The demise of the perimeter — and the rise of Zero Trust
The ongoing global pandemic has forced federal agencies to find ways to make telework a reality for the vast majority of their employees. As a result, in a distributed-computing world where many employees work from home using personal devices, security measures that only protect “the perimeter” do not provide enough protection to secure an enterprise. While perimeter defenses, such as firewalls, will continue to exist at federal agencies, they will no longer be considered a first line of defense. Their role will be to stop low-sophistication and automated attacks made against headquarters assets, and they should perform that function well. They just won’t be responsible for protecting the so-called network perimeter, which now exists well past the physical boundaries of any agency building or office.
“The perimeter is rapidly evolving, that’s the best way to describe it,” said Steven Hernandez, Chief Information Security Officer, U.S. Department of Education, during a Government Matters webinar on the rise of Zero Trust network security. “Where before we were very much the castle moat, and then hopefully not a soft interior...that model’s been turned inside out.”
Hernandez suggested that different groups of employees in a variety of positions, with various levels of responsibilities and technologies, need what he termed “equitable security.” In his model, security takes more holistic approach to defenses rather than relying on specific products such as firewalls to protect the perimeter.
“What that means is really getting down to, are we talking about technology, or are we talking about outcomes?” he asked. “Oftentimes, we get caught up in this idea that we need a certain technology to provide a certain solution, when actually, in reality we need an outcome.”
Hernandez said the rapid changes imposed in response to recent cyberattacks and the rise of remote work has led cybersecurity professionals to focus on the two most important outcomes – protecting users and agency data. He suggested that all future discussions about cybersecurity and protection should at least initially focus on keeping data and users safe, and then determine without preconceived notions what technologies can help to achieve those goals.
“Once we get our arms around that, then we can start asking the right questions about technology, instead of the other way around,” he said.
One major component of the new security landscape is the focus on using Zero Trust architecture to ensure users’ protection, Hernandez said. The original concept was still network-based, but that thinking has changed.
“We started unpacking that concept and saying that if we just keep Zero Trust at the network layer, we’re still going to have a perimeter problem, because the network is inherently defined by perimeters. So we need to be broader in how we think about Zero Trust,” he said.
Hernandez said the National Institute of Standards and Technology’s special publication on Zero Trust Architecture is a good starting point.
“How do we work through all layers of the model, and apply it all the way down to make sure that we’re incorporating elements of Zero Trust throughout the entire process?” he asked. “I think that’s why you’re hearing so many discussions around architecture, because in many organizations, perhaps in a legacy TIC-type of architecture from a network and a services perspective, to go to a Zero Trust Architecture is a huge transition.”
Hernandez said federal agencies need to look at system architecture in completely new ways. “For example, instead of a stationary house I want a big RV, so I can move my home wherever. Before we had guards at each entrance and exit. We have an open foyer now, but we’re using other programs to identify people as they come in and out. They have wireless technology with their badges; we know who all the employees are, and we know who are not.”
The idea of dissolving the boundaries and treating every network and node as hostile is a radical departure from existing practices, he said. And such radical change introduces the “FUD” factor – fear, uncertainty, and doubt. But agencies will need to overcome that fear because Zero Trust is really the future of cybersecurity, Hernandez added. Zero Trust is the best approach to protect an organization which has both employees and data scattered among locations far outside an agency’s physical properties.
Overcoming that initial fear of the unknown with Zero Trust, which is often a complex undertaking, will be a key to keeping agencies, their users, and their data safe today and in the future.
“Well, how do you fight fear, uncertainty, and doubt?” Hernandez asked. “The answer is having a really solid architecture. If we can build the architectures that can get visibility into our data, and visibility into risk, which is what Zero Trust promises us, we can actually eliminate a lot of the uncertainty in the equation.”
