ZT Architecture: Coming Soon!

Zero Trust: Shifting the Focus to Implementation

Michael H, 03 Oct 2022

At ANS we provide world-class network engineering and cybersecurity services that help secure the most critical government networks. Those network owners count on our expertise with the rapidly changing strategic and technological elements of cybersecurity to enable them to make risk-informed security decisions. It is critical that we anticipate customer needs as they roll out new network configurations and cybersecurity capabilities. Zero Trust (ZT) is an example of a concept we must understand and prepare to support for our customers. Planned deployment of ZT capabilities throughout the government and private sectors has the potential to fundamentally change the nature of the networks we help protect, and will require us to develop new skills, tools, and methods to support our customers through this period of change.

In 2021 an Executive Order on Improving the Nation’s Cybersecurity was issued that mandates the federal government to “advance toward Zero Trust Architecture (ZTA).” Subsequent 2022 OMB memorandums M-22-09 Federal Zero Trust Strategy and M-22-16 Administration Cybersecurity Priorities for the FY 2024 Budget made it clear that ZT is a major focus for federal government network defense. In 2021 NSA, DoD, NIST, CISA, and even our allies at the UK NCSC all published ZT guidance in the form of architectures, frameworks, and maturity models to help speed understanding and adoption of ZT security capabilities. Similar work is occurring simultaneously across private sector organizations, with new white papers dropping almost daily from sources like Gartner, Forrester, and many other researchers. The vendor community is aggressively moving out to provide solutions for the evolution of public and private networks to ZTA, producing new products and updating existing products to provide the necessary capabilities.

Throughout 2022, work on ZT has accelerated in both public and private sectors with a focus on planning for widespread adoption, research and training, standards development, demonstrating solutions in testbeds using available commercial technology, and opportunities to add ZT concepts to widely adopted cybersecurity frameworks. Let’s discuss a few of those efforts.

The U.S. Department of Defense (DoD)

In early 2021, the DoD Chief Information Officer, John Sherman, announced plans to create a new portfolio office to manage the DoD Zero Trust Architecture Program. The effort was officially launched in January 2022, and in only a few short months produced a strategic plan that will enable DoD to achieve a target level of ZT capabilities across the DoD Information Enterprise.

This strategic plan, intended for release in October 2022, defines 45 ZT Capabilities, 42 of which are targeted for deployment by 2027. The document further details that these capabilities consist of 152 Activities, 90 of which map to the 45 capabilities planned for 2027. It also suggests three potential synergistic courses of action for deployment, ranging from enhancing the existing DoD enterprise to more “greenfield” options for commercial and private cloud-based network architectures.

Additionally, the portfolio office completed a 2.0 update to the DoD Zero Trust Reference Architecture originally published in 2021, to be released as an aid in implementing the strategic plan by serving as an authoritative guide for DoD ZTA and solutions. They also plan to publish a DoD Zero Trust Capabilities Roadmap containing timelines to implement ZTA across most DoD enterprise systems beginning in 2023 and depicting ZT capability advancement across all seven DoD-defined pillars, capturing predecessor/successor capabilities.

NIST NCCoE Zero Trust Architecture Implementations (NIST SP 1800-35)

In August 2020, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-207 Zero Trust Architecture. As the first US Government publication addressing the concept of ZT in significant detail, it has influenced all later ZT publications, including NSA’s Embracing a Zero Trust Security Model, CISA’s Zero Trust Maturity Model, the DoD Zero Trust Reference Architecture v1, and of course the DoD’s forthcoming Zero Trust Strategy and Zero Trust Reference Architecture v2. In SP 800-207, NIST introduced all the basic tenets of Zero Trust, defined the logical components of a ZTA, and discussed many of the other concerns related to migrating to a ZTA.

The National Cybersecurity Center of Excellence (NCCoE), a part of NIST, has begun to build a series of exemplar ZTA solutions in their Zero Trust testbed in collaboration with a group of 32 ZTA technology providers. The project goal is to use commercially available technology to build interoperable, open-standards-based ZTA implementations that align with the concepts and principles in SP 800-207. Multiple scenarios are planned in diverse enterprise testbeds, leveraging distinct sets of vendor security products as integrated ZTA solutions. This effort is an iterative process, with results shared through updates to NIST SP 1800-35 Volumes A-D after each iteration, as appropriate.

The preliminary drafts of all volumes of SP 1800-35 documenting the details and results of the first functional demonstration are available for review on the NIST ZT website. Sufficient details are provided to duplicate both the testbed environments and the functional demonstrations if desired.

The results of the first experiment (described in the publication as the “crawl phase”) were predictable. All the solutions used for this demonstration integrated well within their own vendor ecosystems and provided the desired capabilities. However, many of the vendors used do not integrate outside their vendor-specific ecosystems out of the box. (For this project, NIST uses only integrations provided by the solution vendors rather than custom integrations.) This prevented implementation of all the desired enterprise ZT capabilities. The solution set chosen for this demonstration also lacked a Comply-to-Connect capability, so there was no way to authenticate and reauthenticate the resources that host endpoints and thereby prevent an endpoint from initially joining the network until its authentication status had been established.

