Cybersecurity Journey to Zero Trust - Episode 4

January 21, 2022

Zero Trust: What to comply with? Where to get the funding? <and> How to make the user experience (UX) for Cybersecurity better?! 


The pandemic moved zero trust from something that was “nice to have” to something that “we need to implement immediately. Like, yesterday!” The old perimeter-based security model is finally starting to die, and we see the transition almost becoming complete in 2022, driven by high-profile cases such as the Colonial Pipeline REvil ransomware gang attack and the SolarWinds breach of US agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury. Private companies such as Microsoft, Cisco, Intel, and Deloitte were hit as well, along with other organizations like the California Department of State Hospitals and Kent State University. Times such as this, with the escalation in Ukraine and Russia's well-documented propensity to use offensive cyber-attacks as part of either its direct or indirect doctrine, including attacks on national infrastructure, only add to the urgency!

In light of the recent global supply-chain vulnerability, Apache Log4j, awareness has certainly accelerated into hyper-drive. It even prompted a special White House Open-Source Software Security Summit to look into the national and global supply chain, attended by VMware’s Office of the CTO (OCTO), to help industry and government hold an open dialogue on how best to tackle cases like Log4j, which is just the latest poster child for the real issue: how can we ensure source code, build, and distribution integrity in open source software (OSS)?

Undoubtedly, zero trust (ZT) is trendy and yes, lots of vendors have hopped on the bandwagon and relabeled their existing security products as being “zero trust/capable/ready.” So, wading through some marketing-hyped terms will be inevitable, but rest assured that in 2022 you will see it is both real and achievable to begin deploying ZT. The concepts in episode 4 will help provide a takeoff point and better define the true emphasis of the term ‘zero-trust’ as what it truly is: a framework and an intrinsic cybersecurity paradigm and architecture. They also cover how best to comply, how to fund it, and how to make end users' lives better for it!

For full details, and to download a PDF version of this content, see the Zero Trust Regulation and Framework Whitepaper.

U.S. National Background

In 2020, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207, Zero Trust Architecture (ZTA), was released to provide agencies with guidance and detailed recommendations to improve their security posture using the core principles of ZTA. Then in 2021, after several high-profile malicious campaigns and attacks against both civilian and government targets, Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” was issued with requirements for all Federal agencies to develop a plan to implement ZTA in an effort to modernize and strengthen cybersecurity standards and detection.

The EO also demonstrates the progressive refinement of requirements as they emanate from NIST, the Cybersecurity & Infrastructure Security Agency (CISA), the Office of Management & Budget (OMB), and Federal Acquisition Regulation (FAR) changes. Recently, an updated memo was sent with instructions for the Department of Defense (DoD) and the intelligence community (IC) spelling out how the network requirements for civilian federal agencies included in that order, such as instituting zero-trust security principles, should also apply across National Security Systems (NSS). This culminated with the release this week of OMB Memorandum M-22-09, which sets forth a Federal ZTA Strategy requiring agencies to meet specific cybersecurity standards and objectives by the end of FY24.

Compliance & Regulatory


In the U.S., there are several examples of National Standards & Compliance Bodies with ZT foundations which can be applied to any of the Public Sector domains, e.g. Fed/SLED:

  • NIST / NCCoE = SP guidance & collaboration consortium, plus NRA and FARS clause language related to SP 800-207 = compliance
  • Federal Information Security Modernization Act (FISMA) enhancements with NIST’s SP 800-53 Rev. 5, and GSA's FedRAMP authorization framework for cloud authorization of Federal Agency hosted cloud-based services
  • DHS / CISA = Technical Reference Architecture and Model Pillars
  • DISA / DoD = Reference Architecture’s ZT controls and ‘Maturity Levels’
  • Exec / OMB = EO 14028 & principal guidance M-22-05 for ZT requirements, targeted through FY24: EO 14028
  • Additional details within the OMB M-22-05 requirement for Incident Reporting = Major Incidents reported to OMB and CISA
    • However, you don’t have to be a federal or state/local/education agency to comply with the NIST Cybersecurity Framework (CSF) or take action on the EO; industry and the private sector have the same requirements, especially within regulated industries such as Financial, Medical & Insurance, to name a few!

