Operating for zero trust

Zero trust insights

• The DARIOM Life Cycle is presented as a method to systematically implement zero trust architecture, through steps like discovery, assessment, redesign, implementation, operation and monitoring.
• Achieving a mature zero trust security posture is described as a process tailored to the unique needs of each organization, factoring in their specific resources, systems and risk tolerance.
• The article underscores the significance of continuous improvement, through operational discipline, phased implementation and regular monitoring, to sustain a secure zero trust environment.

It is best mapped out and customized by each organization based on their resources, existing systems and technologies, tolerance for risk, risk profile, compliance and regulatory mandates and business objectives to name a few. There is no one-size-fits-all approach or solution set. Adopting a zero trust mentality involves many decisions across multiple pillars and organizational variables — all informing the details, milestones and timing of an organization’s architecture and instrumentation decisions. The right plan, implemented strategically, should move an organization along a path to maturity that protects high value assets and shores up the most critical vulnerabilities first, leaving lower-priority objectives for later phases.

The zero trust journey begins – DARIOM life cycle

Most organizations already have embraced some zero trust compatible cybersecurity technologies and best-practices, and/or have existing zero trust capabilities in their enterprise infrastructure. In order to best leverage these investments and tie together multiple technologies, old and new into an integrated zero trust architecture — a structured approach is required. Moving from where you are today to where you eventually want to be may seem like a daunting task — but like any other journey — it’s accomplished one step at a time. Best results will be achieved using a process like the DARIOM approach presented below.

DARIOM is an architectural life cycle that guides the entirety of an architecture and engineering effort. The acronym stands for discover, assess, (re) design, implement, operate and monitor — represented in a closed-loop engineering cycle.

Discover

A discovery effort for a zero trust adoption effort allows cybersecurity teams to explore the as-is state of a technology system and its cybersecurity posture throughout. The better the definition of the as-is, the easier it is to map out a meaningful and feasible plan to achieve the to-be. For this reason, discovery is one of the most important steps in a zero trust cybersecurity modernization effort.

• Define the system’s threat model based on contextual threat intelligence. To provide initial context for discovery efforts, it is important to obtain clarity around the organization’s threat model. Information about the model will help guide other discovery activities and inform zero trust implementation plans. The model depends heavily on context such as the vertical/sector and geolocation of operations, as well as geopolitical information relevant to the organization. Since no organization can defend against everything, building a proper threat model is one of the KEY steps that should be done first to guide the assess/implementation phases.
• Identify the organization’s high value assets (HVA). HVA in an enterprise system can include hardware or software assets responsible for proprietary business data, sensitive financial data, critical business functions, personally identifiable information (PII) and even controlled or classified data in government systems. Identifying these assets means they can be easily prioritized for the first phase(s) of ZTA implementations.
• Map assets to data and data flows. Understanding where an organization keeps its data, as well as the types of data being stored and transmitted is foundational to establishing a meaningful zero trust plan. By mapping assets to data and data flows, the organization is able to determine who requires access to the data, what the data is used for, how it should be transmitted and under what circumstances access should be granted. Data flow diagrams are a common approach and can be generated using a number of readily-available tools like those that consume network flow data and other threat modeling related tools projects like Adam Shostack’s DFD3 .
• Define data sensitivity levels. For government systems, data must be categorized using FIPS 199 Standards for Security Categorization of Federal Information Systems. The sensitivity level of data being stored or transmitted through a system must be known when determining access/handling, storage, transmission, encryption and data loss prevention (DLP) requirements.
• ID privileged accounts and rules around those accounts. The government has strict requirements associated with privileged account management, including those found in NIST SP 800-53 Access Control family, FISMA and FedRAMP baselines. Establishing a clear picture of the current state of privileged access will include documenting the existing privileged access roles, people assigned to those roles and rules associated with the roles. Rules may include but are not limited to login and MFA requirements, unusual or failed login system response, system lockout parameters, session length limits, limits on number of admin accounts and limits on concurrent privileged sessions.
• Build end-to-end visibility to assets and traffic. Adding to the need for mapping assets to data and data flows, a robust network mapping effort extending to ALL assets and traffic will yield critical information about the as-is state of an organization’s network. This includes insights around the degree to which the network may already be leveraging constructs such as defensible subnets and/or organizational units (OUs) — as well as information about what types of traffic are traversing the network’s internal (north-south/east-west) and external boundaries across on-prem and cloud.
• Define other business and regulatory requirements. Part of discovery involves identifying any applicable regulatory requirements like GDPR, for example. It also includes defining the organization’s unique business risk appetite (as supported by the Define data sensitivity levels bullet above), since some industries manage data that is far more sensitive than others. Business discovery also includes understanding what skills are available in-house and determining what training may be needed based on identified gaps.

