As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Bren Briggs, the VP of DevSecOps at Hypergiant, shares insights on what Zero Trust frameworks should look like moving forward.
The federal government must adopt the Zero Trust information security framework. This is both a new legal mandate as of January 2022 and a fundamental shift in our information security model that matches the types of environments we are building and deploying today. However, it will be difficult for the government to meet its goal of full implementation by 2024. Furthermore, unless significant changes are made, the government will likely fail to adopt Zero Trust frameworks altogether, leaving agencies with a patchwork of policies and controls not much different from what we see today.
Zero Trust as a framework emerged sometime around the late 90s and early 00s but became well known when Google began implementing their BeyondCorp model. In Zero Trust, the traditional model of a network enclave with a single ingress point is replaced with an identity and inventory-driven, perimeter-less authentication and authorization model where trust between devices or services is not granted implicitly. Instead, every request for network resources, from a call to a webpage to SSH connections, must be authenticated and authorized individually. This typically involves a sophisticated infrastructure composed of a robust inventory and asset tracking system, critical public infrastructure, and access proxy coupled with an authorization mechanism and rules engine.
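The per-request decision described above, with an inventory, an identity, and a rules engine combined in one place and network location deliberately left out of the decision, is easier to see in code. The following is an added illustration, not code from the article, from Google's BeyondCorp, or from any agency; the inventory schema, role assignments, and rule format are assumptions, and all sample data is constructed.

```python
"""Minimal per-request authorization in the style of a Zero Trust access proxy.

Added illustration: the inventory schema, roles, and rules below are assumed and
the sample data is constructed. Identity and device are taken to have been
verified already by a PKI-backed credential (for example a client certificate).
"""
from dataclasses import dataclass
from fnmatch import fnmatch

# Inventory: only devices the organization knows about may reach anything.
# Constructed sample data; schema is an assumption.
DEVICE_INVENTORY = {
    "laptop-1042": {"owner": "alice", "managed": True, "patched": True, "tier": "trusted"},
    "laptop-2077": {"owner": "bob", "managed": True, "patched": True, "tier": "basic"},
    "laptop-3001": {"owner": "dave", "managed": True, "patched": False, "tier": "trusted"},
    "byod-0001": {"owner": "carol", "managed": False, "patched": True, "tier": "untrusted"},
}
TIER_RANK = {"untrusted": 0, "basic": 1, "trusted": 2}

# RBAC: user -> roles. Constructed sample data.
USER_ROLES = {
    "alice": {"engineer", "admin"},
    "bob": {"engineer"},
    "carol": {"contractor"},
    "dave": {"engineer"},
}

# Rules engine: resource pattern -> required role set and minimum device tier.
# First matching rule wins; anything with no rule is denied.
RULES = [
    {"resource": "ssh://prod-*", "roles": {"admin"}, "min_tier": "trusted"},
    {"resource": "https://wiki.internal/*", "roles": {"engineer", "contractor"}, "min_tier": "basic"},
    {"resource": "https://hr.internal/*", "roles": {"engineer", "admin"}, "min_tier": "basic"},
]


@dataclass(frozen=True)
class Request:
    user: str        # identity from the verified credential
    device_id: str   # device identity from the verified credential
    resource: str    # what is being asked for
    source_ip: str   # kept for logging only; never consulted for the decision


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def effective_tier(device: dict) -> str:
    """Unmanaged or unpatched devices are capped at the lowest tier regardless of label."""
    if not device["managed"] or not device["patched"]:
        return "untrusted"
    return device["tier"]


def authorize(req: Request) -> Decision:
    """Decide one request from identity + inventory + rules.

    Being 'inside' the network (req.source_ip) grants nothing: it is not an input.
    """
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        return Decision(False, "unknown device")
    if device["owner"] != req.user:
        return Decision(False, "device not assigned to this user")

    tier = effective_tier(device)
    roles = USER_ROLES.get(req.user, set())
    for rule in RULES:
        if fnmatch(req.resource, rule["resource"]):
            if not roles & rule["roles"]:
                return Decision(False, f"missing required role: {sorted(rule['roles'])}")
            if TIER_RANK[tier] < TIER_RANK[rule["min_tier"]]:
                return Decision(False, f"device tier {tier} below {rule['min_tier']}")
            return Decision(True, f"matched rule {rule['resource']}")
    return Decision(False, "no rule for resource")  # default deny


if __name__ == "__main__":
    # Constructed requests; the internal address on the last two changes nothing.
    for r in [
        Request("alice", "laptop-1042", "ssh://prod-db01", "203.0.113.7"),
        Request("bob", "laptop-2077", "ssh://prod-db01", "10.0.0.5"),
        Request("dave", "laptop-3001", "https://wiki.internal/home", "10.0.0.6"),
    ]:
        d = authorize(r)
        print(f"{r.user}@{r.device_id} -> {r.resource}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

The design point is that the decision function has three inputs, identity, inventoried device state, and policy, and that a request from an address inside the enclave is evaluated exactly like one from outside. The inventory is what makes the device checks possible, which is why the article calls a robust inventory and asset tracking system a prerequisite rather than a nice-to-have.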
This architecture heavily favors public cloud deployments, like AWS, which are challenging to integrate into the traditional enclave model. In fact, the “zero trust” model and “cloud-native” philosophy are overlapping and complementary. Unfortunately, there are countless offices and on-premise deployments covered by the new Zero Trust mandate for which there will be no easy or straightforward migration path.
Google’s published research provides a wealth of information on the realities of building and migrating to such a model for a large enterprise. If the federal government wishes to implement Zero Trust frameworks, it has few organizations to learn from whose size, budget, and security requirements closely match its own, and even fewer that can boast a mature Zero Trust implementation. The US government also faces additional implementation challenges, including low wages and recruitment difficulties, changing political winds, and the often-capricious nature of federal funding.
Historically, the federal government excels at a few things that can give it an advantage here:
- A large bureaucracy can help distribute and implement changes
- They excel at data collection and retention, which helps with inventorying of devices and users
- Public Key Infrastructure (PKI) is already baked into the entire federal IT infrastructure
- Role-based access control (RBAC) is already baked into the infrastructure and culture
Unfortunately, the one thing the government is best at is potentially the thing that will hinder them the most: bureaucracy. Compared to private sector enterprises of similar size, the federal government moves at a snail’s pace. What took Google the better part of a decade to achieve could take the government decades. Much has to change if they hope to meet this very aggressive 2024 deadline for compliance.
The two significant elements that will drive the success of this initiative can be gleaned from Google’s published research: providing the infrastructure as a service, and a slow, disciplined approach to migration. Federal agencies can only meet their compliance requirements by focusing on what is unique to their own organizations, rather than doing “undifferentiated” work and solving the same problems separately by re-implementing standard components like inventory and device management or an identity proxy.
To meet this aggressive 24-month deadline, the Cybersecurity and Infrastructure Security Agency (CISA) must provide Zero Trust Components as a Service to federal agencies and the entire Defense Industrial Base to prevent duplication of work. Additionally, DoD-internal groups such as PlatformOne should be leveraged to provide new tools and services which will inevitably be required. Given the long tail of complex and legacy systems that will prove difficult to integrate, CISA must also proactively engage agencies with consulting services and training to ensure a successful implementation.
Historically, the government does not have the best track record of significant changes to IT infrastructure. Rushed projects with sweeping changes are a recipe for failure in any enterprise, but especially for a bureaucracy as large as the federal government. One only has to look to the most recent delayed rollout of the Cybersecurity Maturity Model Certification (CMMC) as an example. To succeed in their Zero Trust initiative, the government must do the following:
- Extend the timeline from 24 months to a more staged deployment over a more extended period.
- Build and offer Zero Trust components and tools as a Service to agencies and the Defense Industrial Base (DIB).
- Engage early and often with agency leaders to develop a plan and keep them on track.
- Provide education and training for practitioners tasked with developing and implementing Zero Trust in federal systems.
- Understand, accept, and communicate that this must be a gradual, phased approach, and that even the best organizations in the world take years to migrate.
As an airman, a civilian contractor, and now a consultant to federal agencies, I’ve seen changes like this firsthand throughout my entire career. Coaxing the machinery of bureaucracy into movement and achieving buy-in at all levels of government is a monumental task that’s fraught with risk. The Cybersecurity and Infrastructure Security Agency (CISA), National Institute of Standards and Technology (NIST), and Office of Management and Budget (OMB) have taken the first steps in preparing agencies for Zero Trust. However, this is only the beginning, and success is not guaranteed. By following the steps outlined, leaders can take proactive measures to enhance their security and prepare for future challenges.