Examples of International Standards & Compliance Bodies with ZT foundations are also prevalent and can often be seen as complementary to the U.S. ones, if not in some cases more restrictive:

  • National Cyber Security Centre (NCSC) for the UK (ZT framework publication) / Canada / New Zealand
  • EU NIS2 Directive / ENISA Certification (5G & Cybersecurity market certs)
  • Germany's DEUmilSAA BSI / Cloud Telkom - C5
  • International Standards Organization (ISO) 27001, 27017/18 & 27701
  • Australian Cyber Security Centre (ACSC) Information Security Manual
  • APACJ – InfoSec Management & Assessment Program (ISMAP)
  • 3GPP - International cellular / mobile standards & framework for 5G implementations
  • Other factors:
    • Data privacy regulations > those dictating how personal data is used and stored are increasing, as the UN Conference on Trade & Development (UNCTAD) tracks a collection of 128 countries with some form of such legislation worldwide; some examples:
      • California Consumer Privacy Act (CCPA)
      • General Data Protection Regulation (GDPR)
      • Protection of the liability of user data
      • Cybersecurity Framework from the HITRUST Alliance & the Cybersecurity CSF for Global Financial Institutions
    • Rising cost of cyber-attacks > devastating to personal, corporate and governmental establishments, with tangible and intangible costs of fighting and recovering from attacks both financially and operationally.

User/Customer/Employee Experience


It’s been said that the pandemic took 10-15 years of progress (in everything, not just IT) and condensed it down into 1-2 years. We absolutely agree. You probably noticed that nothing on our list of predictions for 2022 was “new” per se. Rather, it’s more about things that have been around for a while that we’ll see becoming more mainstream in 2022.

  • Customer product compliance assurances, with an updated emphasis on automation of compliance, exceptions and reporting
  • Enhanced Identity Management (IdM) and other passwordless experiences, e.g. single sign-on (SSO)
  • Simplifying end-user onboarding and access, including user-owned or BYOD devices
  • More secure access via SASE (pervasive, seamless, flexible), with multiple tunnel / secure connectivity options (unlike VPN), e.g. split tunnel / per-app / multi-cloud
  • Better broadband to augment both the remote and cloud experience (speed, resilience, and security for consumer devices, e.g. NIST MUD (Manufacturer Usage Description))
  • Robust device trust and validation through Continuous Policy Enforcement (CPE) and Mobile Threat Defense and Endpoint Protection (MTD/EPP) solutions

Another trend that emerged from the pandemic is that people are finally starting to look at the broad, end-to-end, true end-user “experience.” It’s no longer good enough to just tell users, “Get your own home broadband, here’s the URL for the apps, good luck!”

With so many workers scattered out of the office, and with so many variables, including device specs, what else is running on the devices, home Wi-Fi contention, local ISP & network congestion, VPN saturation, etc., IT departments have realized that they need to get a better picture of what the experience is actually like from the end user’s perspective.

  • Luckily there are plenty of tools to help with this, from SaaS performance management tools to the Digital Employee Experience (DEX) capabilities in Workspace ONE, and we see 2022 as the year that these capabilities go mainstream and IT departments get serious about managing “the last mile.”

Financial Fulfillment for Public Sector


In order to sustain both the CapEx and OpEx of agencies' migration strategies, the costs associated with this evolution will undoubtedly have to be accounted for. With continued budgetary constraints, both from a fiduciary standpoint and from personnel gaps, gaining access to funding has never been more important, and below are a few targeted areas for agencies to work from:

  • Technology Modernization Fund (2017) > a US Federal tech modernization initiative that gives agencies additional ways to deliver services to the American public more quickly, better secure sensitive systems and data, and use taxpayer dollars more efficiently.
  • American Rescue Plan (2021) > $1.9T that was provided through the U.S. Treasury Department and allows state and local governments that received funds under last year’s Act to spend that money more easily on cybersecurity upgrades and broadband construction, bringing relief to officials who said the original law was too restrictive.
  • Infrastructure Investment & Jobs Act (2021) > $1.2T infrastructure spending bill that includes, among many measures, a new cybersecurity grant program and record-setting investments in broadband development.

Lastly, the DHS Continuous Diagnostics & Mitigation (CDM) Program, although not a fully developed ZTA, does provide funding for numerous elements of the pillars of ZTA: Continuous Diagnostics & Mitigation (CDM) Program

Multiple vendors and solutions within the ecosystem will be required...

  • VMware too will not be a ‘single source’ to achieve all elements of a complete ZTA <but> can offer a unique deployment model, along with a collection of assets/services/solutions that could meet these first and ongoing phases, providing a foundation for the future evolution of ZTS!
  • Mapping to the NIST Cybersecurity Framework functions, e.g. Identify, Protect, Detect, Respond & Recover, <and> the zero-trust framework's (7) pillars is a baseline step toward an initial roadmap for planning and execution (e.g. GSA provides such an acquisition mapping against its (8) pillars of ZT: user, device, network, infrastructure, application, data, visibility & analytics, orchestration & automation): GSA: ZTA Acquisition & Adoption

*** We hope this provides some valuable, quick insights into ZT, and don’t forget to check out the full Zero Trust Regulation & Framework Whitepaper! ***

Or if you missed out on the earlier Journey to Zero Trust, feel free to jump back and start from the beginning with Episode 1.

Additional Resources

For further Zero-Trust assets on Tech Zone, see:
