Dr Charlotte M. Farmer (CMF), current Director for the Center of Programs and Technology Operations at MITRE, converses with experts on a Zero Trust approach to cybersecurity.

Introduction

Circa 1984–1987, the saying ‘trust, but verify’ became internationally known after Suzanne Massie, an American scholar, taught it to President Ronald Reagan, who used it on several occasions in the context of nuclear disarmament discussions with the Soviet Union. ‘Trust, but verify’, along with derivatives like ‘trust and verify’, eventually shaped many facets of the economy and culture as it was relevant to multiple sectors. Fast forward to 2019, and ‘never trust, always verify’ gains momentum in the context of cybersecurity. Experts in the field sparked a movement centred on the belief that trust is a vulnerability, and security must be designed with a ‘Zero Trust’ strategy. The United States House of Representatives, the National Institute of Standards and Technology, and the National Security Agency recommend that all government agencies adopt Zero Trust in the wake of cyber-attacks including the Solar Winds1 attack that led to data breaches in thousands of organisations around the globe including multiple US Federal agencies. This article highlights relevant aspects of Zero Trust cybersecurity for chiefs of staff and other leaders in enterprise operations.

The article is a transcript of a conversation convened between members of the CyberEdBoard, a community of global cybersecurity senior leaders. The author is Dr Charlotte M. Farmer (CMF), current Director for the Center of Programs and Technology Operations, MITRE, who previously worked across Federal agencies and Fortune 500 Companies. The author convened a conversation with two thought leaders, trusted advisors, and authors in the field of cybersecurity to get to the crux of the Zero Trust framework and elicit guidance for early adopters: Zachery S. Mitcham (ZSM), the EC Council 2018 CISO of the Year; and John Kindervag (JK), a widely known Zero Trust expert.

CMF: Before we start the discussion, please provide background and context of Zero Trust. Help readers understand what adoption of Zero Trust looks like in an organisation.

ZSM: The goal of any viable and effective information security program is to create a ubiquitous culture of security that is pervasive throughout the organisation. Zero Trust considers multiple aspects of the organisation including (but not limited to) workforce, enterprise, and technology.

Workforce aspect.

Empirical evidence indicates that an organisation’s strongest asset, its workforce, can be the weakest link in its information system. Natural tendencies, proclivities, and implicit biases allow for system vulnerabilities. Securing the human begins with rigorous, adaptive training combined with campaigns that emphasize both personal and enterprise implications of security breaches. False negatives and positives result as causation of these human frailties. Securing the human begins with education about the negative effects of lapses in security. Often, the cyber-attacker focuses on the human as the primary target of their attack. It is therefore imperative that security awareness training is mandated for the workforce throughout the organisation. Senior management, from the organisation’s governing authority to the CEO and all throughout the entire chain of command must set the example by providing leadership and being actively engaged with the effort to maintain a culture of security within the enterprise.

Enterprise aspect.

Like Sarbanes-Oxley legislation, cybersecurity legislation will compel corporate boards to have knowledge of what occurs within the organisation’s IT operations. Failure to fully implement zero-trust architecture within our technological infrastructure grid resulted in exposure of weaknesses in supervisory control and data acquisition (SCADA) systems; thereby, placing them at risk of being exploited by future cyber-attacks. It would be wise to prepare for legislation on the horizon which holds corporate boards and C-suite executives personally accountable for security breaches.

State-sponsored and criminal cyber-attackers have exposed system and infrastructure vulnerabilities to unauthorized information system intrusions. Recent supervisory control and data acquisition (SCADA) ransomware attacks on critical infrastructure (e.g., supply chain, food distribution system, Solar Winds, Colonial pipeline, JBS Foods) has heightened situational awareness of American citizens. The US government bears responsibility for defending its citizenry, at all levels, against all enemies foreign and domestic despite whatever the type of attack it may be, cyber, military, pandemic, or directed-energy attacks that are making government employees sick throughout the world.

As such, on 12 May 2021, President Biden issued Executive Order 14028 to Improve National Security in Cyberspace. The executive order establishes a timeline to meet these foundational objectives:

  • Mitigation and prevention of advanced cyberattacks through the adoption of cloud technologies, strengthening asset management methods, and mapping policy enforcement with zero-trust architecture.
  • Increase information sharing between agencies and transparency into cyber incidents by standardising reporting and communication methods at all federal agencies.
  • Create standards for logging techniques, communicating incidents, and remediation techniques between information/operational technology providers and the federal government.
  • Items featured in the executive order expound on the Office of Management and Budget Memorandum M-19-17 relative to enabling the delivery of the mission conveyance via refined credentialing, access control management and identity validation.

