Page 42 - FCW, May 2021
FCW Perspectives
at light speed that it’s bigger than the network,” one official recalled. “We’re talking about zero trust architectures, not just zero trust networking. Networking is a very critical subset of the discussion, but it’s really about that architecture.”
To illustrate that broader scope, consider the variables that can feed into a dynamic risk assessment, another official said. “I used a PIV card versus a username and password. There’s a different risk to those things. Did I come in on a mobile device? Is it a managed mobile device? Am I coming from a known network?” The data being accessed can also be an important indicator and so can the individual user’s overall performance or job status. “It’s got to be ongoing authentication. You’ve got to keep checking.”
One official pointed out that there are four main elements of a zero trust architecture. “The first, of course, is ICAM and identity. Next, we need to talk about data,” which includes the data to be protected and the data needed to assess risk and determine trust. Third is “the control fabric or the control plane, and that’s really all these technologies that we’ve been talking about.”
Finally, the official said, “we get to the fourth piece, which ACT-IAC calls the trust engine. NIST calls it the policy engine. And it’s really about where we are using tools and technologies like machine learning, artificial intelligence and even just robotic process automation” to make sense of all the data and grant or restrict access based on dynamic risk assessments.
The concept can extend even further than that, another official argued. “We’re talking about zero trust operationally, which is just fine, but you can look at this zero trust model even in the acquisition process.”
“Zero trust is a model, and the model changes over time,” another agreed. “SolarWinds is a good reality check. Here’s a product a lot of people are using. They trusted it on their network. They didn’t think it would be exploited. It was just a given, like we trust our inside employees.”
Ideally, zero trust should extend throughout the supply chain, that official added, but even a limited implementation would have helped minimize the impact of the SolarWinds breach by detecting “the lateral movement and the escalation of privilege.”
Whether the threat is ransomware, persistent nation-state attacks or “anything that’s self-propagating,” another participant said, zero trust is “incredibly effective in reducing the impact of all those types of attacks. So that makes it really, really key.”
Data, data and more data
Such a holistic monitoring and automated risk management effort requires a tremendous amount of data, the group agreed.
“There are datasets that you’re going to want to bring in that haven’t traditionally been there,” one official said. Physical access logs and data that usually lives with human resources are important. “Are we tied into the travel system? Are we tied into the performance system? Are we tied into onboarding and off-boarding? When we start to paint a picture about the risk and when understanding risk is quantified, we have to start thinking about these data sources” that don’t normally feed into a security information and event management system.
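To make the trust engine concrete, here is an added sketch (not from the FCW roundtable, NIST or ACT-IAC) of a policy engine that scores the signals the officials name above, including PIV versus password, managed device, known network, data sensitivity, HR status and travel, and re-evaluates them at every snapshot rather than once at login. The weights, thresholds and field names are constructed for illustration only.

```python
from dataclasses import dataclass

# Illustrative weights, constructed for this example; a real trust engine
# would tune these from the agency's own risk data.
AUTH_RISK = {"piv": 0, "password": 30}
DATA_RISK = {"public": 0, "internal": 10, "restricted": 30}
HR_RISK = {"active": 0, "offboarding": 20, "terminated": 100}

@dataclass
class AccessContext:
    """One snapshot of the signals the policy engine evaluates."""
    auth_method: str      # "piv" or "password"
    managed_device: bool  # is the (mobile) device agency-managed?
    known_network: bool   # did the request come from a known network?
    data_class: str       # sensitivity of the data being accessed
    hr_status: str        # fed from HR / onboarding / off-boarding systems
    on_travel: bool = False  # fed from the travel system

def risk_score(ctx: AccessContext) -> int:
    """Sum the per-signal risk contributions into a single score."""
    score = AUTH_RISK[ctx.auth_method] + DATA_RISK[ctx.data_class] + HR_RISK[ctx.hr_status]
    score += 0 if ctx.managed_device else 25
    score += 0 if ctx.known_network else 15
    # Travel only raises risk when combined with an unfamiliar network.
    if ctx.on_travel and not ctx.known_network:
        score += 10
    return score

def decide(ctx: AccessContext) -> str:
    """Map a score to a decision: allow, step-up (re-authenticate) or deny."""
    score = risk_score(ctx)
    if score >= 60:
        return "deny"
    if score >= 30:
        return "step-up"
    return "allow"

def continuous_evaluation(snapshots: list) -> list:
    """Re-evaluate at every snapshot ("keep checking"); once denied, the
    session stays revoked even if later signals look benign."""
    decisions, revoked = [], False
    for ctx in snapshots:
        decision = "deny" if revoked else decide(ctx)
        revoked = revoked or decision == "deny"
        decisions.append(decision)
    return decisions
```

A session that starts with PIV on a managed device from a known network is allowed, is asked to re-authenticate when it moves to an unknown network and restricted data, and is revoked as soon as the HR feed marks the user as off-boarding.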