NIST Gets Into the Zero Trust Mix
We barely remember who or what came before this precious moment
We are choosing to be here...right now.
- Tool ("Parabola")
Several years ago, I remember sitting in the office of a security director at a large government agency. We were discussing the Washington Redskins. A topic near and dear to my heart, and the cause of much of my anxiety over the last decade (it’s not easy being a Redskins fan). I was already pretty bummed when one member of his staff rushed in, out of breath, to bring him some really bad news: they had purchased a security scan tool and had discovered that there were Xboxes on their network. How and why were these devices being allowed access to the critical network of this government agency? My friend said he had to go “put out this fire,” so he waved me off.
This, at the time, really got me thinking. I hadn't yet been introduced to a zero-trust security approach, but I intrinsically understood that the way we compute was under a radical transformation. Xboxes were a little extreme, but to me it didn't seem that different from having everyone carry a personal computer in their pocket (a smartphone) anywhere and everywhere they go. These devices could get on the network, and even if they couldn't, they could get on someone's network and do things, such as compute and access data. And no matter how many times you said the word "container" or drew a bubble around some things on a Visio diagram, it never did change the fact that data was gonna flow. Bits were gonna move. And you had about as much of a chance of controlling the weather as you did of controlling the pipe. I mean true control.
This is hard for human beings to grapple with. There are things that are part of our jobs, that we used to be able to control, that we no longer can. It’s a major source of stress and fatigue. Change is happening, and I’ve never seen change thwarted. You may slow it down, but you’re not gonna stop it.
I think we tend to have subconscious tendencies to try to control uncontrollable things because we are losing control of things that we used to be able to control. This is certainly the way it feels to me. I’m not saying zero trust is going to help us regain control over everything, but if you look at it as a design philosophy, one in which we are able to focus control on the things that really matter, then yeah, zero trust could save the world... or at least your security sanity while helping to protect what really matters: the data.
If you think about it, this is almost an inevitability. It started when we moved workloads to the cloud. Then users started using mobile devices to get work done. Now we’re on the cusp of 5G and – say what you want about it – it’s going to fundamentally change the way networks are wired. In my view, these are the three legs of the modernization stool.
So we’re left with this conundrum: how do we offer protection for apps we don’t own, on computers we don’t own, over networks we don’t own, from devices we don’t own, requested by, in some cases, users we don’t own (not that we “own” users but more and more of these might be contractors, partners, customers or citizens)? So at the end of the day we have to ask: what DO we own and what can we protect and what should we care about? It’s all about the data, and the applications as a gateway to this data. It’s a lot less (as in, not at all) about the infrastructure.
NIST Weighs In On Zero Trust
This is why it is so refreshing that the National Institute of Standards and Technology (NIST) has finally put together some guidance (even if it took some time; frankly, it's taken us all a little while to wrap our heads around the "new normal" and concede that there had to be a different approach to data security). NIST has delivered some thoughtful structure around how organizations, enterprises and agencies alike, might achieve zero trust, or at least how to start the journey and how to think about it.
Recently, NIST put out the draft of SP 800-207, Zero Trust Architecture, for public comment. This document really is a great start. They correctly point out that "zero trust" is a design philosophy or a lifestyle, not a product. NIST lays out the important tenets of a zero-trust journey and points out, again right on the money, that certain design considerations that may already be deployed could themselves be a little "zero trusty."
What all of this means is: first, let's start focusing on the things that matter: the users, the devices, and the applications. This is what it's all about. Second, we don't have to reinvent the wheel. There are things in your environment that will have a role to play in the new world order, and they might even get a new paint job and some new flexibility. Case in point: the document calls out updated identity guidance from NIST that has been aligned with new identity policy from OMB. This combination turbocharges the things your agency can do to bring a better user experience to Identity, Credential and Access Management (ICAM) now and in the future. Third, this is a journey. It's not a product, it's not a bumper-sticker slogan; it really is a lifestyle choice. It's a new way of thinking about which things you and I, as security practitioners, are going to need to focus on protecting. It's totally aligned with industry thinking on a zero-trust journey.
Is it perfect? No. Does it need to be? Hardly. It’s a good starting point. It’s a good catalyst to get the creative juices flowing and force us to have these discussions while allowing us to start building out some reference examples that can be iterated on and fleshed out. Every journey begins with a first step. This is a good one.
It’s also worth pointing out the alignment with the new TIC 3.0 draft, Continuous Diagnostics and Mitigation (CDM), and a host of other constructs that we have to adhere to in the public sector. And after the National Cybersecurity Center of Excellence (NCCoE) held its zero-trust workshop last month, I was encouraged that folks from the Office of Management and Budget (OMB) showed up to offer support for this new model and to let people know that they are paying attention. They want agencies to feel like they can move forward and that the policy will come to them, not the other way around (which is the world we’ve mostly been living in until now).
I would be remiss if I didn’t point you to Duo’s Product Marketing Manager Thu Pham’s pragmatic synopsis on the draft and what it means to the greater security community. When Thu speaks, I tend to listen, and you should too. Her assessment is very thorough and thoughtful (I expect nothing less).
Game on friends.
Learn more about how zero-trust security can help federal agencies with their IT modernization initiatives in our ebook Achieving Zero-Trust Security in Federal Agencies.