Assess

Once an organization has a clear picture of the as-is state of their enterprise system, an assessment should follow — complete with a gap analysis identifying areas of opportunity that will move the system from the as-is state to a more mature and desirable to-be state.

• Determine current state of compliance. Using trusted baselines and standards that are appropriate for an organization (e.g., NIST 800-53, FISMA, FedRAMP, CIS benchmarks, DOD STIGs,) analyze the as-is system and identify any clear gaps in compliance. While compliance alone may not ensure perfect outcomes nor mitigate all risks, adhering to the appropriate standards is an excellent first step toward maturing a system’s cybersecurity posture to an acceptable baseline.
• Determine current state of network architecture and segmentation. Organizations starting out on their zero trust journey will have network architectures with varying degrees of network segmentation. Segmentation and segregation of networks and functions is helpful for implementing granular policies and limiting access to highly specific and function-centric subnets. For those supporting FedRAMP systems, guidance can be found in a recent white paper published on the subject. Some other things to consider include the system’s ability to limit unnecessary lateral communications, the hardening of network devices and any network-centric security constructs that could limit infrastructure device access.
• Clearly define roles and account privileges associated with those roles. NIST 800-53 Access Control family provides excellent guidance around clearly defining account roles and the privileges associated with each. Because zero trust requires granular control over system access and sessions, a system must have an appropriate set of established roles with privileges that don’t exceed the needs of the role. Not only is this a best practice, it will be heavily scrutinized during any type of internal or third-party assessment of the system’s security compliance — a common requirement of many systems supporting government or highly-regulated industry customers.
• Review existing policies for least privilege. Closely related to roles and account privileges, policies throughout an enterprise system need to enforce least privilege wherever possible. There are many privileged access management (PAM) tools that limit where a user is allowed to navigate and what they are allowed to do on a network after requiring MFA appropriate for their role-based privileges. A zero trust implementation plan needs to take existing least-privilege policies into account as a starting point and identify opportunities where and how additional least-privilege policies should be implemented.
• Identify any clear risks or areas that need better understanding, visibility, definition or ability to manage. During an initial assessment, the first goal is to identify the high priority enterprise assets and constructs that have known or readily available solutions. Those can be prioritized with remediation implementation started as soon as the implementation phase begins.
• Assess visibility and detection gaps. Visibly and detection capabilities are KEY to achieve zero trust security outcomes. Organizations that have immature security operations should assess these areas based on the previous threat model (done in discovery) through practical exercises, including MITRE ATT&CK based purple teaming exercises.

(Re) Design

Once decisions have been made based on business needs, the state of the as-is system and gaps identified for remediation, those solutions must be designed or re-designed for implementation. The National Cybersecurity Center of Excellence (NCCoE) team at NIST recently published an updated zero as part of their special publication on Implementing a zero trust Architecture (NIST SP 1800-35B). Federal employees and contractors supporting the secure operation of government IT systems or systems leveraged by government agencies should reference this publication for guidance when designing or re-designing their system architecture for zero trust.

As a part of design efforts, teams will also need to consider better leveraging existing technologies as well as introducing new technologies where necessary, designing a “new and improved” enterprise architecture and cybersecurity approach that is more conducive to zero trust capabilities. Understanding how to leverage an organization’s current infrastructure and incorporating those existing technologies into the zero trust design are the first steps toward building and maintaining a truly defensible security architecture.

Implement

With designs/re-designs in place, the team is ready for implementation. Remember that the path to zero trust is a journey — and one that never fully reaches a final destination. As with all things cybersecurity, it requires continuous improvement in perpetuity. Implementation plans, therefore, may be best structured using a phased approach to iteratively implement core zero trust capabilities (see CISA’s zero for guidance) with a look forward to ongoing iterative improvements. CISA has defined four general levels of zero trust maturity — each level taking elements of previously discussed zero trust pillars and crosscutting capabilities into account. Phased implementation of zero trust capabilities will guide organizations to mature along this model toward “optimal” maturity in their zero trust posture.

