It has been more than two years since President Biden released his Executive Order (EO) on Improving the Nation’s Cybersecurity. Paramount to this EO was the directive for federal agencies to move towards adopting and implementing zero trust cybersecurity architectures.
At the beginning of 2022, the Office of Management and Budget issued a memorandum that took the EO’s efforts even further by explicitly directing federal agencies to meet specific zero trust cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024.
Now, a year and a half away from the FY24 zero trust deadline, how far along are federal agencies on their zero trust implementation journeys? What challenges are they facing as they attempt not only to meet these security requirements, but simultaneously to keep up with an ever-changing cyberthreat landscape?
To get answers to these questions, and to learn more about the tools and solutions that are available to facilitate agencies’ deployment of their zero trust architectures, the GovCyberHub sat down with Quest’s Federal Technology Director, Chris Roberts.
Here is what he had to say:
GovCyberHub (GCH): The last time you stopped by the GovCyberHub was just a few months after President Biden released his cybersecurity EO in 2021, and our conversation centered on how federal agencies could begin their zero trust cybersecurity journeys. Since the last time we spoke, how much progress have agencies made in developing and deploying their zero trust architectures?
Chris Roberts: The level of activity has certainly intensified. There are a lot more requests around discovery conversations. We get a lot of market research requests around the solutions that would be developed or deployed to support a zero trust solution.
Think of all those pillars within zero trust. Federal agencies are now shopping in earnest for a lot of those components. Now, granted, a lot of agencies have made progress because of CDM years back, which gave them some basic identity, logging, and audit type solutions. But now, agencies are truly trying to deploy a full-fledged zero trust architecture. And a lot of integration work actually has to happen now.
You’re seeing a lot more introspective conversations about how to integrate what agencies already have, in order to deliver on zero trust. On the flip side of that, you also see that industry is making progress, or at least taking it seriously, due to a component of President Biden’s EO that basically said, “In regards to zero trust, what are you all doing around supply chain management?” Industry knows the issues, given what occurred with Kaseya and SolarWinds. As a result, we now have policies and processes in place to address where software is coming from, who wrote it, etc. So, I know we’re making progress on that side, as well.
And we’re well on our way to being able to turn those statements into certification. That’s a key component of zero trust. It is not just access to information, but also how confident federal agencies are with regard to the actual solutions they are deploying to improve their delivery of zero trust architectures.
GCH: How has the threat landscape changed since the EO’s release in 2021? What are the predominant cyber threats that federal agencies are currently facing?
Chris Roberts: We like to think that there’s something new on the horizon, but what’s old is new. I can tell you that the threats we face are constantly evolving. However, the underlying motivations of threat actors remain the same: to wreak havoc on our national infrastructure. In the past, we focused our attention on external threats, such as nation-states and hacktivist groups. However, we are now seeing a rise in insider threats. Insider threats can be just as damaging, if not more so, than external threats.
One recent example of an insider threat was the leak of classified DoD data on a peer-to-peer social platform. This leak was a major security breach and posed a serious threat to national security.
In response to these evolving threats, we are shifting our focus to a zero-trust security model. Zero trust means that we no longer assume that anyone is trustworthy by default. Instead, we only grant access to users and systems on a need-to-know basis.
This shift to zero trust is essential to protecting our national infrastructure from both external and insider threats. However, it is not enough to simply implement a zero-trust security model. We also need to have a strong understanding of our users, their devices, and the data they access. If we do not know who our users are, what devices they use, and what data they access, then we are vulnerable to attack. This is why it is so important to have a strong identity and access management (IAM) program in place. An IAM program will help us to identify and authenticate users, control access to our systems and data, and monitor user activity. This will help us to prevent unauthorized access and mitigate the risk of a breach.
In addition to a strong IAM program, we also need to have a comprehensive security awareness training program in place. This program will help our users to understand the threats they face and how to protect themselves. By taking these steps, we can help to protect our national infrastructure from the ever-evolving threats we face.
GCH: What challenges are agencies currently facing as it pertains to them successfully implementing the network security measures and controls that comprise a zero trust framework?
Chris Roberts: Speaking as someone who has been on both the end user side and the vendor side, and looking across those chasms, the one unique qualifier that I’ve seen happen on both sides is getting collaboration between IT stakeholders on the actual mechanics of how zero trust architectures are deployed and used – with either new or existing tooling.
Vendors sometimes don’t like to make it easy to discern which product, solution, or tool can play a practical role in an agency’s zero trust adoption. That means that achieving alignment of internal political realities of who owns what and who does what pertaining to cross-domain security practice is something that has to come down from leadership.
As an example, many agencies have separation of groups with elevated privileges based on the platform. You have the Windows folks in one corner, Unix in one corner, and even cloud in another corner. You can have multiple areas where you have elevated privilege. That also needs to be controlled within a zero trust framework. But because of the political realities within a typical IT organization, that’s difficult to achieve. Zero trust itself cannot be successful without clear directives and guidance from senior leadership.
And they have to actively participate in making sure that those directives, based on the EO and the general principles of zero trust, can help managers and branch chiefs wind through the political realities of who controls what on the network, and who gets access to what on the network. That’s one of the biggest challenges that I’ve seen across the board.
GCH: Lately on the GovCyberHub, we’ve been discussing how federal agencies will most likely continue working in hybrid, on-prem Active Directory (AD)/Azure environments until they make the full migration to the cloud. Is the approach to zero trust different for on-prem AD and cloud-based Azure? What zero trust/cybersecurity advice would you give to agencies who are operating in hybrid environments?
Chris Roberts: The most often ignored reality on the road to zero trust is the role AD plays both now and moving forward. Having witnessed the initial creation of AD while working at Microsoft, the first, although not so obvious, thing from a developer perspective was that AD is a very prescriptive, tuned, and specialized database. A lot of people don’t think of AD that way.
Understanding what that technology is at its core plays a role in determining the best way to leverage and manage it across the in-service lifecycle of that technology. In this case: Active Directory.
The first piece of advice I would give – whether an agency is on-prem or in the cloud – is the basic NIST cybersecurity principles for managing technology: having the abilities to monitor, audit, protect, secure, and recover. And in this case, it would be in Active Directory. You need to have operational workflows with tooling to support these critical functions with regard to AD. We refer to this as Active Directory Life Cycle Management.
The second piece of advice would be understanding your current state for all the users, nodes, data, and APIs in use across the agency which impact zero trust, as well as what impact they will have on current functionality. For instance, applications sometimes expect local administrative privileges or service accounts to operate or even to install, which is often a problem with local rights on a workstation or server. Many systems assume unsegmented access to services across multiple control planes. To mitigate this risk we recommend our endpoint privilege access management solution, which controls all elevated controls on a given device.
For example, the biggest push in networking today is segmentation. When you segment a network and block off access, some applications or services will simply just break in a zero trust environment. And you have to architect for that and tool for that. Some applications have consoles that may not be in line with zero trust principles, or they offer internal backdoors to smooth the operations of the application. And managing resources and services in the cloud requires new and complex consoles to administer. This is often overlooked as well.
If you’ve ever looked at the Azure or an AWS console, there are dozens of consoles and tools to administer everything from a virtual machine or a virtual private network, identity management, to how containers are used, to database deployment, and to how networking is used. So having a complete long-term strategy to perform all these prescriptive actions, relative to Active Directory lifecycle management, is going to be a key success factor for any zero trust deployment across on-prem and cloud infrastructures.
At Quest, we are open to assisting agencies in understanding what those best practices are, because they’re going to have to deal with both for quite some time to come.
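The point above about segmentation breaking applications that assume unsegmented access is the kind of thing that can be checked before a policy is enforced rather than discovered afterwards. The following is an added example, not code from the interview, from GovCyberHub or from Quest: it takes observed network flows (constructed sample records standing in for firewall or NetFlow exports), a segment map and a proposed default-deny allow-list between segments, and reports which flows, grouped by application, the policy would block, plus the minimal inter-segment rules that would have to be added to keep them working. The segment names, CIDRs, ports and application tags are all assumptions made up for the example.

```python
"""
Pre-segmentation dependency check (added example, not the interview's or Quest's code).

Inputs are a segment map, a proposed inter-segment allow-list (default deny)
and observed flows.  Output: the flows the policy would break, by application,
so owners can add a rule or re-architect before enforcement.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    app: str   # application tag from the asset inventory (constructed)

# Segment map: name -> CIDR.  All values are constructed for this example.
SEGMENTS = {
    "workstations": ip_network("10.10.0.0/16"),
    "app-tier":     ip_network("10.20.0.0/16"),
    "db-tier":      ip_network("10.30.0.0/16"),
    "identity":     ip_network("10.40.0.0/24"),   # domain controllers
}

# Proposed policy: (src_segment, dst_segment, dst_port) tuples that are allowed.
# Anything between two different segments that is not listed is denied.
ALLOW_RULES: Set[Tuple[str, str, int]] = {
    ("workstations", "app-tier", 443),
    ("app-tier", "db-tier", 1433),
    ("workstations", "identity", 88),    # Kerberos
    ("workstations", "identity", 389),   # LDAP
    ("app-tier", "identity", 88),
    ("app-tier", "identity", 389),
}

# Constructed sample flows, as an export of observed traffic would look.
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "10.20.1.10", 443, "hr-portal"),
    Flow("10.20.1.10", "10.30.1.5", 1433, "hr-portal"),
    Flow("10.10.5.23", "10.40.0.10", 88, "kerberos"),
    Flow("10.10.7.41", "10.30.1.5", 1433, "legacy-reporting"),   # desktop talking straight to the DB
    Flow("10.20.1.10", "10.20.1.11", 8080, "hr-portal"),         # same segment
    Flow("10.10.5.23", "10.40.0.10", 389, "ldap-auth"),
    Flow("192.168.99.4", "10.30.1.5", 1433, "unknown-host"),     # not in any inventoried segment
]

def segment_of(ip: str) -> Optional[str]:
    """Return the segment name containing ip, or None if it is not inventoried."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def evaluate(flow: Flow, rules: Set[Tuple[str, str, int]] = ALLOW_RULES) -> Tuple[bool, str]:
    """Decide whether the proposed policy would permit this flow, with a reason."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return False, "endpoint not in any inventoried segment"
    if src_seg == dst_seg:
        return True, "intra-segment traffic (not governed by this policy)"
    if (src_seg, dst_seg, flow.port) in rules:
        return True, f"allowed by rule {src_seg}->{dst_seg}:{flow.port}"
    return False, f"no rule for {src_seg}->{dst_seg}:{flow.port} (default deny)"

def blocked_by_app(flows: List[Flow], rules: Set[Tuple[str, str, int]] = ALLOW_RULES) -> Dict[str, List[str]]:
    """Group every flow the policy would block under its application tag."""
    out: Dict[str, List[str]] = defaultdict(list)
    for f in flows:
        ok, why = evaluate(f, rules)
        if not ok:
            out[f.app].append(f"{f.src} -> {f.dst}:{f.port}: {why}")
    return dict(out)

def missing_rules(flows: List[Flow], rules: Set[Tuple[str, str, int]] = ALLOW_RULES) -> Set[Tuple[str, str, int]]:
    """Inter-segment rules that would have to be added to keep blocked, inventoried flows working."""
    needed = set()
    for f in flows:
        src_seg, dst_seg = segment_of(f.src), segment_of(f.dst)
        if src_seg and dst_seg and src_seg != dst_seg and (src_seg, dst_seg, f.port) not in rules:
            needed.add((src_seg, dst_seg, f.port))
    return needed

if __name__ == "__main__":
    for app, items in blocked_by_app(SAMPLE_FLOWS).items():
        print(f"[{app}]")
        for line in items:
            print("  " + line)
    print("rules to add or applications to re-architect:", missing_rules(SAMPLE_FLOWS))
```

Run against the constructed data, the legacy reporting desktop and the un-inventoried host are the two things that would break; the first surfaces as a rule decision for the application owner, the second as an inventory gap to close before enforcement, which is the "understand your current state" step the interview describes.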
GCH: What solutions are available to federal agencies that can assist them in developing and implementing their zero trust architectures?
Chris Roberts: Since zero trust is a framework, which requires an agency to build an architecture to support its deployment, the best practice is considering the broader set of components needed for each layer of delivery. What I mean by that is there are roughly seven components in zero trust, at least in the NIST framework, and DoD ICAM has eight now since they added the user layer. Quest can address five layers in the NIST framework and six in DoD ICAM. Those layers or component areas are: session management, access management policy and governance, monitoring/auditing, users, and logging. Those are six critical components to zero trust, and we address them all.
When you evaluate solution providers, agencies should consider and ascertain the breadth of those zero trust strategies from each vendor and their commitment to a progressive roadmap in supporting the defense needed in an ever evolving threat landscape.
Lastly, I would ask what is their level of commitment to meeting supply chain requirements within those executive mandates and DoD requirements. Just because they have a solution doesn’t mean it fits the bill for zero trust across the board. And will they be able to support that solution moving forward, given the mandates that are coming from the executive branch?