In the last few years, there has been a dramatic increase in both the number and sophistication of cyberattacks against federal agencies. And with a record number of federal employees relying on remote work technologies, agency network perimeters are expanding to almost unmanageable degrees. As a result, attack surfaces are growing in ways that will inevitably overrun current federal agency network security models.
When President Biden issued his cybersecurity executive order (EO) last May, zero trust rose to the top of the list as the security standard that the federal government should strive to meet. But where do agencies even begin with their transition to a new cybersecurity framework? How will they overcome the funding and technological obstacles that they may face? And how will zero trust secure their Active Directory (AD), Microsoft’s directory service that many federal agencies use for component and IT management?
Simply put, federal agencies have a lot of questions about zero trust that they need answers to.
Last month, Quest Software and DLT Solutions sponsored the “Zero trust is critical for managing and securing Active Directory” webinar, where Quest’s Federal Technology Director, Chris Roberts, and DLT’s Chief Cybersecurity Officer, Don Maclean, demystified zero trust architecture and answered the burning questions that federal agencies are asking.
Here are six responses to the top questions surrounding federal agency implementation of zero trust architectures:
- Why should agencies pursue zero trust?
According to Maclean, zero trust is “a comprehensive rethinking of cybersecurity from the ground up.” He explained that agencies must recognize that what they’re “doing now isn’t working.” Unlike past models, zero trust recognizes the need to address security at all levels of an agency, as well as every aspect of an agency’s technologies.
With the combination of agencies migrating to the cloud, the proliferation of personal devices, and agency workforces relying on remote work environments, virtual network perimeters are dissolving and the attack surface is growing. Maclean explained, “As a consequence, we need to rethink security from the ground up, and zero trust approach is a way to do that.”
- What is the most important element of a zero trust program?
According to Roberts, the most important element is that an agency understands what its AD environment currently consists of, and that goes beyond just the physical hardware. Rather, it’s a comprehension of how it is structured. Agencies must be able to identify each user, resource, and group that is actively logging in and accessing the network.
Agencies must understand and be able to identify all of the AD components, architectures, objects, and users. But most importantly, agencies must understand where users will be using AD. Zero trust can enable authentication for each one of those connections and devices before access is granted to the network.
“In the old days, we had a fortress mentality,” said Roberts. “The agency was the castle that was surrounded by moats, drawbridges, and people in towers protecting the entire organization. That’s not the case, right now.”
If a federal agency employee has multiple mobile devices, laptops, and different servers that they’re using to access an agency’s network, the castle and moat type of perimeter no longer serves an adequate purpose. There is now an extended virtual perimeter that exists wherever the device is.
- What problems does zero trust seek to solve?
Roberts explained that network security no longer pertains only to blocking threat actors from intruding on a network; it must also protect against attackers after they have breached the network perimeter.
“A lot of attacks happen on the inside,” Roberts said. “To protect an organization means I just don’t validate who I am…I need to go a step further. And that is actually protecting what types of information I can access based on my role and responsibilities and the level of obligation I’m going to be granted.”
By implementing zero trust architectures, federal agencies are able to block attacks by requiring continuous user authentication at every turn. Maclean explained, “One of the problems we’re seeking to solve is the lateral movement and long dwell time of intrusions.” Once an attacker has breached the network perimeter, a zero trust architecture would prevent them from moving laterally through the network.
- Where should agencies get started on their journey to zero trust?
Roberts echoed his earlier sentiment that the first step is to start to understand exactly how an agency’s objects in AD are currently structured.
An example of this would be taking inventory and knowing the number of domain administrators on the network, which is one of the most significant breach risks to federal agencies. Roberts admitted that he understands why admins prefer to keep their account privileges. But he reminded the audience not to forget that “our networks are no longer internal.”
He continued to say, “Our networks have a perimeter that could be at the edges of the earth. So, we have to consider just how much access we are granting to the individual. That’s one of the first areas to start with.”
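The inventory Roberts describes here, together with the “identify each user and group” point from the second answer, as an added PowerShell example that is not from the webinar, Quest, or DLT; it assumes the RSAT ActiveDirectory module is installed, that the caller can read the domain, and that the privileged groups carry their default English names.

```powershell
# Added example (not from the webinar or the page): inventory the membership of
# the built-in privileged groups in Active Directory, resolving nested groups,
# and flag accounts that look stale or that have no password expiry.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read
# the domain. Group names are the default English names; adjust for your domain.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$staleDays = 90   # assumption: accounts idle this long are worth reviewing

$report = foreach ($groupName in $privilegedGroups) {
    # -Recursive expands nested group membership so indirect admins are counted too
    $members = Get-ADGroupMember -Identity $groupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, PasswordNeverExpires, Enabled
        [pscustomobject]@{
            Group                = $groupName
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            LastLogonDate        = $u.LastLogonDate
            PasswordNeverExpires = $u.PasswordNeverExpires
            Stale                = ($null -eq $u.LastLogonDate) -or
                                   ($u.LastLogonDate -lt (Get-Date).AddDays(-$staleDays))
        }
    }
}

# The headline number Roberts asks for: distinct accounts holding admin-level rights
$distinctAdmins = $report | Select-Object -ExpandProperty SamAccountName -Unique
"Distinct privileged accounts: $($distinctAdmins.Count)"

# Accounts to review first: stale, disabled but still a member, or non-expiring password
$report | Where-Object { $_.Stale -or -not $_.Enabled -or $_.PasswordNeverExpires } |
    Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Keep a dated snapshot so the count can be tracked over time (Maclean's measurement point)
$report | Export-Csv -Path ".\privileged-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Re-running the script on a schedule and diffing the CSV snapshots gives the quantitative trend Maclean asks for: the privileged-account count should go down, not up, as access is pared back.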
Maclean advised zero trust newcomers to begin their journey by reviewing the National Institute of Standards and Technology’s (NIST) “Zero Trust Architecture” special publication, the U.S. Department of Defense’s (DoD) “Zero Trust Reference Architecture” document, and the NSA’s “Embracing a Zero Trust Security Model” guidance.
- What does success look like for a zero trust program? How do people know that zero trust is working?
According to Roberts, “Success looks like a fully deployed system with the right set of policies in place, the infrastructure policies and procedures to back it up, and the ability to report on that and actually hold everyone accountable. From the agency director all the way down to an end user.”
For Maclean, one of the key elements of a zero trust program is the ability to measure success as quantitatively as possible. Agencies must understand what the architecture is doing. From there, agencies must measure whether incident response is faster than it used to be. They need to track the number of attacks that make it through their defenses to see if it is lower than before. They must also measure whether less data was lost compared to before the zero trust implementation.
Maclean explained that all of this quantitative analysis can then be translated into actual “dollars and cents,” and demonstrate the level of success of an agency’s zero trust framework.
- What obstacles do federal agencies face when trying to adopt zero trust? And how can they overcome them?
“Mind, money, tech.” That’s how Roberts described the obstacles agencies face when implementing zero trust architectures for their networks.
A major obstacle that agencies are facing is shifting mindsets across all levels of the agency. That includes dealing with end-user pushback when previous access privileges may be changed, educating agency workforces on new zero trust procedures, and getting employees on board with the network security transition.
Harking back to last May’s cybersecurity EO, zero trust adoption was a consistent theme throughout the directive. But according to Maclean, “The good thing is that the executive order mandates a plan for how to do zero trust…The downside is that executive orders don’t come with money attached.”
The transition to zero trust is costly, and agencies will have to work hard to find room in their budgets to make the security jump. Roberts added to Maclean’s comment by saying, “The executive orders don’t come with money attached to them, but I do believe most agencies have already made investments in tools and technology to get started on zero trust.”
As for the technology hurdle, Roberts encouraged agencies to examine their current network architecture and evaluate their assets, resources, and systems of records. By doing so, agencies will better understand the “underlying bones” of what their zero trust architecture will be. From that point, agencies will have a better understanding of what their funding requests should look like, laying the groundwork for the transition to a zero trust framework.