On January 26, 2022, the White House released a memorandum titled Moving the U.S. Government Toward Zero Trust Cybersecurity Principles that provides a prescriptive plan for all agencies to move toward a zero trust architecture over the next two years. This memorandum follows President Biden’s Executive Order 14028, released last May on Improving the Nations Cybersecurity that directed the move to zero trust across the federal government.
As with other areas related to cybersecurity, from pipelines to transportation, the approach with this memorandum is to define objectives and provide specific guidelines. For example, each agency is required to designate a Zero Trust lead within the next 30 days. The overall Zero Trust architecture alignment is to be done before the end of FY 2024. So what now?
Unfortunately, meeting all of the objectives of Zero Trust is much more complex than can be described in this brief article, so we do not plan on laying out a step-by-step process for meeting the full memorandum objectives. However, we have chosen to address a few items and provide a few recommendations as to initial steps and lessons learned from past experiences.
Most of the Tools Are Available
If you have not read the ACT-IAC paper Zero Trust Report: Lessons Learned from Vendor and Partner Research, we highly recommend it. The government/industry group conducted a detailed survey of 165 companies implementing Zero Trust. The survey included companies building products related to Zero Trust and those integrating Zero Trust systems. A key finding is that most of the core technical components are available in one form or another. Additionally, from a federal perspective, there is a great deal of leverage available from the Continuous Diagnostic and Mitigation (CDM) program managed by CISA. For those not familiar with Zero Trust, this is not a new technology or methodology, Zero Trust is more about architectural constructs than new technology. The ACT-IAC report reflects this in its findings.
There are obviously a lot of activities involved in the implementation of the White House memorandum. We have decided to focus on three initial recommendations that should be addressed early in the process at federal, agency and sub-agency levels.
Recommendation #1 – Solve the Attribute Problem
Within the White House memorandum is the following paragraph:
Currently, many authorization models in the Federal Government focus on role-based access control (RBAC), which relies on static pre-defined roles that are assigned to users and determine their permissions within an organization. A zero trust architecture should incorporate more granularly and dynamically defined permissions, as attribute-based access control (ABAC)12 is designed to do.
The problem with ABAC is not a technical issue; it is a large-scale enterprise coordination issue.
A key component within the Zero Trust Architecture is determining a level of trust for people, components, and applications. In the book Zero Trust Networks – Building Secure Systems in Untrusted Networks, the authors Evan Gilman and Doug Barth describe the concept of a “trust score” that software agents can use to determine actions within the environment. Other writers on Zero Trust have used different terms, but essentially, there needs to be a way to determine and label a trust level for assets within the environment.
As pointed out in the memorandum, a key element of Zero Trust is identity granularity based on ABAC. The concepts and technology for ABAC has been around since the early 2000s when Service Oriented Architecture (SOA) became the primary enterprise architecture. There were numerous federal and DoD programs targeting ABAC in the 2000s as the primary means for access control. Almost all of the major technologies support some form of attribute-based management. Given all of this, why are almost all federal agencies still role-based? The problem is not a technical issue; it is a large-scale enterprise coordination issue.
For ABAC to be successful, there needs to be a common set of attributes to make trust decisions. On a small scale, this is relatively straightforward. For example, Gilman and Barth use location, time of day, and other attributes that can be used for a trust score. If dealing with a reasonably homologous organization, this works well. Where identifying attributes gets difficult is at vast, diverse enterprises. For example, it is challenging to develop a common set of characteristics between an agent for the FBI and a financial analyst at the IRS.
This challenge with designating common attributes is why most organizations still use roles as their defining measure. It is common and understood. If you have this job, you have this access. Unfortunately, this type of access control will not meet the objectives of Zero Trust. There have been many efforts to define a core attribute list that can be extended. This is likely the best option. The government needs to determine if there is going to be a core attribute list, and if so, who determines what this should be. This needs to be done quickly. A three-year working group studying the issue will not fit the White House timelines. Another option is to have each agency determined attributes, but this limits moving to large scale Zero Trust implementation across the government.
Recommendation #2 – Don’t Put Off the Data Objectives
Item E of the Zero Trust memorandum addresses the Data Element of Zero Trust. Given that data was one of the last areas in the memorandum and a tough challenge in the Zero Trust journey, the conventional approach would be to first address identity, network, and applications and put off data objectives for the future. A lessoned learned from the SOA development in the early 2000s mentioned earlier is that this is a big mistake. The reality is that there is an inherent connection between making trust decisions and the data that is being secured.
The federal enterprise’s tagging, categorization, storage, and control of massive amounts of data is a major undertaking. The memorandum calls for the Chief Data Officers to define categorizations for datasets within the first 120 days. This is an easier task for smaller organizations, similar to the attribute discussion above. Defining a limited number of data categories, however, is quite difficult for an enterprise such as a major agency, never mind the Federal government. In addition, there have to be automated methods put in place to achieve this goal – it is not a working group task. Attacking the data issues early is a key element to achieving the Zero Trust goals.
Recommendation #3 – Remember Scale and Call the UX People
You may wonder why scaling to large enterprises and the user experience (UX) fit into the same recommendation. The reason is that when new approaches such as Zero Trust are implemented, two areas can eventually doom the effort; it doesn’t scale and users hate it. These are often tied together because the primary result of lack of scalability is poor performance and/or difficult work arounds to make it work.
Current development approaches call for starting small and expanding to large implementations. Though incremental and agile development is a good approach, waiting a year into development to see where scaling issues will arise is also not a good idea. We recommend the “break it early and a lot” approach throughout the Zero Trust journey. For each increment, flood the environment to see where the break points exist. In other words, improve scale at each increment.
Likewise, have the UX experts walk through the Zero Trust path along with the integration and development teams. One of the natural outcomes of Zero Trust is going to limit access to many things that users and systems can access now. How does that affect productivity? What is the best method for addressing dynamic access and sharing? At what point do multiple factors of verification override the threshold of usefulness? All of these are UX factors that should be addressed up front in the Zero Trust implementation.
These are just a few initial recommendations for consideration as the federal government, and any large enterprise moves to Zero Trust. There are thousands of hurdles ahead but the direction and schedule of the White House memorandum gives goals and a clear starting place. Now comes the implementation.
You can contact our team to learn how Evolver provides cyber operations across entire organizations, including endpoint security, network security, application security, identity management, and more. You can also learn more about all of Evolver’s cybersecurity offerings on our services page.