NIST to test federal ‘zero trust’ security architectures
The National Cybersecurity Center of Excellence plans to recreate some of the security architectures used by federal agencies and financial institutions and test if they make good zero-trust use cases.
NCCoE — part of the National Institute of Standards and Technology, which released its definition of zero trust for public comment in late September — is “about to walk on that journey of zero trust and begin to build out some different security architectures that model some of the work in government and perhaps financial institutions to be able to think about where you can use some of the nobs and levers over time,” Donna Dodson, chief cybersecurity adviser at NIST, said Thursday in reference to the strong cybersecurity tools already available in government.
Zero trust refers to the narrowing of cyberdefenses from wide network perimeters to micro-perimeters around individual or small groups of resources, according to NIST.
Many agencies already have elements of zero-trust architectures in place. For instance, some have “great authentication capabilities,” but they may not use them enough or in the right situations, Dodson said at the Ignite ‘19 Cybersecurity Conference on Thursday.
While many employees want to plug in their personal identity verification card on Monday, when they log on to their agency’s network, and take it with them when they log out on Friday, that’s not always appropriate, she added.
“We need to be able to take what we have in place today and perhaps augment it a bit so that we can dial the nobs for individuals or for different roles within the organization,” Dodson said.
The Cybersecurity and Infrastructure Security Agency is doing just that through its Continuous Diagnostics and Mitigation program, which pushes new policies out to agencies, said Jeanette Manfra, assistant director for cybersecurity at CISA.
Agencies can improve their zero-trust security posture by limiting network access by group as much as possible — only allowing senior leaders access to the most sensitive datasets, Manfra said.
“What we consistently see is adversaries targeting one individual and then — because that individual had access they shouldn’t have or was connected to something that they had no reason for their job to be connected to — they’re now able to lateral throughout and gain higher-level access,” she said.
Meanwhile, the State Department is eyeing an architecture that will allow it to perform deep packet inspection similar to the Chicago Board of Trade, said CIO Stuart McGuigan. For years the board has had the capability to open packets and interrogate the metadata to see what’s being bought at what price and quantity, before flagging anomalies or else adding it to the data.
McGuigan wants his agency’s first use case to be a messaging layer, rather than a heavily trafficked one that runs a lot of apps.
“Something that has a more restricted domain of users and so, therefore, is useful but very narrow in terms of the use case and packets that are flying around the network,” he said. “You can push it to really having order of magnitude better authentication and packet-level monitoring.”