"Never Trust, Always Verify"
Federal Migration to ZTA and Endpoint Security
After several high-profile cyberattacks on the U.S. government in recent years, the need to upgrade and increase resiliency in existing cybersecurity systems has become critical to national security.
The federal government’s latest guidance aimed at improving the nation’s cybersecurity demonstrates a commendable shift in priorities—moving away from traditional perimeter defense and firewalls and instead embracing “zero trust architecture” (ZTA).
ZTA is often characterized as an alternative to legacy “perimeter-based" cybersecurity. For decades, enterprise cybersecurity efforts have revolved around the concept of “implicit trust.”
Under this model, networks and systems were designed to defend against intrusions at a well-defined network perimeter.
Imagine this perimeter as a medieval castle.
The castle is surrounded by a moat and 40-foot-high stone walls. Access is granted only via a single gate, where guards scrutinize and verify the identity of each visitor.
However, once admitted, one can move about freely. Some areas inside the castle are locked and guarded, but most are not. There is little scrutiny once someone is within the walls because their very presence means they have been vetted. They are implicitly trusted.
But what if someone is not whom they claim to be? What if they are an assassin disguised as a guard? What if they are secretly working for a rival kingdom and intent on theft and sabotage?
In a perimeter-based environment, those bad actors—once they gain initial access—can potentially operate in an unconstrained way within the walls.
In 2010, John Kindervag described how cybersecurity efforts that emphasize perimeter defenses—similar to the countermeasures applied in our medieval castle—expose organizations to a range of external and insider threats. In the process, he articulated the concept of ZTA:
Zero trust architecture (ZTA): No activity, regardless of whether it originated inside the network or outside of its perimeter, should be assumed to be trustworthy.
In terms of the medieval castle, this would mean increasing security inside the walls, such as by locking and guarding more doors and requiring visitors to repeatedly verify their identity as they move about the castle grounds.
The urgency to create similar checks on movement in modern information technology environments is increasing as many enterprises become “perimeter-less.”
Organizations are increasingly migrating to commercial cloud environments and adopting hybrid infrastructure. Workforces are increasingly mobile, an ongoing trend rapidly accelerated by the Covid-19 pandemic.
In this environment, federal government efforts to verify which users and which devices are accessing agency resources are increasingly complex. But, in light of global cyber threats, they are critical. Overcoming barriers to successful implementation for zero trust is more urgent than ever.
BARRIERS TO SUCCESS
Shifting from perimeter defense to ZTA is not as easy as flipping a switch; it is a complex undertaking. Further, it involves more than procuring new hardware and software. Making such a shift will require reform, in particular in the following six areas:
- Budget and acquisition
- Tech debt
- Lack of urgency and behavioral friction
- Unclear policies
- Leadership and accountability
- Perception issues
1. BUDGET & ACQUISITION
Cyber threats to the U.S. government will only continue to grow over the next few years. As a result, the federal government’s new zero trust strategy will have to be bolstered by funding to enable effective cyber defenses. Executive Order 14028 requires changes that will need acquisition and budgetary support and calls for the Office of Management and Budget (OMB) to review the Federal Acquisition Regulation and the Defense Federal Acquisition Regulation Supplement to effect those changes.
To cover the costs of ZTA, the FY 2023 budget provides an additional $486 million to the Cybersecurity and Infrastructure Security Agency (CISA), bringing its total funding to $2.5 billion, a portion of which will support the transition to ZTA. Achieving full-scale federal cybersecurity and implementing endpoint detection and response (EDR) will require the federal government to make ZTA both a budget priority and a long-term project.
Beyond the changes outlined above, the requirements outlined in the latest White House guidance on ZTA (Executive Order 14028) introduce significant changes in the software acquisition space. These changes ask service providers to increase data collection and preservation on cyber incidents and call for reporting cyber incidents or critical vulnerabilities directly to agencies. Such data-sharing requirements are often unpopular with industry, as they may reveal vulnerabilities companies would prefer to keep out of public view. The government needs to anticipate these obstacles and create policies and legislation to further mitigate these concerns and incentivize sharing.