This NCCoE project is serving a critical role in providing examples of ZTA commercial solution integration, identifying gaps in the available technology, and highlighting problems with integration across vendor ecosystems. Hopefully, new partnerships will emerge from this effort to address those technology gaps, and the participating capability providers will find ways to integrate more effectively so that they can provide holistic enterprise ZT solutions.

NIST Cybersecurity Framework (CSF) 2.0

Originally developed to meet the requirements of the Cybersecurity Enhancement Act of 2014, the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) has since become a best practice for cybersecurity applied by governments and businesses worldwide. NIST has begun updating this ubiquitous cybersecurity framework to keep pace with the evolving cybersecurity landscape through a series of workshops, the first held on 18 AUG 22. The secret to encouraging international adoption of the CSF v1 was strong stakeholder engagement. NIST plans to continue their history of transparent stakeholder engagement through a series of collaborative workshops, interactive development of multiple drafts, and use of dedicated Slack channels to produce the updated version.

This revision of the CSF is an opportunity to synchronize ZT concepts with the CSF. A key theme to emerge from the responses to the Request for Information (RFI) that preceded the first workshop was the desire to “Align the CSF with existing efforts by NIST and others” and “Ensure the CSF remains technology neutral yet can be applied to specific and emerging topics such as cloud, hybrid work, and zero trust.” ZT implementations would greatly benefit from the standard, vendor-agnostic taxonomy that could be provided in the new version of the CSF, enabling better mapping across any number of other cybersecurity frameworks in use today.

The Cloud Security Alliance

In March of this year, the Cloud Security Alliance (CSA) announced the launch of the Zero Trust Advancement Center in partnership with CrowdStrike, Okta, and Zscaler. The new center’s purpose is to explain ZT as a strategy in a vendor-agnostic setting, frame it with a set of guiding principles, and help provide context around the myriad related solutions. To achieve these goals, they plan to:

  • Lead the development of tools and resources to guide ZT implementation
  • Build and evangelize authoritative ZT best practices and tools
  • Create research, training, and professional credentialing, and provide an online center for additional curated ZT resources
  • Provide courses in ZT architecture and strategy, a CloudBytes webinar series, several research whitepapers, an annual ZT Summit to be initiated in Q4 2022, and a new professional credential, the Certificate of Zero Trust Knowledge (CZTK)

In August, the CSA also launched a ZT Working Group focused on collaboratively developing Zero Trust standards to achieve consistency for cloud, hybrid, and mobile endpoint environments. This working group plans to perform research and produce deliverables such as specifications, architectural guidance, technical documents, thought leadership articles, position papers, and implementation guidance. This work will focus on nine workstreams:

  1. Zero Trust as a Philosophy & Guiding Principles
  2. Zero Trust Organizational Strategy & Governance
  3. Pillar: Identity
  4. Pillar: Device
  5. Pillar: Network/Environment
  6. Pillar: Applications & Workload
  7. Pillar: Data
  8. Automation, Orchestration, Visibility & Analytics
  9. Zero Trust Architecture, Implementation, and Maturity Model

The CSA has a long history of delivering on their promises for developing new architectures, specifications, and standards for cloud security. There is little doubt that they will be successful in developing new ZT focused security specifications, standards, and related architectures.

Conclusion

The level of interest in Zero Trust across the public and private sectors continues to grow, and the level of effort applied to moving ZT concepts closer to widespread adoption is encouraging. However, most of the efforts discussed are moving forward without coordination or, in some cases, even knowledge of the other efforts. Zero Trust activities must be coordinated so that they share a common taxonomy, map to a common set of security controls where appropriate, and, most importantly, avoid contradictory guidance that will confuse and delay widespread adoption.

While it would be convenient to just buy Zero Trust in a box, no single vendor today provides all the solutions necessary to deploy a holistic enterprise ZTA. But many vendors already have products that meet some of the requirements of ZTA, so progress towards implementation can start now. A common goal of all these efforts is to enable vendor-agnostic implementations. To avoid having to develop “glue code” to integrate products from multiple vendor ecosystems, we need ZTA-enabling data standards, command and control standards, interface standards, universal playbooks for automation, and maybe even dedicated message fabrics to make that vision a reality. Another option would be for coalitions of vendors to work together to provide integrated solutions in answer to government contracts, as they did for the DHS Continuous Diagnostics and Mitigation (CDM) program.

Achieving these goals requires true public/private coordination and partnership to ensure that we do it right the first time. All the efforts described in this article need to align and work together to ensure standardization of core concepts. And the standards bodies need to complete their work on ZT standards quickly to enable the ZT community to overcome the challenges of integration and deployment of solutions. Collaboration is key to success.

ANS is tracking these efforts, and in some cases participating in the working groups. All of us working in cybersecurity should ensure that network owners are aware of the ZT work that is underway and help them prepare for success. Proactively consider ways ZTA will force us to evolve the tools and techniques we use today. Take every opportunity to engage the ZT community to encourage synchronization of effort. We can all play a role in making ZTA a success. Let’s help make it happen together.