Analyzing and implementing a national zero trust architecture

This October, we once again find ourselves observing National Cybersecurity Awareness Month. While this effort traditionally targets consumers and businesses, the U.S. government has a unique interest in cyber awareness.

The theme of the first week implores individuals and organizations to #BeCyberSmart, by highlighting best security practices while focusing on general cyber hygiene to effectively protect personal and company data. This includes using multi-factor authentication, backing up data, and updating software.

These basic practices are just a small part of the larger zero trust (ZT) security model, which is based on the concept such of “never trust, always verify,” multi-factor authentication, least privileged access, and micro-segmentation.

The zero trust security model has been around for over a decade, but did not reach widespread adoption until recently. But as today’s perimeter-based cybersecurity solutions continue to fail and produce news reports about high-profile data breaches and ransomware attacks, zero trust security continues to gain traction.

Zero trust and the U.S. government

The recent release of the Office of Management and Budget’s Federal Zero Trust Strategy, CISA’s Zero Trust Maturity Model, and Cloud Security Technical Reference Architecture documents represent a major step toward improving the U.S. government’s cyber defense capabilities. Triggered by Executive Order 14028, “Improving the Nation’s Cybersecurity,” the release of these draft reference models and guidance help government agencies accelerate their transition to a more secure, ZT-based approach to cybersecurity.

Getting the entire U.S. government to transition to a ZT security-based model represents a massive undertaking and requires careful planning, considerable resources, and multi-year, multi-phased, agency-specific implementation plans. For larger government agencies, such as the Department of Defense, that operate thousands of networks, tens of thousands of systems and applications and have hundreds of thousands of users and devices deployed worldwide, a comprehensive rollout of ZT throughout the enterprise could take 10 years or more. Nevertheless, significant security improvements in areas such as identity, data and network security could be achieved within just a few years.

Overcoming national zero trust concerns and obstacles

Two of the biggest challenges chief information officers within the affected government agencies will face with the administration’s mandated ZT adoption and its accelerated timeline is budget and resources. OBM, CISA and the National Institute of Standards and Technology (NIST) only provided the frameworks and ZT architecture needed to get started. It is still up to the individual agencies to budget for their ZT implementation, re-architect their current IT environments to comply with NIST’s ZT Architecture (ZTA) standard (NIST SP 800-207), identify the necessary internal and external talent, select relevant ZT technologies and vendors, re-accredit their systems, and retrain their workforce.

To help its government and commercial clients speed up their ZT adoption journey and to better manage the associated ZT migration risks, a platform-based approach to ZT will be necessary. Leveraging a NIST ZTA standard-compliant platform promotes interoperability, scalability, and extensibility. It also avoids vendor lock-in and allows organizations to start their ZT journey in areas in which they currently might have the highest exposure risks, such as networks, identities and access management.

Once the initial areas of concern have been addressed, other ZT focus areas, such as data, workloads and devices can be addressed. Developing a ZT strategy, conducting a ZT maturity and gap assessment, and creating a phased implementation plan are key to a successful ZT deployment.

The future of zero trust

Quantum supremacy refers to the point at which a quantum computer reliably does something that no conventional computer can do in a reasonable amount of time, e.g., break widely-used asymmetric encryption algorithms in record time. This poses a unique risk to global commerce, enterprises, consumers, and national security as it effectively renders many of our best data security and secure communication technologies useless.

The preparedness for the arrival of Quantum Day may rely on ZT strategies as nations work to prepare for the cyber risks that will inevitably accompany these computing advancements. While Q-Day isn’t predicted to arrive for another five to 10 years, preparation requires immediate action.

The principle of ZT is simple: trust no one, even if they work for your company, as employees can maliciously or ignorantly leave organization data vulnerable and accessible for a breach. It will likely take organizations several years to truly achieve comprehensive, multi-level ZT security, so it’s better to start now than wait until it’s too late to remediate.

As individuals, organizations, and now federal agencies acknowledge Cybersecurity Awareness Month, implementing zero trust will certainly be a top priority not only this October, but every month and day following.