In 2020, Okta surveyed companies to learn how organisations around the world think about Zero Trust. North America leads with 60% of respondents embarking on Zero Trust initiatives. Australia and New Zealand are not far behind, with 50% saying they have Zero Trust projects underway, whereas Europe and the Middle East are lagging, with under 18% on board.

Currently no government in the Asia Pacific region has adopted Zero Trust as its cybersecurity agency’s framework. There is no current mandate to use a zero-trust architecture for European Union countries. The U.K.’s National Cyber Security Centre published Zero Trust Architecture Design Principles 1.0 on 23 July 2021, however, no mandate to use Zero Trust appears to be in place. Australia and the United Kingdom have started the process of introducing Zero Trust Architecture guidance. Australia’s Essential Eight maps to elements of the Zero Trust framework. The Essential Eight are recommendations to secure federal entities and improve cybersecurity protections. In July 2021, the Attorney General’s Department announced plans to extend the protective security policy framework (PSPF) to require implementation and audit of all eight areas.

Technology Aspects

Intellectual property, personal identifying information, and other forms of sensitive data are electronically pilfered non-stop. Anything with an internet protocol (IP) address can be hacked (e.g., individuals, enterprises, businesses, organisations, nations) no one, nothing is safe. Zero Trust Architecture helps mitigate the risk of system and data compromise when implemented correctly. Implementation considerations include, but are not limited to the following:

  • NIST 800-207 Compliance. The national standard that governs the Zero Trust Architecture. The primary focus of this architecture is the protection of information system resources such as network accounts, services, and assets.
  • Continuous Diagnostic and Mitigation Program. Continuous monitoring of all devices, applications and services that run on the devices is essential to the understanding of activities that are occurring within the network.
  • Primary Zero Trust tenets and framework. Access control of the user, endpoint and application is the primary focus of zero-trust architecture. Authentication and authorization of users, endpoint, application, and continuous/dynamic monitoring thereof are of paramount importance to safeguarding the integrity of the data being protected.
  • Securing Data, Cloud/Application, and Services. Zero Trust Architecture assists with securing cloud services by diverting primary focus away from the organisation’s perimeter and shifting focus to outsourced collaborative computing services (i.e., the cloud). The enterprise can, therefore, provide security to data and systems irrespective of where it resides and trusts no user, device, or application until it has been fully vetted via authentication and authorization methods. To be effective, Zero Trust Architecture must be embedded pervasively throughout the enterprise’s technological security systems.
  • Securing Endpoints/Devices. Security software must be installed on user devices (e.g., desktop, laptop, tablet, smart phone, etc.) that provides continuous defence against unauthorized use (both on-line and off-line). Due to increased demand for employees to work remotely, several organisations utilize virtual private networks (VPN) to extend the security of the office to remote locations. Given the recent surge in cyberattacks, more and more organisations are moving away from VPN technology to software defined wide area network (SD-WAN) technology. While both VPN and SD-WAN offer high levels of security, SD-WAN provides greater resilience to single points of system failure. Users of VPN are vulnerable to end-point exposure which may vary widely. The SD-WAN is more fault tolerant than the VPN in that it has failover capabilities that the VPN does not. For example, during a network outage, the SD-WAN transfers users’ internet protocol (IP) addresses to viable connections to ensure business continuity. The SD-WAN does not require user interaction to secure their connection. This is a plus when it comes down to Zero Trust Architecture because all points of engagement require vetting. SD-WAN provides security through extension of automated (off-premises) cloud-based services enabling organisations to reduce overhead costs associated with ubiquitous network security. Corporate Boards should ask Chief Information Security Officers for the best possible approach that fits their organisation’s business needs.
  • Securing Network Accounts. Devices no longer work as standalone or in isolation which is the only way that you assure that they are secure. Even then it is no 100% guarantee due to the human element involved. Devices of all kinds are distributed and interconnected locally and over long distances. In the beginning networked computers were designed to be open and collaborative. All that changed in 1988 with the introduction of the Morris Worm. The Morris Worm introduced the idea that computers could be unfavourably affected by an unauthorized user. Trust became a thing of the past and security became the new paradigm. Fast forward to Zero-trust architecture, ‘Trust no one and nothing,’ when it comes to network accounts. This means every user, device and application from the local area network or in the cloud had to earn trust and be given the least privileges necessary to conduct their tasks. Prior to Zero Trust variants could easily bypass security at the edge of the perimeter if given free access. Zero trust requires organisations to assume that all devices, users and applications have been compromised potentially.

