrupt their workflow. In reality, it can be implemented with minimal work continuity interruption.
One often-overlooked and simple step can make a major difference: announcing the move to zero trust. As the NSA guidelines highlight, the mindset required for zero trust must be embraced fully throughout the agency, from leadership to administrators to users for it to work effectively. Announcing the intention to move in this direction allows leadership to establish expectations and provide accountability both externally and internally.
Agency leadership and administrators may become weary of a “never trust, always verify” mindset and practices, but once someone becomes lax, the entire model can be compromised. So, it’s important to gather buy-in early.
Agency leaders should also address concerns and emphasize the value of identity for their employees. Employees should understand that the adoption of zero trust is beneficial for their identity and critical to mission success. Additionally, employees should be assured that zero trust is not a way to catch users violating policy — it is meant to flag bad actors using their identity and protect them from identity theft.
Act as if you’ve been breached
Once expectations have been set and employee concerns addressed, implementing zero trust starts with establishing an accurate baseline that includes all accounts and access, including privileged access. A list of employees, contractors, third-party workers and their assigned level of access should be available and current.
The list should include access details: the device an employee logs on from (a work device, laptop or phone), when they log on, and the programs and files accessed. NSA defines this as establishing “full visibility of all activity across all layers.” A baseline for each identity can help quickly flag unusual behavior or variations.
Behavior analytics can provide more insight into user activity, length of login time and documents accessed, and flag any suspicious activity. To spot stolen passwords or identity theft and distinguish a legitimate user from an intruder inside the IT network, behavioral biometrics can monitor and report on typing and mouse-movement characteristics, enabling continuous authentication of the user without interrupting the workflow.
Next, federal agencies should authenticate all users, devices, data flows and requests for access. NSA recommends assuming a breach has already occurred so that the organization denies by default and continuously monitors all changes, resource accesses and network traffic for suspicious activity. Automated systems can continuously verify access and identity without relying heavily on workforce resources. The system can also flag and, if appropriate, freeze any accounts that cannot be verified. An employee can then follow up and determine whether the account should be granted access or flagged as a threat.
Frequently auditing accounts and access is key to maintaining a strong zero trust model. Accounts that no longer need access should be removed, and account access should be continuously reassessed to ensure that access is increased or decreased only to the level needed.
NSA recommends that each agency continues to provide access in a consistent and secure manner. They should use the same verification measures to “derive confidence levels for contextual access decisions,” effectively creating a reliable standard about who is allowed access and who is denied.
Contextual access decisions weigh many factors, from assigned permissions to behavior. The location of a user, the time they’re online and all of their credentials, potentially including measures like keystrokes, can together establish a high level of confidence for access to sensitive data. For example, accessing a server during business hours on the East Coast from an East Coast IP address looks much different from accessing the same server in the middle of the night from a foreign IP address while running commands not typical of the user.
Requesting access shouldn’t create a burden for users. Just-in-time access to privileged data can be granted as needed and removed once the task is complete or the user’s role is changed. It is less likely to impede productivity by adjusting permissions to meet needs in a timely manner, while ensuring privileges are not persistent and vulnerable to exploitation.
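The kind of contextual, just-in-time decision described above, as an added illustration that is not part of the original article or any NSA guidance; the per-identity baseline, the factor weights, the resource thresholds and the 60-minute grant window are constructed assumptions, and times are taken to be in the user's local (East Coast) time zone:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed baseline for one identity: where, when and from which device
# this user normally works (the "baseline for each identity" the article describes).
BASELINE = {
    "alice": {"regions": {"US-East"}, "hours": range(8, 19), "devices": {"laptop-0123"}},
}

# Constructed minimum confidence a resource demands; higher for sensitive data.
RESOURCE_THRESHOLD = {"hr-server": 0.8, "team-wiki": 0.3}

@dataclass
class AccessRequest:
    user: str
    resource: str
    region: str            # region derived from the source IP address
    device: str            # device identifier presented at logon
    when: datetime         # local time of the request
    atypical_commands: bool  # behavior analytics flagged commands unusual for this user

@dataclass
class Grant:
    user: str
    resource: str
    expires: datetime      # just-in-time: the grant is never persistent

def confidence(req: AccessRequest) -> float:
    """Combine contextual factors into a confidence level between 0 and 1 (weights assumed)."""
    base = BASELINE.get(req.user)
    if base is None:                       # unknown identity: no confidence at all
        return 0.0
    score = 0.0
    score += 0.35 if req.region in base["regions"] else 0.0
    score += 0.25 if req.when.hour in base["hours"] else 0.0
    score += 0.25 if req.device in base["devices"] else 0.0
    score += 0.15 if not req.atypical_commands else 0.0
    return score

def decide(req: AccessRequest, ttl_minutes: int = 60) -> Optional[Grant]:
    """Deny by default: a time-limited grant is issued only when confidence clears the
    resource's threshold. A resource with no configured threshold requires full confidence."""
    if confidence(req) < RESOURCE_THRESHOLD.get(req.resource, 1.0):
        return None
    return Grant(req.user, req.resource, req.when + timedelta(minutes=ttl_minutes))

def grant_is_valid(grant: Optional[Grant], now: datetime) -> bool:
    """A grant stops working on its own once the window closes; nothing has to revoke it."""
    return grant is not None and now < grant.expires
```

A real policy engine would recompute the confidence on every request rather than once at logon, so a drop in confidence mid-session can freeze the account for review as the article describes.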
Most of the above steps require little day-to-day operational change for federal employees but require a mindset shift. The convenience of SSO will need to be superseded by an appreciation for strong authentication and why it’s necessary in today’s world.
As recent federal adoption and the NSA guidelines suggest, zero trust is a strong cybersecurity model for government. It will protect federal employees from identity theft and, ultimately, help IT teams by preventing breaches and reducing risk from the first anomaly.
Dan Conrad is an IAM Strategist with One Identity. He has been with Quest since 2007, where his roles have included Solutions Architect, Federal CTO, and IAM Strategist. He is an experienced system administrator, having administered organizations ranging from 10,000 to 150,000 users. Dan holds a BS in Information Systems Management from Wayland Baptist University and an MS in Cybersecurity from Western Governors University, and holds many certifications, including CISSP, CEH, MCITP, and MCSE/MCSA.