Page 41 - FCW, July 2020
most important thing. Now you look at the data and the application entry and the protection of confidentiality as primary objectives.” That doesn’t mean relaxing network access restrictions, “but it certainly changes the dynamics.”

Participants also suggested various labels to better describe the approach. “‘Zero trust’ was a misnomer to begin with,” one said, “because if you don’t trust anyone, nobody will get anything done.” A more accurate term would be “context-based trust.”

“Variable trust” may be a better term, another said, “in that I trust the devices that I issued and I’m aware of more fully than I trust devices that are strangers to me — and the same thing with location-based entry points.”

Others emphasized the idea of trust decay as an essential ingredient for real-world implementation. “You’ve established a trust score — fantastic,” one said. “But how long does that trust score stay persistent?” Much like a VPN might disconnect a user after some period of inactivity, a trust score could depend on the time since a “normal” network action was observed, and users must maintain “a certain score in order to access this data due to its criticality.”

There are some well-established reference points, several speakers noted. They recommended ACT-IAC’s 2019 white paper on the topic and the National Institute of Standards and Technology’s second draft of Special Publication 800-207 on zero trust architecture, which was released in February. “That’s always kind of been my starting point for anything that feels a little buzzwordy,” one speaker said. “I see if I can map it back to a canonical NIST source document.”

One participant suggested that zero trust also reflects the changing role of IT organizations in government. As IT increasingly works with the business owners on mission objectives instead of simply supporting systems, “you’re going to see an evolution from infrastructure focus to product focus or, in some cases, the application focus. I think that zero trust layers into that.”

The first challenge: Knowing what’s normal

“The new normal” has become an overused term since COVID-19 upended workplaces, but several participants said the surge in telework was indeed changing security conversations. “I think it’s been a catalyst for people to think about how that strong network perimeter isn’t what they thought it was,” one said.

New or old, however, establishing what’s normal in a network is essential to a zero trust approach. Location data has changed dramatically in recent months, but multiple officials said defining a baseline is difficult even without maximum telework.

“What is normal will change over time,” one said. “Certain changes, while deemed anomalous, could be quite normal in a network. And so this whole idea of understanding patterns and normalcy and looking for anomalies becomes an extremely challenging problem.”

Thanks to the Continuous Diagnostics and Mitigation Program, the 2015 governmentwide “cyber sprint” and recent efforts by the Cybersecurity and Infrastructure Security Agency (CISA), federal agencies now have much better data on their users, devices and network traffic than was the case just a few years ago. But understanding that data and using it to create a baseline are other matters entirely.

“People forget it’s not always a user accessing the data system,” one official said. “The systems also are sharing data all the time.” Another pointed to the surge in robotic process automation initiatives and said AI-powered automation can conclude: “‘Hey, this data and this data really work well together.’ So we now have automation creating these streams in the background, which complicates things a little bit further.”
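The trust decay idea raised in this article, sketched as an added example (it is not from the article, its speakers or any agency's implementation): the score decays exponentially with the time since the last "normal" action, and each data criticality level requires a minimum score. The half-life, thresholds, anomaly penalty and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed values for illustration; none of them come from the article.
HALF_LIFE_S = 900.0        # trust halves after 15 minutes without a normal action
REQUIRED_SCORE = {"low": 0.2, "moderate": 0.5, "high": 0.8}  # per data criticality
ANOMALY_PENALTY = 0.5      # multiplier applied when an action is judged anomalous


@dataclass
class Session:
    base_score: float      # trust score set when the session was established (0..1)
    last_normal_at: float  # epoch seconds of the last action judged "normal"

    def score(self, now: float) -> float:
        """Base score decayed by the time elapsed since the last normal action."""
        idle = max(0.0, now - self.last_normal_at)  # clamp clock skew to zero
        return self.base_score * 0.5 ** (idle / HALF_LIFE_S)

    def observe(self, now: float, normal: bool) -> None:
        """Normal actions restart the decay clock; anomalous ones cut trust."""
        if normal:
            self.last_normal_at = now
        else:
            # The clock keeps running, so an anomaly can only lower the score.
            self.base_score *= ANOMALY_PENALTY


def authorize(session: Session, criticality: str, now: float) -> bool:
    """Allow access only while the decayed score meets the data's threshold."""
    required = REQUIRED_SCORE.get(criticality)
    if required is None:
        return False  # unknown criticality label: fail closed
    return session.score(now) >= required


if __name__ == "__main__":
    s = Session(base_score=0.9, last_normal_at=0.0)  # constructed sample session
    for t in (0, 450, 900):
        print(t, round(s.score(t), 3), authorize(s, "high", t))
```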