2. TECH DEBT
Departments and agencies often find it challenging to secure funding and authorization for new large-scale information technology (IT) modernization efforts. It is comparatively easier to obtain funding for existing systems. This often motivates agencies to focus on operating and maintaining existing systems rather than pursuing new capital investments. Over time, these forces have contributed to a large inventory of outdated systems that may leave organizations vulnerable to compromise.
Efforts to manage legacy systems can present a dilemma between user experience and security. Effective risk mitigation while migrating to ZTA may require federal agencies to consider temporarily degrading user experience in the broader interest of security.
Users must understand that measures to wall off legacy systems from the rest of the enterprise are a necessary, temporary inconvenience to maintain the broader integrity of the organization’s IT systems.
- Congress should work to expand and streamline modernization and working capital funds that lead to the compounding of tech debt. For example, initiatives such as the Technology Modernization Fund (TMF) and IT working capital funds, both of which were enacted in 2017, have created new authorities and funding vehicles for agencies to accelerate their technology modernization efforts. Additionally, Congress should consider establishing an "agility fund," where agencies with current needs are able to quickly receive support funds if issues arise during their ZTA migration.
3. LACK OF URGENCY & BEHAVIORAL FRICTION
While many experts believe that agency leaders recognize that moving to ZTA is important, they have also indicated that the conceptual acceptance of ZTA has not translated into a commensurate sense of urgency.
A lack of urgency could lead to minimal exerted effort to meet the basic requirements of compliance, when what is needed are investments in comprehensive plans.
Relatedly, behavioral friction can further thwart progress. Security imperatives should outweigh ease of use despite workforce demands for frictionless access.
- To increase urgency and minimize behavioral friction, federal government leaders should focus on ways of demonstrating the mission value of ZTA migration as well as enhancing transparency of ZTA implementation progress.
- Leaders should commit to documenting and sharing lessons learned with other agency leads and Congress during the ZTA journey.
4. UNCLEAR POLICIES
Misalignment between agency policies and White House guidance can also cause confusion and unclear paths to ZTA implementation.
For example, the budget process disincentivizes large-scale, long-term changes. Timelines are a good forcing mechanism, but short timelines with limited guidance could create budget issues for agencies that are having a difficult time prioritizing efforts in this space.
Coordinating offices—especially the Office of the National Cyber Director (ONCD)—are best placed to identify these disconnects and issue clarifying guidance.
- The Office of the National Cyber Director (ONCD) should take the lead in prioritizing the alignment of policies both across the U.S. government and within each department and agency, as misaligned policies at any level could delay ZTA implementation.
- Though agencies and departments are expected to all be moving in the same general direction, they should set priorities that account for their current cybersecurity posture and agency mission and culture.
5. LEADERSHIP & ACCOUNTABILITY
Much of ZTA implementation relies on access to resources and high-level buy-in from agency leadership. Looking across the government, experts reported confusion about who is leading strategic coordination.
OMB has the most clearly defined role, but CISA, the National Security Agency (NSA), and ONCD all provide guidance and play a larger role in actively managing progress across federal networks.
Without clearly delineated roles, it can be difficult for cabinet secretaries and department heads to know whose guidelines should take priority.
At the agency or department level, an added barrier is identifying which individual or office should be in charge of monitoring the ZTA migration progress.
Finally, beyond any confusion about who is in charge, there are questions about what these tasked individuals or offices are being held accountable for. The federal guidance is intentionally vague to provide flexibility to the agencies and departments on their ZTA journeys, but that also means there are no standard metrics to assess progress. A lack of clear expectations and a faltering sense of urgency is a recipe for complacency.
- ONCD should lead the development of ongoing strategies for moving toward ZTA and ensure coherence in its implementation, including overseeing budgets for ZTA. OMB has leverage to ensure that appropriate action is being taken, but ONCD should inform those decisions, analyze and assess progress, bring coherence to relevant budgets across departments and agencies, drive decisions, and deconflict resource demands. And CISA, which is already situated as the leader in the civilian federal ZTA journey, can be given clearer authorities to better aid its ability to surge support to other agencies that are migrating to ZTA. Congress should also conduct a formal review of OMB and ONCD efforts to ensure the agencies are properly coordinating and making necessary progress. Within Congress, the Homeland Security Committees are best placed to conduct centralized oversight.