The initial implementation phase(s) will vary from organization to organization but should consider the following foundational tasks.

• Establish clear roles and responsibilities. Clearly defining hierarchical enterprise system user roles and responsibilities is a must and allows organizations to ensure they have adequate separation of duties to provide accountability and oversight of system activities. If this doesn’t already exist, it should be considered an important early task that will inform the implementation of least-privilege configurations and access control policies.
• Secure high-value assets first. Ensure access to high-value assets is governed by fine-grained policies based on user and device attributes. Asset value may be associated with its importance to business/system operations or its content/potential payload for attackers.
• Embrace network segmentation. Ensure there is macro-segmentation in place with the network segmented using deny all/permit by exception. Continue with micro-segmentation for high-value assets. Over time, the segmentation of the system can evolve until it is granular enough to allow all of the access policies required to securely support the organization’s end-to-end business missions.
• Manage devices. Ensure devices are managed using unified management tools following least privileged principles. These tools offer a single management interface for mobile, PC and other devices and may replace mobile and enterprise device management technologies organizations may be more familiar with.
• Embrace multifactor authentication and passwordless access. Ensure phishing resistant MFA technologies are in use, continuing with identity federation across on-prem and cloud providers. MFA is one of the most effective technologies to combat phishing, identity theft/stolen passwords and weak passwords. Consider adopting new passwordless authentication methods like FIDO2 security keys to move away from dependency on passwords.
• Commit to protecting data. Begin data classification and tagging efforts, implementing data loss prevention and digital rights management solutions across on-prem and cloud workloads. All data should be encrypted at rest and in transit wherever possible. Any personal information stored in a system, especially government systems, deserves special priority consideration. The Privacy Act of 1974 requires protection for personally identifiable information (PII) while the privacy provisions of the E-Government Act of 2002 requires a privacy impact assessment (PIA) for system changes impacting the collection or use of PII.
• Embrace encryption. All network traffic should be encrypted and authenticated where possible. When considering technologies and cloud services, there are many that come with the ability to operate in FIPS (Federal Information Processing Standards) mode, which means it forces traffic to be obfuscated through cryptographic algorithms and protocols that meet U.S. federal standards for security compliance. Leveraging FIPS-validated libraries in a system can be a relatively easy way to upgrade network traffic protections. Balance encryption with visibility requirements according to a threat model.
• Automate, automate, automate. Today’s enterprise systems should be architected for visibility, detection and response through the enterprise using analytics, automation and orchestration platforms. There are many tools with built-in automation and orchestration capabilities, as well as tools specifically built for automation and orchestration in concert with other cybersecurity tools. As the volume of data and threats increase, automation and orchestration becomes a critical component to shorten detection and response times in a ZT architecture.

Operating a zero trust system

Once plans are in the process of being implemented, organizations will begin to benefit from each implemented zero Trust architectural component and technology in an iterative, gradual manner. As each zero trust element becomes operational, the technical components of the solutions meet the operational and management components of the solutions.

Incorporating operational components that support the zero trust mentality into a cybersecurity program is every bit as important as the aforementioned technology components. All of the cybersecurity technology and automation in the world cannot protect against an organization whose operations lack the maturity and commitment to operating and maintaining their zero trust system.