Five Steps of the Zero Trust Program

CMF: Thank you for establishing background and context Mr. Mitcham. Mr. Kindervag, what is the crux of the Zero Trust program, the crux of the construct that makes it go?

JK: Well, the crux is to figure out that you can’t protect anything until you understand what you can protect. That’s called a protect surface. I’m on these calls all the time, where everybody is positioning their product. I’ll finally at some point say, ‘What are we trying to protect?’ and then they go, ‘Oh, I haven’t thought about that.’ If I know what to protect, then I can know how to build it. And so, I built a simple five step methodology. I use it every day.

‘The crux is to figure out that you can’t protect anything until you understand what you can protect.’ – John Kindervag

The first step is to find the protect surface, what are you going to protect— that’s called a data element. ‘DAAS’ is easy to remember, the acronym that stands for data, applications, assets or services. Next, you’ll see this represented in the DISA guidance. You take a single data element, you put it into a single protect surface, and then you architect everything around it. We’ve defined the protect surface as a high value asset, say, the OPM data that was stolen.

Okay, now the second step is to understand the transaction flows. How does the system work together? We can’t protect the system until we understand how it works.

The third thing we do is we architect the controls for the protect surface. Too often we start with the architecture before we know what needs protection. Every zero-trust environment needs to be tailor made for the protect surface, so I can’t tell you what controls you need, until I know what I’m protecting.

The fourth step is writing policy. That’s called the Kipling method. And I can use that ‘who, what, when, where, why, and how’ methodology to define a protect surface.

Who should be accessing a resource, this is a layer seven instantiation of say, source IP. And this is where we do all the identity stuff, what, by what application? Should I be allowed to access the resource, because in almost all cases, resources, or app access for your applications, so I can define that all the way up at layer seven instead of just at port and protocol. The third step is who, what, when we need more time delineated rules? We don’t do that very often. But a lot of rules should be turned off if nobody’s using them, you know, consistently.

Where is that located? This again, is you know, because we have certain rules that say, you can go to the cloud, but only in this geographic area, we need to understand that.

Why is data for classification, reading the metadata from the classification? I have written about how we can reinvent that. But, if we do that, we can then bring in that metadata to help inform policy.

And then the how statement is all the separate criteria that we do. You typically run a packet through, you know, a whole bunch of different technologies, you know, IPS and content filtering and sandboxing. What you try to do, the reason I like next generation firewalls, is they collapse all that technology. And you can apply that in a single rule. I have one customer in the US military, they have twenty-two hops to get outbound on the internet, it’s over 100 milliseconds of delay. And, you know, I mean, that’s just unheard of in the corporate world. But in the military world, everybody’s so concerned that they’re just putting more stuff in place. And, that’s not helping, because you end up kind of decrementing the policy just to get the packet moving.

And you want to be very targeted in how you apply that policy, so that Kipling method policy really helps people understand how to write policy, they can read it, and then they can audit it, and they can constantly update it.

And then the fifth step is to monitor and maintain. Take all the telemetry that we’re getting from our controls, analyse it, automate actions against bad things, and then take the learnings we haven’t filtered through those other four steps, so that we can make the system resilient. Taleb in his book, Anti-Fragile, gave me the vocabulary to talk about what I’ve been trying to build, which is a system that with more data gets stronger and stronger over time. Zero Trust is an anti-fragile system.

And those five simple steps are what you apply to any protect surface. Once you understand that, then it becomes an algebraic equation, the variable, x is the protect surface, solve for x. And, once you get that, then it’s a very simple way to do it, you know, and we’re not just doing it, reinventing the wheel every single time that we start a new project

ZSM: More and more corporate leaders are being held accountable for the impact associated with cyber-attacks. How can a company successfully implement Zero Trust? And the implementation from all layers, horizontal and vertical? You talked about the five pieces that are necessary to be successful. How would a company that is used to being open like academia be successful in implementing the zero-trust construct?

JK: A lot of people are just used to having access to resources, but they don’t need to have access to all sources. So, you say, well, do you really need to have access to that? If it’s a published paper that’s publicly available, fine, but if it’s intellectual property, or very sensitive research, then you must be very judicious on how you allow that access. And so, somebody must make those hard decisions about whether they’re going to allow that, and part of that is cultural change.

One of the reasons I talk about the grand strategy is that I can get cultural changes done from the top down. The chiefs of staff, boards, leadership, what they do is they change the incentive structure and say, it’s okay to do this. If you think about the military, versus academia, the military way, you’re told you don’t need to know this, just go do it. You don’t question that. And that’s because the incentives are there. I see this in hospitals all the time, where people have access to data that they shouldn’t have access to. People have been fired, because there was some high-profile case and they wanted to find out what the medical records were in a clear violation of HHS, and HIPAA.

