I spoke to a Federal Security Operations Branch Chief at a civilian agency last week. Zero Trust continues to get his attention, especially at the endpoint. He wants to immerse himself in Zero Trust principles when the inevitable day comes down from the office of the CIO that he must implement a Zero Trust architecture. He also relayed that his CIO has compliance pressures on the agency HVAs (high value assets). Even this branch chief has his own subset of HVAs. I am sure this pressure has something to do with wanting to improve their overall FISMA score – since part of the scorecard specifically calls out HVAs.
While there is a “buzz” around Zero Trust at this agency, getting down to brass tacks in terms of selecting a clearly defined event or use case for starting a project can be overwhelming. This reminds me of someone wanting to write a novel and not knowing where or how to start. While learning the principles of writing is always good, it will never be enough – just like only knowing the principles of Zero Trust will never be enough. It’s in the writing itself that one starts to develop the habit and consistency of writing. If you want to write a novel, then keep a journal for consistency and seek out the opportunity to write articles or even short stories to expand your writing skills.
If you want to implement Zero Trust in your organization, start by figuring out the critical security priorities and current Zero Trust capabilities. Define what your desired Zero Trust end-state would look like. When you have a narrowly scoped Zero Trust problem, objectives, and desired outcome, it is easier to solicit the support from your key stakeholders.
NIST 800-207 states as much when it says Zero Trust is a journey, and the goal should be to implement Zero Trust incrementally. You don’t want to be overwhelmed later by trying to write that novel without a short story or two under your belt. Why wait for a compelling external event like a breach, malware, or a zero-day attack? Start your Zero Trust pilot project today.
In order to recommend a good place to start the agency branch chief’s Zero Trust pilot project, I wanted to know more about his HVAs – and the importance of improving visibility into HVAs – their components and legitimate connections. A few key questions are:
- What applications are considered HVAs?
- What are the application components of these HVAs?
- What does the application tier, networking and compute infrastructure look like?
- Are you using containerized applications?
- What are the legitimate application/workload connections to the HVA?
- What are the legitimate end-user and endpoint connections to the HVA?
Visibility and accurate data on the components of, and connections to, HVAs are essential. The answers to these questions help answer the question of where to start.
Once the agency has narrowed down its list of HVA applications, the next step is to gauge its existing Zero Trust capabilities.
The agency’s current approach to securing its HVAs reveals its blind spots and points to opportunities for enabling Zero Trust.
Because of the rapid transition to remote work, it was also important to understand how their HVA security posture evolved.
I asked the branch chief to tell me more about his endpoints. The branch is currently implementing Carbon Black EDR for threat detection. As you may know, Carbon Black continuously records and stores endpoint data so that security operations professionals can visualize threats in real time for an ‘attack kill chain.’ In most instances, once the attack has already occurred, it may be too late. Your mission could be compromised or your data already exfiltrated.
To truly implement Zero Trust at the endpoint, you must stop malware before it executes – and most importantly, stop the malware from spreading laterally. The agency can augment its endpoint and EDR investments by proactively controlling the inbound peer-to-peer connections to endpoints by using an “allow-list” of legitimate connections and denying everything else. This is the heart of Zero Trust at the endpoint. He certainly has an opportunity to start a Zero Trust pilot project at the branch’s endpoints.
When I probed a bit deeper about the HVAs in the context of lateral movement attacks within its data center and cloud environment, the branch chief noted that loss or corruption would have a serious impact on the branch’s ability to perform its mission. The HVAs are a combination of years of accumulated data. The applications involved have to do with the analysis and visualization of this data. To date, the majority of their investments in Zero Trust focused on perimeter network segmentation and on user identity and access governance. These solutions do not address the weaknesses of an open and flat internal network.
If you adhere to a true Zero Trust architecture, you must assume a breach has already occurred. Once a packet is inside your network perimeter, malicious actors will head straight for your HVAs with nothing standing in their way. Clearly, securing the east-west traffic of HVAs is another area where a Zero Trust pilot project can start now.
We have identified his branch’s endpoints and HVAs as two areas to start a Zero Trust pilot project.
The next step is to count the number of endpoints and the number of workloads and applications that will be part of the pilot project. A small pilot project can have as few as 50 workloads and endpoints or as many as a few hundred, and the pilot will involve the segmentation and micro-segmentation of these items. The key is not to get overwhelmed by any potential complexity.
Next step: host-based micro-segmentation
The next step is to load what NIST 800-207, section 3.1.2 calls out as “host-based micro-segmentation using software agents.” With Illumio’s solution, you load a lightweight software agent on each workload, application, or server. The agent merely reports context and telemetry on your network back to a ‘central brain’ that builds a baseline real-time application dependency map. This map is critically important from a monitoring point of view as it maps to NIST 800-53 and the RMF (risk management framework). The first RMF ‘bucket’ is Identify, and real-time application dependency mapping provides that identification before you enforce micro-segmentation policy. You need to see what is happening in your network – from an application and workload perspective – before you can improve or enforce a Zero Trust policy.
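The two ideas above, an application dependency map built from agent telemetry and an allow-list of legitimate connections with everything else denied, can be illustrated in a few lines. This is an added example, not Illumio’s code or any agency’s data: the host names, roles, ports and flow records are all constructed, and the allow-list stands in for a validated policy.

```python
from collections import defaultdict

# Constructed telemetry: (source host, destination host, destination port),
# as a host-based agent might report it. Hypothetical names, not real data.
FLOWS = [
    ("analyst-ws-01", "hva-web-01", 443),
    ("analyst-ws-02", "hva-web-01", 443),
    ("hva-web-01", "hva-api-01", 8443),
    ("hva-api-01", "hva-db-01", 5432),
    ("analyst-ws-01", "analyst-ws-02", 445),   # endpoint-to-endpoint (peer-to-peer)
    ("analyst-ws-02", "hva-db-01", 5432),      # workstation straight to the database
]

# Hypothetical labels mapping each host to the application role it plays.
ROLES = {
    "analyst-ws-01": "endpoint", "analyst-ws-02": "endpoint",
    "hva-web-01": "hva-web", "hva-api-01": "hva-api", "hva-db-01": "hva-db",
}

def dependency_map(flows, roles):
    """Aggregate host-level flows into a role-level dependency map:
    {(src_role, dst_role, port): number of observed flows}."""
    deps = defaultdict(int)
    for src, dst, port in flows:
        deps[(roles[src], roles[dst], port)] += 1
    return dict(deps)

# Allow-list of legitimate role-to-role connections to the HVA, derived from
# the validated dependency map. Anything not listed here is denied.
ALLOW = {
    ("endpoint", "hva-web", 443),
    ("hva-web", "hva-api", 8443),
    ("hva-api", "hva-db", 5432),
}

def decide(flow, roles, allow=ALLOW):
    """Default-deny policy check: a flow is allowed only if its role triple
    appears on the allow-list."""
    src, dst, port = flow
    return "allow" if (roles[src], roles[dst], port) in allow else "deny"

def review_observed(flows, roles, allow=ALLOW):
    """Flows seen in telemetry that the policy would block. Run this before
    switching to enforcement so the allow-list does not break the HVA itself."""
    return [f for f in flows if decide(f, roles, allow) == "deny"]
```

The two flows returned by review_observed are exactly the peer-to-peer endpoint connection and the workstation-to-database path the text describes as lateral-movement routes; everything on the validated dependency map passes.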
It can take less than five days to roll out a Zero Trust pilot project using host-based micro-segmentation, especially if the scope and desired outcomes are well-defined and there is training to show the person tasked with this pilot the most efficient ways to proceed.
The branch chief’s only hesitation was owing to resource constraints. He didn’t have a person to devote to this effort. Is a three- to five-day investment worth it to turn your writing into a habit – that is, to move your knowledge of Zero Trust from study to actual implementation?
In addition to a well-defined scope, having a clearly defined and measurable outcome is important to selling your Zero Trust pilot project internally. Improvements in specific areas of the FISMA CIO scores are just one of the desired outcomes and measures of project success that the agency may want to consider. For example, the agency branch can use the Illumio traffic reporting to validate the identity and scope of the HVA application components and connections and use micro-segmentation as a compensating control, enhancing its protection scores. It can also use Illumio’s vulnerability maps to validate if a vulnerable system can be used as a lateral attack pathway, further enhancing its FISMA scores. These metrics and visibility are even more important with the recent hacks into US government networks.
Once you implement your Zero Trust pilot project and demonstrate measurable desired outcomes, expanding it is very straightforward – adding additional applications, workloads, and endpoints until you have written your novel: an agency-wide Zero Trust architecture.
To learn more about how Illumio can help federal agencies secure high value assets and accelerate Zero Trust, visit the federal solutions page.