Zero Trust Security: A Dynamic Approach for Government Agencies

There has been an awful lot written about Zero Trust: what it is, what it isn’t, and why it’s so hard to just “turn on”. Most of these articles focus on identity and authorization and the fact that implicit trust is no longer acceptable. This is all important and true, but ultimately we need to focus on the dynamic nature of the typical business and how Zero Trust responds to this with AI and ML, combined with automation and orchestration.

Dynamic Agencies Need Dynamic Security

Today more than ever, government enterprises are complex and changing. Users move frequently depending on their role and situation, and work is no longer defined as a physical place but where the worker is. Devices can be of myriad types, and they can move as often as workers move, leveraging various technologies and wireless networks that IT cannot control or secure. Networks themselves no longer have perimeters, and by bringing work to users, they have created an ever-changing network (and therefore threat) landscape. Even workloads that have stayed in one place for years in highly protected data centers can and will also move from cloud to cloud to meet business needs.

Simply put, there is nothing static about an agency – so why should security be?

Self-awareness and self-healing

The Zero Trust Maturity Model created by the DHS Cybersecurity and Infrastructure Security Agency (CISA) was released in the summer of 2021 and provided a streamlined way for government agencies to think about delivering Zero Trust at a given level of maturity, helping them understand where they currently stand. The model, or Foundation of Zero Trust, includes 5 pillars: identity, device, network, application/workload, and data, all powered by visibility, analytics, automation, orchestration, and governance. The concept is that over time, the security capabilities of each pillar will improve according to the maturity levels described in the document, ultimately delivering a Zero Trust architecture.

The key to the Zero Trust Maturity Model is in the maturity level descriptions, where the true value of Zero Trust is clearly articulated. To reach maturity, the Zero Trust security model must be intelligent in its understanding of the current landscape and dynamic in its reaction to events impacting the security posture of the real-time environment. In other words, the Zero Trust model should be self-aware and self-healing. Let’s take a few examples:

  • Your website has been hacked as part of a Halloween prank. Using analytics, the website becomes aware of the change, knows it’s not normal, and is automatically restored to the original view in seconds without human intervention.
  • An internal application is no longer compliant with the security policy due to an error during a normal upgrade. As part of your regular automated assessments, the deviation is detected, recorded and updated to return to compliance.
  • For some unknown reason, an IP security camera installed in a remote building is sending traffic to multiple devices on the network. This behavior is detected as abnormal and the device is instantly quarantined and an alert is sent to the Security Operations Center (SOC) for review.

Self-awareness and self-healing are simple to understand but not so easy to achieve. In fact, achieving this automation requires a variety of precisely orchestrated and timely technologies and capabilities:

  • Infrastructure instrumentation and telemetry from sensors to provide real-time visibility into what’s going on.
  • Analytics across many tools to distinguish what is normal and benign from what is abnormal and requires action.
  • Artificial intelligence and policy drivers to decide what to do to remedy the situation in the most effective and simple way.
  • Configuration and automation tools to actually act on systems and deal with unwanted behavior in real time while logging and alerting the human operator.
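The IP-camera scenario above, walked through the four capabilities just listed (telemetry, analytics, policy decision, automated action), as an added example that is not part of the original article or any VMware product; the flow records, addresses and the `max_new_peers` threshold are constructed for illustration, and the quarantine call stands in for whatever NAC or switch-ACL API an agency actually uses.

```python
from collections import defaultdict

# Telemetry (constructed): NetFlow-style records (timestamp, src_ip, dst_ip, dst_port).
# During the learning window the camera 10.0.50.21 only streams to its NVR, 10.0.5.10:554.
BASELINE_FLOWS = [
    (0, "10.0.50.21", "10.0.5.10", 554),
    (60, "10.0.50.21", "10.0.5.10", 554),
    (120, "10.0.50.21", "10.0.5.10", 554),
]
# Live window: the camera suddenly reaches out to several other hosts on the network.
LIVE_FLOWS = [
    (1000, "10.0.50.21", "10.0.5.10", 554),
    (1001, "10.0.50.21", "10.0.5.11", 445),
    (1002, "10.0.50.21", "10.0.5.12", 445),
    (1003, "10.0.50.21", "10.0.5.13", 22),
    (1004, "10.0.50.21", "10.0.5.14", 445),
    (1005, "10.0.7.3", "10.0.5.10", 443),   # a workstation with one unseen peer: below threshold
]

def learn_baseline(flows):
    """Analytics, step 1: which (dst_ip, dst_port) pairs each source normally talks to."""
    baseline = defaultdict(set)
    for _, src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline

def find_anomalies(flows, baseline, max_new_peers=2):
    """Analytics, step 2: sources that contact more previously unseen peers than policy allows."""
    new_peers = defaultdict(set)
    for _, src, dst, port in flows:
        if (dst, port) not in baseline.get(src, set()):
            new_peers[src].add((dst, port))
    return {src: peers for src, peers in new_peers.items() if len(peers) > max_new_peers}

def decide_and_act(anomalies):
    """Policy + automation: isolate the device (hypothetical NAC call) and raise a SOC alert."""
    quarantine, alerts = set(), []
    for src, peers in anomalies.items():
        quarantine.add(src)  # stand-in for the real quarantine API call
        alerts.append({"src": src, "new_peers": sorted(peers), "action": "quarantined"})
    return quarantine, alerts

def run_pipeline(baseline_flows=BASELINE_FLOWS, live_flows=LIVE_FLOWS):
    """Wire the stages together; returns what was quarantined and what the SOC is told."""
    baseline = learn_baseline(baseline_flows)
    quarantine, alerts = decide_and_act(find_anomalies(live_flows, baseline))
    return {"quarantine": quarantine, "alerts": alerts}

if __name__ == "__main__":
    print(run_pipeline())
```

In production the baseline would be learned continuously per device class and the threshold tuned against false positives, but the shape of the loop (observe, compare to normal, decide, act and alert) is the same.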

Tools to build Zero Trust maturity

The industry is focusing on self-awareness and self-healing. Legacy security worked on combating known threats and preventing those threats from affecting systems. The current challenge is zero-day threats, which are by definition unknown to systems and therefore have no known preventive measures.

Using visibility tools and analytics, anomalies can be detected that may be symptoms of malware or malicious behavior. By working backwards from the symptom, the root cause can be identified and treated. Endpoint detection and response (EDR) tools provide this capability on endpoints, while extended detection and response (XDR) tools draw on endpoint, network and cloud telemetry to discover anomalies and drive a remediation process. These tools have built-in intelligence via AI systems that help determine the response, which is then executed by a configuration and orchestration system that may or may not be integrated with them. These are just two examples of how the industry seeks to provide a self-aware and self-healing architecture.

As you move toward a mature Zero Trust architecture, look for tools and technologies that can provide the telemetry, automation, and intelligence needed to address previously unrecognized anomalies in your systems.

To learn more about how VMware helps government agencies better protect their environments, see:

Ashley C. Reynolds