US Federal Agencies are one of the perennial targets of advanced persistent threats. In May 2021, shortly after the SolarWinds, Colonial Pipeline, and Microsoft Exchange hacks, the White House issued an Executive Order to strengthen federal government computer systems and networks via Zero Trust architecture, among other measures. In September 2021, the administration released draft Zero Trust Architecture (ZTA) guidelines. On January 26, 2022, the Office of Management and Budget released a federal strategy designed to move the federal government toward a “zero trust” approach to cybersecurity. Agencies have until the end of September 2024 to meet five zero trust goals: identity, devices, networks, applications, and data.
Zero trust is a set of cybersecurity principles used by stakeholders to plan and implement an enterprise architecture that authenticates and verifies all systems, users, and devices.
A Zero Trust implementation strategy without a complete understanding of the fundamental components of Zero Trust is bound to fail. As defined by NIST SP 800-207: Zero Trust Architecture, the three core logical components of the ZTA are the Policy Decision Point (PDP), the Policy Information Points (PIPs), and the Policy Enforcement Point (PEP). These components may be operated as an on-premises service or through a cloud-based service.
As shown above, the subject enters through the Policy Enforcement Points and is evaluated by the Policy Decision Point.
If the subject is trusted, it is allowed access to the enterprise resources, monitored continuously using the control plane, and subjected to the control systems used to detect malicious actors.
The Policy Enforcement Point is the guard for trust zones that host one or more enterprise resources. It handles enabling, monitoring, and eventually terminating connections between subjects and resources. The PEP communicates with the Policy Administrator (PA) to forward requests and/or receive policy updates. This is a single logical component in ZTA but may be broken into two different components: the client side (e.g., an agent on a laptop) and the resource side (e.g., a gateway component in front of the resource that controls access), or a single portal component that acts as a gatekeeper for communication paths.
A Policy Decision Point combines a Policy Engine and a Policy Administrator. A PDP gathers the information necessary to verify subjects and their endpoints and supplies the information needed to approve or deny access requests that Policy Information Points evaluate. PDPs filter and respond to access requests and periodically re-verify the subjects, resources, and endpoints involved.
The Policy Engine is the element that handles the ultimate decision to grant, deny, or revoke access to a resource for a given subject. The PE calculates an identity's trust scores/confidence levels and based on enterprise policy and information, executes a correct decision based on the information gathered. The PE executes its trust algorithm to evaluate each resource request received promptly and efficiently.
The Policy Administrator executes the PE's decisions by sending commands to the PEP to establish and terminate connections between the subject and the resource. It generates any session-specific authentication and authorization token, or credential used by the subject to access the enterprise resource.
Policy Information Points consist of Identity, Credential and Access Management (ICAM), Endpoint Detection and Response (EDR), Security Analytics, and Data Security systems.
Policy Information Points (PIPs) take information from PDPs and continuously evaluate access to resources. PIPs also process and approve or deny access requests sent by PDPs.
ICAM includes the strategy, technology, and governance for creating, storing, and managing subjects (enterprise users and their endpoints), accounts, and identity records, and for monitoring their access to enterprise resources. This will include identity management, access and credential management, federated identity, and identity governance.
EDR/EPP (Endpoint Protection Platform) encompasses the strategy, technology, and governance to protect endpoints and their data from threats and attacks, as well as to protect the enterprise from threats from managed and unmanaged devices. Some of these devices might have ZTA baked into them, while some may not. EDR/EPP will include:
Security Analytics encompasses all the IT enterprise's threat intelligence feeds and traffic/activity monitoring. It gathers security and behavior analytics about the current state of enterprise assets and continuously monitors those assets to actively respond to threats or malicious activity. This information will feed the policy engine to help make dynamic access decisions. It will include SIEM, network monitoring, activity logging, traffic inspection, endpoint monitoring, threat intelligence, user behavior, correlation and analytics, SOAR, and security validation.
Data security includes the policies that an enterprise needs to secure access to enterprise resources and the means to protect data at rest and in transit. Data security will include data confidentiality, integrity, availability, and access policies.
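To make the control flow among these components concrete, here is an added toy model (not code from the page or from NIST SP 800-207) of the PEP forwarding a request to a PDP whose Policy Engine consults ICAM, EDR, Security Analytics and Data Security inputs, and whose Policy Administrator issues and revokes session credentials. All subjects, devices, scores and policy values are constructed sample data.

```python
import secrets

# Policy Information Points: constructed sample feeds, not a real ICAM/EDR integration
ICAM = {"alice": {"mfa": True, "roles": {"finance"}},
        "bob": {"mfa": False, "roles": {"finance"}}}
EDR = {"laptop-1": {"compliant": True}, "laptop-2": {"compliant": False}}
ANALYTICS = {"alice": 10, "bob": 60}                    # behaviour risk score, 0-100
DATA_POLICY = {"payroll-db": {"roles": {"finance"}, "mfa": True, "max_risk": 30}}

def policy_engine(subject, device, resource):
    """PE: combine ICAM, EDR, analytics and data-policy inputs into one decision."""
    ident, posture, policy = ICAM.get(subject), EDR.get(device), DATA_POLICY.get(resource)
    if not (ident and posture and policy):
        return False, "unknown subject, device or resource"
    if policy["mfa"] and not ident["mfa"]:
        return False, "MFA required by data policy"
    if not posture["compliant"]:
        return False, "endpoint not compliant (EDR)"
    if not ident["roles"] & policy["roles"]:
        return False, "role not permitted for resource"
    if ANALYTICS.get(subject, 100) > policy["max_risk"]:
        return False, "behavioural risk above threshold"
    return True, "all checks passed"

class PolicyAdministrator:
    """PA: turns PE decisions into session credentials and revocations for the PEP."""
    def __init__(self):
        self.sessions = {}                              # token -> (subject, device, resource)
    def establish(self, subject, device, resource):
        if not policy_engine(subject, device, resource)[0]:
            return None
        token = secrets.token_hex(8)                    # session-specific credential
        self.sessions[token] = (subject, device, resource)
        return token
    def reevaluate(self):
        """Continuous evaluation: revoke sessions whose PIP data no longer satisfies policy."""
        revoked = [t for t, s in self.sessions.items() if not policy_engine(*s)[0]]
        for t in revoked:
            del self.sessions[t]
        return revoked

class PolicyEnforcementPoint:
    """PEP: sole path to the resource; forwards requests to the PA and honours its tokens."""
    def __init__(self, pa):
        self.pa = pa
    def request(self, subject, device, resource):
        return self.pa.establish(subject, device, resource)
    def forward(self, token, resource):
        session = self.pa.sessions.get(token)
        return session is not None and session[2] == resource
```

Changing a PIP feed (for instance, marking a device non-compliant in `EDR`) and calling `reevaluate()` shows the continuous-monitoring half of the model: an already-granted session is revoked and the PEP stops forwarding traffic for it.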
There are several ways that an enterprise can enact a ZTA for workflows. Each of these approaches is characterized by different components used and by different sources of policy rules. Each approach to ZT considers all of the tenets, but one or two may be emphasized more than others. A full ZT solution will include elements of all three approaches. The three approaches include enhanced identity governance–driven, logical micro-segmentation, and network-based segmentation.
Some approaches are better suited to some use cases than others. An organization looking to develop a ZTA for the enterprise may find it advantageous to use one approach over another. While other approaches may work, they may prove more difficult to implement and may require more fundamental changes to how the enterprise currently conducts business.
We see the Zero Trust big picture and understand the scale of change required, from networks and identity to changing the organization itself to work more adaptively. We understand the 'why' of Zero Trust and the 'how'.
Our independence ensures our credibility as trusted advisors. It enables us to provide clients unbiased advice on the pitfalls and challenges in implementing Zero Trust while still allowing us to bring the right technical skills to the table.
Our assessment and planning tool supports clients in choosing their Zero Trust journey, helping them to make the right decisions along the way and flex the program to accommodate any changes during delivery.
We are passionate about partnering with clients on Zero Trust to work together to build innovative solutions and tackle the big challenges head-on.