• Closely manage changes to the system. One of the biggest operational hurdles in maintaining a system and the zero trust technologies, assets, configurations and policies throughout is creating accountability and transparency for all configuration items (CI) and their settings. Requiring the review and approval of system changes using an operational construct such as a Change Control Board can help organizations rapidly mature their cybersecurity operations and protect their zero trust investments from being intentionally or unintentionally dismantled or subverted.
• Embrace security and awareness training. Borrowing the words of renowned cryptography and computer security expert Bruce Schneier, “Amateurs hack systems, professionals hack people.” The less cybersecurity savvy an organization’s employees are, the more prone they are to phishing and other social engineering tactics. Humans continue to present a significant opportunity for hackers and a significant risk to the systems they have access to, directly or indirectly. One of the best ways to reduce the risk of human failure in the cybersecurity battle is by ensuring a well-educated workforce through robust security and awareness training programs, combined with the move to passwordless phishing resistant authentication methods.
• Practice cyber hygiene maintenance. While it may seem less than exciting, practicing good cyber hygiene as a part of operating a system is a foundational activity and one that if ignored, will leave a system susceptible to known exploits and vulnerabilities. The world of cybersecurity moves quickly, with a need for continuous updating of systems to keep them current and keep adversaries at bay. With many best practices already mentioned, some examples of sound cyber hygiene practices include the following:
  • Keep software, web browsers and plug-ins up-to-date and leverage automatic updates for operating systems where possible.
  • Apply security patches in alignment with vendor patch release schedules and as-needed based on discovered exploits.
  • Use encryption wherever possible (such as enabling FIPS mode where available in leveraged technologies) for transmitting and storing data.
  • Configure user machines to prevent unauthorized downloading and installation of unapproved software.
  • Implement phishing-resistant multifactor authentication and/or passwordless authentication.
  • Back up system data on a consistent and frequent schedule to enable recovery. This includes keeping offline backups to recover against ransomware attacks, as skilled attackers know to target and delete onsite backups prior to the detonation of the ransomware.
  • Keep antivirus/anti-malware protection solutions up-to-date and configured to maximize any automated response capabilities.
• Establish an incident response and contingency plans. One of the main positions held by zero trust ideologies is to assume the adversary is already in a system. Limiting sessions and access to the narrowest assets and actions necessary to perform a certain task will naturally limit the damage that can be done by a malicious actor by limiting their ability to maneuver. However, incidents will still happen — and when they do, organizations must be prepared with an incident response plan. The plan can involve anything from automated system responses such as notifications, device quarantines and disruption of network traffic to the human actions that must be taken throughout the duration of an incident. One key consideration is for teams to establish out-of-band communications in the case of an incident based on the zero trust premise that the ‘adversary is on the network,’ and the network is therefore hostile and can’t be trusted. NIST 800-61 Computer Security Incident Handling Guide is an excellent resource for organizations needing to establish incident response plans for government or commercial entities alike.

Monitoring (and remediating) a zero trust system

Once operational, an IT system must be continuously monitored and remediated for the entirety of its operational lifespan. The continuous identification and remediation of findings required for the secure operation of a system is an absolute necessity as new threats and technologies enter the cyber realm on a daily if not hourly basis. Adversaries are constantly poking holes in technologies and finding new and creative paths to gain unauthorized access. Tools such as SIEMs (security incident and event managers), SOARs (security orchestration and automation) and EDRs/XDRs (endpoint/extended detection and response) can greatly support the efforts of monitoring and response teams by analyzing and correlating data from multiple enterprise technologies — and providing automated responses and remediations for a number of found issues.

In addition to automated monitoring and response tools, ongoing vulnerability scanning and penetration testing combined with focused red/purple teaming exercises and threat hunting activities are all part of a proactive approach to maintaining a strong cybersecurity posture. Ensure these are performed in combination with agile remediation practices and lessons learned. As organizations increase their zero trust implementations, continuous monitoring teams must be able to quickly identify new vulnerabilities, configuration changes, baseline deviations or suspicious activities associated with those zero trust constructs. Only through the identification of issues can appropriate remediations be performed.

Summary: Never trust, always verify

Operating a zero trust network, or a network configured with varying degrees of zero trust implementations, is truly where the investment of adopting, architecting and implementing zero trust systems becomes real and delivers a meaningful return. Tools and technologies must be selected, implemented and operated with competence and well-architected intention to support the zero trust “never trust, always verify” cybersecurity worldview. By recognizing that yesterday’s perimeter-based security falls short in addressing today’s threat landscape, acknowledging that no users should be blanketly trusted and embracing a continuous validation and remediation approach to everyone and everything happening within our networks — our cybersecurity professionals will be better able to protect those networks, manage just-enough access and secure the high value assets of the organizations we serve. zero trust is a model worth embracing — with cyber resilience being the result.

Original content can be found at SANS Institute.

Do you have experience and expertise with the topics mentioned in this article? You should consider contributing content to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.