The question is, do you need to have access to get your job done? And if you can’t answer that, if it’s just because you’re curious, or you feel so self-important that you want to get access to everything, then there’s a problem. And yes, you can hit anything I say, you can reference it; it’s all public. I’m trying to get this out there. I’m trying to change the world just a little bit at a time every single day. What the President did, with the executive order that came out on modernising cybersecurity, and part three was about zero trust, he has changed the incentive in the U.S. federal government.

Everyone Must be Responsible for Zero Trust

ZSM: How do we get that force-multiplier perspective since everybody can’t be a Chief Information Security Officer? Everybody can do something in a way that permeates the whole organisation. Using a military metaphor, every General, every private knows how to shoot a weapon, right? One might be an expert, the other might not. But, at the very least, you have a minimum amount of information that you must retain, as a soldier, sailor, airman, or marine to be successful in any military operation.

In cultural change from the Chief Information Officer (CIO) down to the person in the action, he should have some idea of you know what, this guy doesn’t have a need to know the person at the help desk, why they asked him in his question, to be conscious of what’s always going on around you.

JK: You want to have people shadowing each other? We should avoid leaving a job before our time is up. My dad was in the military and after a certain amount of time he knew that he was getting transferred. And that’s okay, if you’re transferring from one military intelligence post to another, but in certain things when you’re working inside of the cybersecurity realm it is different. It takes years to build up that level of experience. What you want to do is bring those people in, give them challenging positions, rather than transferring them out as soon as they get good.

A colonel in the Air Force said to me, ‘look, in the enterprise, you have people with eighteen years of experience doing a particular job, and, I have an eighteen-year-old, who I have to teach to do the same job. So that you know, that’s a completely different thing. And then in certain parts of the government, once you get good at something, they transfer you out of it, this is the problem I’ve had in continuity, in working with the military and other people, I’ll spend a year, two years working with somebody getting them to really understand it, and then they get transferred into a different command a different position. And they had a question so that they’re still in place doing that, you know, they have a higher role, but they’re doing the same place, but they haven’t got transferred out into something completely different. And, some sort of specialization would be helpful inside the US government instead of transferring people around based upon their seniority levels, whatever that’s called.

‘I’ll spend a year, two years working with somebody getting them to really understand it, and then they get transferred into a different command a different position.’

Encourage them to stay because there’s not enough good people so that they can spend their career hyper focus on this thing that requires hyper focus. Change some of the paradigms on how the government deals with personnel. One of the top people that I’d worked with for three years decided to transfer to a different command, completely unrelated to cyber because there was no way to get promoted. We need to promote within the same Cyber Command because we need those really highly talented people to be focused on sharpening their skills and growing into leaders. You need good people who are cyber people who have gone from being a programmer to being a general officer who is functionally a Combat Systems Officer in the military.

It’s like Special Forces in a way, I have a lot of friends who are special forces. And as I understand it, and it could be mythology, but from talking to them, once you’re in Special Forces, they don’t just randomly transfer you out into the quartermaster Corps. Right? Once you’re a Navy Seal, you’re a Navy Seal; and, your Military Locator System (MLS) might change a little bit. But in general, you’re going to always be there for the rest of your career and retire in that role. And we could do that for cyber warriors because we are all fighting the same cyber war.

The unique thing about it is that the military and the private enterprise are fighting the same cyber war because we’re all living in the same bad neighbourhood. We’re all directly connected to the world’s worst malicious actors because there are no suburbs on the internet. And so, how cyber war differs from kinetic war is that in kinetic war, you must be proximate to an adversary to attack them. But proximity is not a requirement in cyber war, because they’re always proximate to us. They’re directly connected to us through the internet and have the tools and techniques they need to launch an attack. If you ask the question, ‘will I be attacked today by any particular adversarial group?’ The answer is invariably, ‘yes’.

ZSM: That’s right, they think that they can leverage the resources from them to do some like crypto mining.

JK: That’s what they would do in the modern world. It’s understanding that this adversarial relationship we have is so much different. Now, we’re all warriors. We didn’t get drafted. We didn’t enlist, we just became warriors. And that’s the thing you can grab a hold of, to know that you’re making a difference. If you find a misconfiguration in your company’s policy and fix it, you just made a big difference in that company. Just in doing that simple thing, just by being diligent.

So, the big message to leadership is change the incentives so that it’s okay to do the right thing. I was talking to somebody who was at Target during their breach. And there were people who just said, ‘let’s unplug, let’s shut it down’ and, leadership wouldn’t.

