For federal security teams, mission assurance is essential. Applications must remain available at all times to ensure the success of the mission.
The best way to achieve mission resilience is through Zero Trust principles. Grounded in the mindset that breaches are inevitable and a “never trust, always verify” mantra, Zero Trust can help government agencies build mission assurance into their security strategy.
To share Zero Trust strategies and best practices for mission assurance, federal cybersecurity experts Gary Barlet, Federal CTO at Illumio and former CIO at the U.S. Postal Service's Office of the Inspector General, Mark Stanley, Enterprise Cybersecurity Architecture for NASA, and David Bottom, CIO of the Securities and Exchange Commission, sat down for a webinar with the Federal News Network.
Keep reading to get a recap of their discussion and key recommendations for implementing Zero Trust in your agency.
Why do federal agencies need to adopt Zero Trust for mission assurance?
A Zero Trust security strategy helps agencies answer the question: How do we succeed if something goes wrong?
“When all the systems are operating normally, that’s great,” Barlet explained. “But what about when things are under attack?”
Zero Trust assumes it’s simply a matter of time before a breach will happen. This mindset establishes security that not only helps teams detect and stop an attack but also keeps systems running, whether they are internal or public-facing.
As Barlet points out, “NASA can’t just turn things off in the middle of a launch,” and neither can nearly any other agency. If systems are taken offline by an adversary’s attack, employees’ and citizens’ lives can be put in danger and agencies lose the trust of their stakeholders.
The panelists agreed that a set-and-forget approach to cybersecurity isn’t enough to keep systems mission resilient.
“Mission assurance is not a static exercise,” Bottom said. “Expectations and requirements are always changing. They need to be factored into the planning that we do.”
According to the panelists, part of this planning must involve a Zero Trust infrastructure that limits adversaries’ ability to move laterally through the network. This helps limit the blast radius — or impact — of an attack on the system and helps maintain resilience during an active attack.
“One of the key tenets of Zero Trust is this ability to limit the blast radius,” Stanley explained. “If someone trying to execute a malware attack [is] able to compromise my account, under a Zero Trust, least-privilege scenario, they would only be able to implement against those things that I have access to and nothing more.” Zero Trust, he added, “eliminates movement laterally across the network.”
As Barlet explained, this work is not something that ever ends or gets fully achieved. Zero Trust security is an ongoing process.
“There will never be an end of the Zero Trust journey,” Barlet said. “There’s never an end to the threats you face. So therefore, the journey of Zero Trust will never end.”
4 requirements for building mission assurance with Zero Trust
According to the panelists, these are their four key recommendations for agencies implementing Zero Trust:
1. Get end-to-end visibility
Crucial to that never-ending journey: “Having good strong visibility across your enterprise,” Barlet said. The word enterprise is critical. It means visibility not just of infrastructure elements, where agencies have traditionally installed perimeter defenses. Visibility extends to applications, data and the way they interact among one another.
“Applications have inner connectivity to which agencies are often blind,” Barlet said. To secure the CISA-named five pillars of Zero Trust, agencies “first need to understand what’s going on in their enterprise and how things are actually interconnected.”
“You need an objective look at not what people think is going on, but rather at what is actually going on,” Barlet said. “You need to see real time, those interconnections and that traffic flowing.” He added, when Illumio shows a client these dependencies and interconnections, “they’re usually so divergent that they have a heart attack, to be honest with you.”
2. Build flexible, adaptable architecture
Today’s networks change constantly. No longer can security teams rely on the traditional model of static networks that are slow to change.
“Any Zero Trust model or architecture has to be able to adapt to all those rapid changes,” Barlet said.
As agencies create and remove virtual machines or reconfigure settings, cybersecurity needs to follow those changes consistently.
3. Deploy Zero Trust in all environments, including endpoints, OT, and IoT
All three experts agreed that Zero Trust must extend to user devices, not just users, and to OT and IoT that interact with the network.
According to Stanley, his team constantly monitors NASA systems’ device activity. They look for anomalies that can change the level of confidence in a particular access attempt.
“The beauty behind Zero Trust is that it’s monitoring activity and adjusting scores in real time,” Stanley said.
This ensures that any issues get quickly seen, prioritized, and addressed by NASA’s security team to ensure the mission can continue.
4. Build Zero Trust security into development processes
Barlet recommended bringing Zero Trust principles into new application development through DevSecOps processes. Developers rely on open-source code, and cybersecurity must incorporate Zero Trust to secure the applications built from it.
“The reality in code development today is that nobody’s writing every single line of code by themselves anymore. They’re downloading modules and using open-source code,” Barlet explained. “All of these pieces of software have dependencies and interconnections the agency needs to be aware of and incorporate into the Zero Trust scheme.”
Agencies can see these dependencies by getting visibility into network communication flows. Then, they can set security policies that ensure any vulnerabilities are closed and only allow access that is necessary.
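As an added illustration (not code from the webinar, Illumio, or the agencies discussed) of the visibility-then-policy workflow in points 1 and 4 and the blast-radius argument earlier in the recap: derive a default-deny allowlist from a constructed set of observed communication flows, then compute which workloads a compromised workload could still reach under that policy compared with a flat, unsegmented network. Workload names, ports and flows are constructed for the example.

```python
"""Derive a least-privilege allowlist from observed flows and measure the
blast radius of a compromised workload with and without that policy."""
from collections import defaultdict

# Constructed sample of observed flows: (source, destination, port).
# In practice these come from flow telemetry, which is the "visibility" step.
OBSERVED_FLOWS = [
    ("web-01", "app-01", 8443),
    ("web-02", "app-01", 8443),
    ("app-01", "db-01", 5432),
    ("app-01", "auth-svc", 443),
    ("ci-runner", "app-01", 22),  # a flow to confirm is necessary before approving
]


def build_allowlist(flows):
    """Map each destination to the (source, port) pairs observed talking to it."""
    allow = defaultdict(set)
    for src, dst, port in flows:
        allow[dst].add((src, port))
    return allow


def is_allowed(policy, src, dst, port):
    """Default deny: only explicitly allowlisted (source, port) pairs pass."""
    return (src, port) in policy.get(dst, set())


def blast_radius(policy, compromised, workloads):
    """Workloads transitively reachable from a compromised workload when
    only allowlisted flows are permitted (the compromised host itself excluded)."""
    reached, frontier = {compromised}, [compromised]
    while frontier:
        cur = frontier.pop()
        for dst in workloads:
            if dst in reached:
                continue
            if any(src == cur for src, _port in policy.get(dst, ())):
                reached.add(dst)
                frontier.append(dst)
    return reached - {compromised}


def flat_network_blast_radius(compromised, workloads):
    """Without segmentation, every other workload is reachable from the compromised one."""
    return set(workloads) - {compromised}


WORKLOADS = sorted({name for flow in OBSERVED_FLOWS for name in flow[:2]})
POLICY = build_allowlist(OBSERVED_FLOWS)
```

Running `blast_radius(POLICY, "web-01", WORKLOADS)` yields the three workloads downstream of the web tier, while the same compromise on a flat network reaches all five others; a compromised `db-01` reaches nothing, because no observed flow originates from it.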