- Deputy secretaries should be designated as leads for ZTA implementation; however, agency heads are ultimately responsible for cybersecurity. The deputy secretary level is well placed to manage the internal processes necessary for the transition, as well as to remove roadblocks to implementation. ONCD should also create metrics to measure ZTA implementation and interagency reporting accountability for ZTA should be at the deputy secretary level.
6. PERCEPTION ISSUES
Experts have noted that ZTA has a perception issue. The term itself has been around for some time, and to varying degrees, ZTA can still be seen as an overwhelming, costly, or time-intensive marketing gimmick.
Fortunately, much of the federal government, particularly national security agencies and departments, have been in the practice of adopting technologies and processes that, while currently insufficient, are foundational and compatible with zero trust frameworks.
- To further mitigate perception issues, it is important to demonstrate the mission value of migration to ZTA. Leaders should emphasize business and mission advantages to drive digital transformation. Doing so will incentivize key actors by providing a sense of direct benefits to their respective organizations.
NEAR-TERM PRIORITIES FOR ZTA IMPLEMENTATION
CSIS researchers identified the following near-term priorities for government efforts to implement ZTA:
1. Asset Inventory
Prioritize high-risk and high-exposure assets, particularly new devices joining the network through Bring Your Own Devices (BYOD) policies.
2. Control Access to Data
Make sure multifactor authentication (MFA) policies are up-to-date, apply MFA multiple times during any single session, and add access controls around the most sensitive data.
3. Assess Security Protocols
Have policies governing who has access to what data and when, and clearly define processes to ensure compliance.
4. Network Segmentation
Create smaller, more manageable protect surfaces by dividing a network into subnetworks.
5. Sustain & Streamline Resourcing Efforts
Establish consistent budget line items for long-term refresh of software and hardware and replace legacy systems.
6. Identify & Prioritize Clear & Easy Wins
Prioritize efforts that clearly benefit the workforce and/or can be easily accomplished to maximize buy-in and commitment for multi-year ZTA plans.
7. Centralize Visibility & Orchestration
Implement security orchestration to connect different technologies and bridge visibility gaps and automate repetitive tasks required for authenticating users at multiple access levels.
LONG-TERM ENABLERS FOR ZTA IMPLEMENTATION
ZTA and endpoint security are necessary prerequisites for overall security; however, the federal government needs to have long-term plans for consistent funding and a properly skilled, fully staffed workforce.
So far, funding processes have been a hindrance rather than an advantage in adopting new strategies for securing critical infrastructure. The current budgeting process and implementation strategies are not yet aligned with the government’s commitment to instituting a new ZTA strategy. Government budgeting bodies will need to be realistic about the expenses associated with these initiatives and the types of funding each agency will require while eliminating non-integrated and redundant solutions.
Creating a technically competent workforce is also helpful in effectively implementing ZTA across the federal government since this model requires a cybersecurity mindset.
The progression from a high castle perimeter to a segmented, guarded ZTA is a continuum, involving many small measures that each contribute to a resilient, protected system.
For the government to succeed in this transition, it must recognize that ZTA is more about mindset and culture than it is about a suite of technologies. The government should act with urgency to adopt this mindset and specific plans for implementation, even while emphasizing that implementation will be an ongoing process over several years.
This report was made possible by the generous support of Tanium.
Deputy Director and Senior Fellow, International Security Program
Senior Vice President and Director, Strategic Technologies Program
Senior Adviser, Homeland Security, International Security Program
Associate Fellow, Defense-Industrial Initiatives Group
Intelligence Fellow, International Security Program
Associate Director and Associate Fellow, International Security Program
Research Assistant, International Security Program
Intern, International Security Program
- Visuals and production by Sarah Grace, iDeas Lab
- Development and design assistance by Christina Hamm and Mariel de la Garza, iDeas Lab
- Adobe Stock illustrations adapted from Baurka, Heywoody, Rodrigo, Maksym Yemelyanov, Matthieu, Alexey Brin, Cozine, Whyframeshot, Iryna, and BSD Studio.