I know the guy on 9/11, who was the head dispatcher for American Airlines; and when the first plane went into the tower, he said, ‘We’re shutting it down. Every plane that hasn’t taken off is shut down. Every plane that’s in the air that American Airlines has been diverted.’ He got an award from the president for doing that gutsy move. There was a lot of talk that there might well have been other planes that didn’t get to take off that had bad people on them, that might have done bad things. And we’ll probably never know the real outcome of that.

Sometimes it’s okay to pull the plug, until you figure out what’s going on and then plug it back in. So, we must enable people to not just worry about availability, but confidentiality is just as important in the modern world.

Conclusion

The advancement of networking in cyberspace since the late 1990s saw the exuberance of disparate industries jumping to the opportunity to examine how they could benefit and take advantage of its enormous business-to-business potential. As a result, we saw organisations rush to conduct business online without fully thinking through the consequences of doing so.

The current situation signals leaders to re-evaluate security parameters for critical infrastructure systems and clearly designate which systems should or should not operate online. Some in the information technology industry may feel that the ‘genie is out of the bottle’ and it is too late to take critical systems offline. Others may assert that it is a matter of National Security and must be seriously considered. Perhaps, there are solutions that balance both perspectives. For example, security parameters could be adjusted to the level of infrastructure impact. Supervisory control and data acquisition (SCADA) designed infrastructure and similar systems could operate as standalone systems offline. Prior to online, networked, distributed computing there were no opportunities for our foreign adversaries to attack our infrastructure from remote locations. They were offline. Perhaps, it’s time to go ‘back to the future.’

Implementing Zero Trust security helps organisations safeguard the confidentiality, integrity, and availability of the data that is processed, stored, and transmitted over their technological systems.

Zero Trust is not just a system solution; it embodies a cultural philosophy which thrives when everyone in the organisation ‘owns’ cybersecurity. Zero Trust is most successful when implemented top-down and embraced at each level of the organisation. Invest in professional and career development of cybersecurity subject matter experts to become strong cybersecurity leaders.

Dr Charlotte Farmer, director, operations and integration, MITRE, combines strategy with technology to solve problems for a safer world. Serving as an award-winning leader within tech companies as well as a board member for multiple non-governmental boards for the past three decades, she drives transformational processes that create both growth and cost-saving opportunities.

References

  1. Isabella Jibilian, ‘Here’s a simple explanation of how the massive SolarWinds hack happened and why it’s such a big deal’, Business Insider, www.businessinsider.com. au/solarwinds-hack-explained-government-agencies-cyber-security-2020-12 (25 December 2020)
  2. Charlie Osborne, ‘Colonial Pipeline attack: Everything you need to know’, ZDNet https:// www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to- know/ (13 May 2021)
  3. Sara Morrison, ‘Ransomware attack hits another massive, crucial industry: Meat’, Vox https://www.vox.com/recode/2021/6/1/22463179/jbs-foods-ransomware-attack- meat-hackers (10 June 2021)
  4. Joseph Biden, ‘Executive Order 14028: Improving the Nation’s Cybersecurity,’ E.O. 14028 of May 12, 2021, https://www.federalregister.gov/d/2021-10460 (12 May 2021)
  5. Okta, The State of Zero Trust Security in Global Organizations: Identity and access management maturity in 2020 report https://www.okta.com/sites/default/files/pdf/ zero-trust-security-in-global-org.pdf.
  6. Forrester Research, ‘Zero Trust adoption gains traction in Asia Pacific, not a minute too soon’, ZDNet, https://www.zdnet.com/article/zero-trust-adoption-gains-traction-in- asia-pacific-not-a-minute-too-soon/ (28 October 2020)
    Helen Patton, ‘Securing Government Agencies: Essential Eight and Other Efforts’, Duo, https://duo.com/blog/securing-government-agencies-essential-eight-and-other- efforts (6 July 2021)
  7. Peter R, ‘Zero trust principles 1.0 launched’, National Cyber Security Centre, UK https:// www.ncsc.gov.uk/blog-post/zero-trust-1-0 (23 July 2021)
    Paul McKay, Chase Cunningham and Enza Iannopollo, ‘How to find the right zero trust strategy’, ComputerWeekly, https://www.computerweekly.com/feature/How-to-find- the-right-zero-trust-strategy (2 March 2020), excerpt from Forrester Research report ‘How to implement zero-trust security in Europe’.
  8. Rudyard Kipling, ‘I Keep Six Honest Serving Men’, Animal Stories (Stratus, 2008), 134.
  9. Nassim Nicholas Taleb, Antifragile: Things that Gain from Disorder, (Penguin, 2012).