Today’s information technology has fundamentally transformed the way we work.  Mobility and the cloud have enabled workers to access applications and data from anywhere. Data, especially from the edge, is about to further transform the way government employees solve problems and deliver services to our citizens. This same technology has rendered traditional approaches to protecting our government systems and data insufficient. Multi-cloud, the edge and mobility have stretched traditional perimeter-based cybersecurity beyond the breaking point. Fortunately, Zero Trust is more than the latest buzzword. Zero Trust, powered by Artificial Intelligence (AI) and Machine Learning (ML), is a game changer that has the potential to substantially enhance government agencies’ abilities to protect their technology systems and data.


So What is Zero Trust?


Zero Trust is an approach to help achieve more pragmatic security for today’s world. It is a security architecture and enterprise methodology, not a technology or tool, designed to effectively coordinate today’s challenging combination of technologies, practices and policies.  It represents an evolution in our approach to security, focused on delivering a comprehensive, integrated, interoperable, holistic solution approach that integrates multiple vendors’ products and services. 


A Zero Trust Architectural framework involves restricting access to system, application and data resources to those users and devices that are specifically validated as needing access. It will then continuously authenticate their identity and security posture to ensure proper authorization for each resource to provide continued, ongoing access.


An effective Zero Trust Architectural framework coordinates and integrates across seven main areas of focus to create an enabling platform as shown.  Visibility and Analytics provide the awareness for Automation & Orchestration to coordinate security policies and actions across People, Devices, Network(s), Workloads and Data. 




Zero Trust Background
The construct, known as “Zero Trust,” is generally recognized to have grown out of the need to protect an organization’s systems and data on multiple levels using a mixture of encryption, secure computer protocols, and dynamic workload and data-level authentication and authorization, rather than relying solely on an external network boundary. 


This security concept, known as “de-perimeter-ization” is designed for a world where the traditional network perimeter is less effective as workloads are increasingly being delivered from the cloud and mobile endpoints are becoming the norm for application and data access. Deperimeterization grew out of discussions with corporate Chief Information Security Officers (in a meeting hosted by Cisco in 2003) and was formalized in 2004 by the international Jericho Forum group.  The term “Zero Trust” itself was created by Forrester in 2010 and has become increasingly popular within the security community over the last decade.  Today, the term Zero Trust Architecture (ZTA) is the generally accepted expression for a security environment that allows “no implicit trust.” 


Key Zero Trust Frameworks


Although “Zero Trust” is most commonly identified with Forrester (since they coined the term), many others have identified similar Zero Trust-enabling strategies and frameworks, with the most prominent being (in chronological order): Google’s BeyondCorp (cloud-focused); Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) (more threat focused); Johns Hopkins University Applied Physics Laboratory’s Integrated Adaptive Cyber Defense (IACD) (commercial-off-the-shelf (COTS) tool focus); and NIST’s Draft Special Publication 800-207 Zero Trust Architecture.  In recent years, Forrester has broadened their view of Zero Trust to cover both a Zero Trust eXtended Ecosystem and a Zero Trust eXtended Ecosystem Platform.


Foundational Zero Trust Architectural Considerations


Zero Trust today is really about an orchestrated approach to achieving the “de-Frankenstein-ization” of our current, dizzying approach towards security that uses dozens and dozens of security tools and products in an effort to protect an agency’s data, applications and workloads.  With an AI/ML-driven, software defined network environment, agencies can enforce privileged network access, manage data flows, contain lateral movement and provide visibility to make dynamic policy and trust decisions. 


A Zero Trust Architecture requires an open, scalable foundation to provide agencies with the means to support any relevant Framework that guides their specific security needs (NIST RMF/CSF, CDM, CJIS, HIPAA, etc.). This foundational approach should be comprehensive in nature and support integrated interoperability across any security policy, governance, identity, orchestration, and event and mobility management tools in which agencies have already made investments. 


Importance of Zero Trust to Federal Agencies


The Federal Government has launched numerous “Digital Transformation Initiatives” in order to “harness the power of data” to drive faster, more efficient decision-making to enhance mission outcomes and better serve citizens.  The implementation of comprehensive data strategies, enabled by evolving AI data-science algorithms, are essential for agencies to achieve these goals and for our nation’s continued world technological leadership.  Implementing a Zero Trust Architecture that protects data, systems and network infrastructures from growing cyber threats is an absolute necessity for any Federal digital transformation success and has been highlighted as foundational to numerous key security initiatives by the Federal CIO. A Federal Zero Trust Architecture must be capable of automatically translating an agency’s mission-focused intent into secure implementation of trust-based policies across the entire network environment at speed and scale.


Key Perspectives for Agencies to Embrace on their Zero Trust Journey


As we advise Federal agencies on their Zero Trust “journey,” there are several critical guiding perspectives that should inform their choices:
• Do not allow implicit trust for anyone or anything attempting to connect to key networks, systems, data or other resources;
• Explicit authentication and authorization should be made before allowing access, followed by continuous monitoring for changes;
• Be able to detect and effectively respond to anomalous activity in real-time; and
• Enable comprehensive visibility, analytics and proactive response actions across the entire communications access and security infrastructure.


Summary


One of the simplest ways to think about Zero Trust is to fine-tune the old Russian proverb, popularized by President Reagan: from “trust, but verify” into “Never Trust AND Always Verify.” This applies to every connection, every session and every request for access to critical agency applications, workloads and data. A Zero Trust Architectural approach ensures that every decision to access data by any device, user, or workload is securely authenticated and authorized at the speed of AI/ML-enabled networks. Successfully implemented, Zero Trust can help ensure secure and seamless operations across an agency’s entire information technology ecosystem and result in continual trusted access to an agency’s critical workloads, applications and data—thereby enhancing agency mission accomplishment.


To get a more detailed sense of the latest on the state of industries’ ability to support Zero Trust, download a copy of the latest FORRESTER WAVETM - Zero Trust eXtended Ecosystem Platform Providers at https://blogs.cisco.com/security/cisco-named-a-leader-in-the-2019-forrester-zero-trust-wave.


Steve Vetter serves as a Federal Strategist for Cisco. Steve has been active in PSC for over a decade, including chairing the IT Management and Budget and NASA Vision Conference panels.


Andy Stewart serves as Cisco’s Senior Federal’s Cybersecurity Strategist.  Andy is active in PSC’s Defense Services and Cybersecurity Maturity Model Certification (CMMC) efforts. 


Click here to download the PDF version of this article.


This article was published in the Winter 2020 edition of PSC's Service Contractor Magazine.