Industry Perspectives

Establishing a Zero Trust Architecture for Federal Agencies

Amid the ever-evolving, increasingly sophisticated cyber attack landscape, federal agencies are being urged to adopt a Zero Trust approach.

Today’s environment “calls for and needs a new approach for security, and Zero Trust architectures are going to be critical for helping [agencies],” said Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency (CISA), during a Federal Computer Week (FCW) webinar.

Organizations might be concerned that Zero Trust adoption will create greater complexity. However, with the right approach and platform, federal agencies can gain efficiency and avoid complexity while significantly improving overall security.

What a Zero Trust Architecture Looks Like

As the term suggests, Zero Trust is led by the principle of “never trust, always verify.” It is a framework of policies, technologies, and systems that are applied to users and devices.

For example, multi-factor authentication (MFA) is considered a core Zero Trust technology because it requires more than one piece of evidence to trust a user’s identity.

There are multiple technologies and capabilities that lend themselves to taking a Zero Trust approach. Implementing these functionalities and principles takes time. In a recent informational statement, the NSA recommends four stages toward Zero Trust maturity:

  • Preparation. Initial discovery and assessment activities.
  • Basic. Implement fundamental integrated capabilities.
  • Intermediate. Refine capability integration and further refine capabilities.
  • Advanced. Deploy advanced protections and controls with robust analytics and orchestration.

The NSA acknowledges that these stages don’t happen overnight. That’s why we believe organizations should look at this from a holistic standpoint. Agencies should seek to unify security and move beyond perimeter-based security, while increasing compliance with policy-based access controls.

We recommend four pillars to underpin a Zero Trust approach:

  • Verify the user. How does an agency validate that an individual accessing systems is, in fact, who they say they are? There should be automated policies that address access permissions, and these should be adaptive and dynamic to respond across different applications, clouds and on-premises systems.
  • Verify the device. Users may use multiple devices—laptops, smartphones, and desktops—to access organizational systems. Verification must be extended across all of these devices so that the user’s identity is validated every time they connect.
  • Limit access and privilege. Cyber criminals are typically attracted to personnel with administrative privileges to gain control over a business system, so it is important to limit lateral movement. The principle of least privilege must be considered thoroughly in all cases, ensuring users only have enough access to successfully do their jobs.
  • Learn and adapt. Information about the user, including their workstation, application use and server policies, should be collected and analyzed. Machine learning is beneficial for this; the technology continuously improves this process, allowing security teams to recognize unusual behaviors, determine risk levels and decide whether risks are acceptable. Accuracy and availability of data—logging, log feeds, depth of content—is crucial.

All of these pillars can be addressed by establishing a Zero Trust architecture (ZTA), as visualized in this diagram:

At a high level, the ZTA comprises a control plane and a data plane. The control plane components are responsible for authorizing access to assets or resources. The actual transfer of information occurs in the data plane. Access to system resources is enforced by a policy enforcement point (PEP) in the data plane, which acts like a gatekeeper. It operates in consultation with the policy engine and policy administration functions, which together form the policy decision point (PDP). The PDP forms the control plane of a ZTA, which in turn is continually updated by inputs from the various control functions.
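The control-plane and data-plane split described above, as an added example that is not from the original article or from any vendor product: a PDP combines a policy engine with policy administration, and the PEP moves data only under a grant the PDP issued. The policy table, attribute names, grant format and 300-second lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample policy (assumption): resource -> roles entitled to it.
POLICY = {"payroll-db": {"hr-analyst"}, "build-server": {"developer", "sre"}}
GRANT_TTL = 300  # seconds; a short TTL bounds how long a stale decision is honored

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool        # pillar: verify the user
    device_compliant: bool  # pillar: verify the device
    resource: str

class PolicyDecisionPoint:
    """Control plane: policy engine (decide) plus policy administration (grants)."""
    def __init__(self, key: bytes):
        self._key, self.audit = key, []  # audit log is the input to "learn and adapt"

    def _mac(self, req: Request, expires: int) -> str:
        msg = repr((req.user, req.role, req.resource, expires)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def decide(self, req: Request) -> str:
        # Policy engine: deny by default, every check must pass.
        checks = [(req.mfa_passed, "user not verified"),
                  (req.device_compliant, "device not verified"),
                  (req.role in POLICY.get(req.resource, set()), "role not entitled")]
        failed = [why for ok, why in checks if not ok]
        return "allow" if not failed else "deny: " + failed[0]

    def authorize(self, req: Request, now: int):
        verdict = self.decide(req)
        self.audit.append((now, req.user, req.resource, verdict))
        if verdict != "allow":
            return verdict, None
        expires = now + GRANT_TTL  # grant is bound to user, role, resource and expiry
        return verdict, (expires, self._mac(req, expires))

    def grant_valid(self, req: Request, grant, now: int) -> bool:
        if grant is None or now >= grant[0]:
            return False
        return hmac.compare_digest(grant[1], self._mac(req, grant[0]))

def pep_transfer(pdp: PolicyDecisionPoint, req: Request, grant, now: int) -> bool:
    """Data plane gatekeeper (PEP): moves data only under a valid PDP grant."""
    return pdp.grant_valid(req, grant, now)
```

Because the grant is bound to one user, role and resource and expires quickly, it cannot be replayed against a different resource, and the requester is sent back to the PDP for a fresh decision once it lapses.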

The Critical Ingredient: Intelligence Across the Architecture

Looking at that diagram, Zero Trust may seem daunting. However, with the right partner, agencies can move through the Zero Trust journey at their own pace. The common thread is intelligent functionality.

For example, to verify users and devices, organizations must validate all endpoints. This includes all the apps and devices that employees use to get work done, regardless of whether the devices are owned by the organization or by the individual. That also extends to contractors, partners and guest devices.

To make this happen, the right endpoint security solution should:

  • Stop actions from compromised apps and files
  • Identify a malicious actor’s activities in a security event
  • Isolate the bad actor’s network access while capturing forensic access information

Automation and embedded intelligence reduce the complexity of these functions.

Another example is network security. It’s critical to rapidly identify web-based threats and malicious actors before they move too deep into the network. To act fast, a solution should intelligently detect early phases of web-based attacks, extract the malware and safely detonate it—in real time.

Similarly, an intelligent ZTA should help federal agencies address overall security system hygiene. For example, regular maintenance and vulnerability scans of security information and event management systems (SIEMs) are onerous tasks. By integrating threat intelligence services directly into infrastructure systems such as SIEMs, organizations gain real-time insights into vulnerabilities and risks.

An Intelligence-Backed Platform Approach for Zero Trust

Verifying users and devices must also happen within the infrastructure. A platform-based approach can enhance security across clouds and security operations systems such as SIEMs.

For example, an intelligent foundational solution offers assurances of compliance and enforcement by providing a framework for visibility across cloud environments. This allows organizations to view network traffic, auto-discover cloud assets in public, private and hybrid clouds, and improve threat detection and alerting.

The right platform should provide workload microsegmentation using cloud-native security capabilities, a key element in Zero Trust. When this process is automated, agencies can seamlessly provision, secure, and monitor multiple cloud environments to protect applications and micro-services.

At the same time, federal agencies should leverage a cloud-based SIEM platform that intelligently and automatically delivers centralized security. This solution bolsters a Zero Trust architecture, for example, by empowering teams with proactive alert management, analysis and reporting.

The Need to Measure Effectiveness

Ultimately, federal agencies must validate that their cyber security efforts are effective. The same applies to Zero Trust implementations. Security validation:

  • Measures and improves cyber-defensive effectiveness with detailed evidence
  • Verifies the effectiveness of workload segmentation
  • Guards against security regression with continuous testing
  • Measures the performance of security incident handling

Organizations should seek an overarching, unifying solution that is built to demonstrate the effectiveness of all their cyber security investments. It should provide evidential data that answers questions such as: Are my security technology layers configured correctly? Is my SIEM collecting all the data sources it needs for malicious activity alerts? Will the latest security attack affect our organization?

What gets measured gets improved. A security validation platform ensures that organizations are not only proving cyber security effectiveness, but also optimizing security and efficiencies.

The Bottom Line

Federal agencies may be at different points in their Zero Trust journey. Maybe they just implemented MFA and are ready to address cloud security, or they’ve implemented a cloud-based SIEM. No matter whether an agency is just starting or delving deeper into systems and infrastructure, the right partner can help eliminate unnecessary complexity.

FireEye realizes that Zero Trust isn’t a one-size-fits-all approach. Our expertise and intelligent solutions can be adapted to meet an organization’s most pressing security needs, and get them on the path toward minimized exposure and increased security.