Julie Preiss, May 18, 2021
Executive Order Mandates Agencies Must Implement Zero Trust
Zero Trust Expert Dr. Chase Cunningham Weighs In
An Executive Order issued by President Biden on May 12 aims to make significant strides in minimizing damaging cyberattacks such as those recently perpetrated against Colonial Pipeline and SolarWinds. The order notes that the U.S. faces “persistent and increasingly sophisticated malicious cyber campaigns” that ultimately threaten the nation’s security and privacy. Last week’s images of empty gas pumps across the Southeast are evidence of just how quickly a cyberattack can impact everyday lives.
While the order is far-ranging, addressing everything from information sharing to supply chain security, this blog focuses on the mandate to implement a Zero Trust (ZT) architecture, found in Section 3, "Modernizing Federal Government Cybersecurity." It says that within 60 days each agency must develop a plan to implement a Zero Trust architecture, incorporating the migration steps set out in guidance from the National Institute of Standards and Technology (NIST SP 800-207, Zero Trust Architecture). The same section directs that agencies' migration to cloud technology adopt Zero Trust architecture as well.
The clock is now ticking toward a July deadline. While the industry has increasingly rallied around the concept of Zero Trust over the past two years, many organizations have yet to implement a strategy. There are various valid reasons why. Common ones we hear when talking to our government and enterprise customers include:
- We’ve sunk a lot of money into our existing security stack and don’t want to lose the investment.
- Our IT environment is complicated and we’ve got apps scattered across the data center and the cloud.
- We’ve still got legacy mainframe apps that won’t work with modern Zero Trust technology.
- And, most often: we don’t know where to begin!
The Executive Order makes the journey toward Zero Trust inevitable and imminent, so the time to figure out how to get there is now.
To help make this complicated topic more digestible, we turned to Zero Trust expert Dr. Chase Cunningham and asked him to describe the journey in layman’s terms. His well-thought-out response follows.
Making Zero Trust Easier - Dr. Chase Cunningham
The common point of contention for any organization, whether public or private, that seeks to enable the strategy of Zero Trust is, “this seems too hard.” Or, “we don’t know where to start.” To be honest, these are pretty fair things to state because restructuring your entire security infrastructure may seem a daunting task. But that’s not necessarily the case, especially with the technology that exists today. The new Executive Order makes it an imperative for government agencies to make fast progress on their journey. I believe it’s possible to enable a Zero Trust approach and do so with a minimally painful implementation. Let’s explore this.
John Kindervag, the “Godfather” of Zero Trust (its creator, if you will), has long espoused the virtues of using a Zero Trust approach to answer what he called “Kipling Questions”: the who, what, when, why, where and how of Zero Trust. These questions come from a Kipling poem, so let’s look at a portion of that poem for a second.
I Keep Six Honest Serving-Men, Rudyard Kipling
I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.
I send them over land and sea,
I send them east and west;
But after they have worked for me,
I give them all a rest.
Now if you read what Kipling wrote here—and yes, it was more than 100 years ago—his main point is valid. He gained extensive insight into almost everything by focusing on those six points. If he knows the answer to all of them, he can “give them all a rest.” Essentially, he believes he can make an informed decision once he has those six things covered.
If we step back, we can see that Kipling’s questions and Kindervag’s points make a lot of sense. Answering those questions is what we need to do in any cybersecurity context. Simple, right?
When you strip all the technology stuff away and look at things in this light, you can see that if you can accurately, intelligently and continuously answer those questions at scale, then you can make an informed decision about anything cyber-related and apply a control to that decision point. Problem solved. This applies in the case of on-premises, remote users, home users, branch offices, cloud, whatever. If you can validate that your Kipling questions are answered, your ZT policy can be applied effectively.
Ok, great. But what about the technology that is needed to do that and what about the many moving parts to actually employ that poetic strategy?
Good questions. Let’s explore the specifics of that a bit further. In the realm of cybersecurity, our Kipling questions should be the following:
- Who: What user should be accessing an asset, resource or data item?
- What: Which application is being used to access a resource?
- When: At what specific time is the resource being accessed and does that make logical sense?
- Where: Where is the connection destined, and where did it physically or logically come from?
- Why: Does the request make contextual sense, and is it valid as validated by telemetry?
- How: What device is in the mix here and does that device fit into the contextual and logical request picture?
Zero Trust is an amalgamation of these above points, intelligently coordinated in an automated fashion to ultimately apply a control – or to not apply one. And you cannot do that in a singular, non-technically-enabled fashion. In other words, you cannot answer those questions at speed and make an intelligent decision without a technology that enables that process. This is where a platform approach comes into the mix.
Technology here becomes part of the poetic approach as you can more effectively address those Kipling questions with a solution that correlates and integrates data points, such as:
- User-ID: Identifies users and enables you to control who accesses a resource in policy. Allow access only to individuals, groups and devices that have legitimate business reasons to access a resource.
- What application is used to access the resource? Use an App-ID or tag, which identifies applications regardless of port, protocol or evasive tactics so that you allow only the right applications on your network.
- When do users access the resource? Contextual data lets you know if a request is valid based on the user’s needs. This enables you to simply apply a policy around apps so that users can only access them when certain conditions apply.
- Where is the resource located? If your user is in Dallas, why are they connecting from Moscow? It’s not a logical connection, so stop it. You can start by approaching the question from default/deny for any locality where you don’t have users and work your way backward from there.
- Why is data accessed? What is the data’s value if stolen or ransomed? If this is a crown jewel type of resource, then apply controls stringently. If not, you can be more permissive and dynamic but still maintain control.
- How should you allow access to the resource? If it should only come from an internal asset, then nothing else should be allowed. It’s the cornerstone of a least-privileged access policy under Zero Trust.
The Kipling questions help simplify the points around enabling ZT and make it easier to understand – and implement. If you focus on answering those questions in real time and make intelligent decisions about the control you apply, your security posture improves and you are empowering Zero Trust in your infrastructure. Zero Trust doesn’t have to be impossible, even under an imposed timeline. If approached correctly, this IT-heavy, techy thing can be poetry in motion.
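To make the six questions concrete, here is an added example of a small policy decision function that evaluates each access request against the who, what, when, where, why and how of a resource and refuses by default. This is illustration added for this page, not code from the post, from Dr. Cunningham, or from any product; the resources, groups, countries, time windows and posture rules are all constructed, and the order of checks and the step-up-MFA rule for travelling users are design choices of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: localities where the organization actually has users.
# Any other source is refused by default (default/deny on locality).
ALLOWED_COUNTRIES = frozenset({"US", "CA", "GB"})


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_groups: frozenset          # Who may reach it
    allowed_apps: frozenset            # What may be used to reach it (App-ID, not a port)
    classification: str                # Why it matters: "public", "internal", "crown_jewel"
    hours_utc: tuple = (0, 24)         # When it may be used: [start, end) hour, UTC
    managed_device_only: bool = False  # How: only from an internal, managed asset


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # group membership asserted by the identity provider
    app: str                 # application identified by content, not by port/protocol
    when: datetime           # request time, UTC
    source_country: str      # where the connection came from
    home_country: str        # where this user normally works
    device_managed: bool     # device is enrolled in management
    device_compliant: bool   # device passed its posture check
    mfa: bool                # session was established with strong authentication


def decide(req: Request, res: Resource) -> tuple:
    """Answer the six questions in order; the first unsatisfied one denies.
    Returns (allowed, reason)."""
    if not (req.groups & res.allowed_groups):                        # Who
        return False, f"who: {req.user} is in no group entitled to {res.name}"
    if req.app not in res.allowed_apps:                              # What
        return False, f"what: app {req.app!r} is not permitted for {res.name}"
    start, end = res.hours_utc                                       # When
    if not start <= req.when.hour < end:
        return False, f"when: {req.when:%H:%M}Z is outside the {start:02d}-{end:02d} window"
    if req.source_country not in ALLOWED_COUNTRIES:                  # Where
        return False, f"where: no users in {req.source_country}, default deny"
    if req.source_country != req.home_country and not req.mfa:
        return False, "where: source differs from home location, step-up MFA required"
    if res.classification == "crown_jewel" and not (req.mfa and req.device_compliant):  # Why
        return False, "why: crown-jewel resource requires MFA and a compliant device"
    if res.managed_device_only and not req.device_managed:           # How
        return False, f"how: {res.name} is reachable only from managed assets"
    return True, "allow"


# Constructed sample resources: one crown jewel, one low-value internal app.
PAYROLL = Resource("payroll-db", frozenset({"finance"}), frozenset({"payroll-web"}),
                   "crown_jewel", hours_utc=(12, 23), managed_device_only=True)
WIKI = Resource("wiki", frozenset({"staff", "finance"}), frozenset({"web-browsing"}),
                "internal")


def sample_scenarios() -> dict:
    """Constructed (request, resource) pairs: one failure per question plus two allows."""
    noon_us = datetime(2021, 5, 18, 15, 0, tzinfo=timezone.utc)
    base = dict(user="alice", groups=frozenset({"staff", "finance"}), app="payroll-web",
                when=noon_us, source_country="US", home_country="US",
                device_managed=True, device_compliant=True, mfa=True)
    return {
        "ok": (Request(**base), PAYROLL),
        "wrong_group": (Request(**{**base, "groups": frozenset({"staff"})}), PAYROLL),
        "wrong_app": (Request(**{**base, "app": "ssh"}), PAYROLL),
        "after_hours": (Request(**{**base, "when": noon_us.replace(hour=3)}), PAYROLL),
        "from_moscow": (Request(**{**base, "source_country": "RU"}), PAYROLL),
        "travel_no_mfa": (Request(**{**base, "source_country": "GB", "mfa": False}), PAYROLL),
        "byod_crown_jewel": (Request(**{**base, "device_managed": False,
                                        "device_compliant": False}), PAYROLL),
        "unmanaged_compliant": (Request(**{**base, "device_managed": False}), PAYROLL),
        "byod_wiki": (Request(**{**base, "app": "web-browsing", "device_managed": False,
                                 "device_compliant": False, "mfa": False}), WIKI),
    }


def run() -> dict:
    """Decide every sample scenario; returns name -> (allowed, reason)."""
    return {name: decide(req, res) for name, (req, res) in sample_scenarios().items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run().items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY '} {reason}")
```

The point of the ordering is that every denial names the question that went unanswered, which is what an analyst needs when tuning policy, and that the same user and device get a permissive answer for the wiki but a strict one for payroll: the stringency follows the value of the data rather than the network location of the client.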
- Free e-copy: Zero Trust: An Enterprise Guide, by Jason Garbis
- e-Book: Zero Trust Network Access: Everything You Need to Know
- Analyst report: A Practical Guide to a Zero Trust Implementation from Forrester