In our previous blog post, we discussed the mandate federal agencies face to adopt zero-trust architecture (ZTA) as part of a modernized cybersecurity strategy. In May 2021, the Biden administration’s Executive Order on Improving the Nation’s Cybersecurity[1] called for agencies to make bold changes to protect against “persistent and increasingly sophisticated malicious cyber campaigns.” In January 2022, the Office of Management and Budget (OMB) followed up the EO with a memorandum that requires specific zero-trust objectives to be met by the end of Fiscal Year 2024.[2]
The OMB memorandum argues that traditional cybersecurity perimeters are ineffective in the current threat environment. We know adversaries have already compromised agency networks; therefore, federal IT leaders need to shift away from the concept of “trusted networks” altogether. Instead, they must assume every user, device, workload, application and data flow—whether outside the network or within—is a threat until proven otherwise. This requires recurring authentication and constant monitoring.
Recently, we met with Gerald Caron, CIO, Office of Inspector General, Department of Health and Human Services (HHS), to get a government executive’s perspective on what the shift to ZTA looks like in practice. Like any other federal department, HHS has unique mission objectives, and must collaborate and connect with a diverse ecosystem of partners and service providers—both public and private—to meet those objectives. In this blog, we’ll convey the top takeaways from a discussion with Gerald on how government stakeholders are viewing ZTA implementation.
Zero trust requires both the right approach and the right technology
According to Gerald, the challenge many federal agencies face is knowing how to get started.
“I think a lot of people get mired in the technology, and don’t think as much about the strategic aspect of things,” said Gerald. “Before you start deploying all these new tools, it’s important to think about what you want them to do and how you see them contributing to your overall zero-trust strategy.”
Gerald also emphasized the importance of beginning with a “big picture” strategy, and then working down to the specific tools and technologies that enable that strategy. A starting point for this strategy might include the Zero Trust Reference and Maturity Models released by the Department of Defense (DoD), National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) for their federal stakeholders, which all have these five foundational pillars in common:
- Users/identities
- Devices
- Applications/workloads
- Networks
- Data
Instead of trying to address these pillars in isolation, agencies must work through them as equal parts of a comprehensive zero-trust architecture. This means considering how to integrate the pillars into a zero-trust strategy before spending time worrying about what technology or tools are needed to do that.
Spotlighting DoD best practices for developing an effective zero-trust strategy
For an example of a holistic zero-trust strategy, we don’t need to look further than the highly anticipated one published by the DoD in November 2022.[3]
In this strategy document, the DoD outlined four high-level goals for a department-wide zero-trust cybersecurity framework:
- Zero-trust cultural adoption: The DoD must develop a framework and mindset that guides the design, development, integration and deployment of IT assets in a zero-trust architecture.
- Information systems secured and defended: DoD cybersecurity practices must incorporate zero-trust principles to achieve resilience in information systems.
- Technology acceleration: The DoD must deploy zero-trust technologies quickly to remain ahead of the changing threat environment.
- Zero-trust enablement: The DoD must integrate its zero-trust framework alongside existing processes in a seamless, coordinated manner.
Furthermore, the DoD outlined 152 specific activities it needs to implement in order to reach “targeted” and “advanced” zero trust. These activities map across the different zero-trust pillars and stretch from basic capabilities—like creating user and application inventories—to advanced capabilities that incorporate AI and automation.
Although the strategy is aligned to the unique mission requirements of the DoD, Gerald pointed out that all federal agencies may find the activities listed helpful to include in their own zero-trust strategies. That being said, he also stated that some agencies fall into the trap of making their zero-trust strategy more complicated than it needs to be. At the end of the day, zero trust can be defined using a few simple principles that haven’t changed all that much since Forrester Research[4] proposed the concept in 2009:
- All entities are untrusted by default.
- Least-privilege access is enforced.
- Comprehensive security monitoring is implemented.
If your strategy meets these basic requirements, then you’re on the right path. A detailed strategy with a long list of forward-looking capabilities may be appropriate for some agencies, but it’s not required to capture the “low-hanging fruit” of basic zero-trust principles.
Extending zero trust beyond the fault line
The growing importance of digital ecosystems can make zero trust more difficult for federal agencies. It’s one thing for an agency to apply zero-trust principles within its own IT infrastructure, but now it needs to extend those capabilities “beyond the fault line,” to anywhere it interconnects with ecosystem partners. This includes locations both within the U.S. and overseas. A global reach is essential to enable inter-agency collaboration, which Gerald named as one of the most overlooked zero-trust use cases.
Agencies that fail to implement zero trust in a careful, strategic manner could end up putting up more silos than they’re breaking down when it comes to inter-agency collaboration. There must be universally accepted data-use agreements in place to support collaborative functions like those used in healthcare, law enforcement, national defense, and other areas of government. This requires a delicate balance between openness and vigilance.
In addition, federal agencies are increasingly recognizing the need to leverage a hybrid multicloud architecture that’s more complex than previous iterations. The federal shift to multicloud was exemplified on December 7, 2022, with the announcement of the DoD’s long-awaited Joint Warfighting Cloud Capability (JWCC) contracts with AWS, Google, Microsoft and Oracle.[5] DoD stakeholders have stated that as part of the JWCC initiative, they were looking for partners capable of offering secure cloud services to accelerate zero-trust adoption.[6] Doubling down on this, the National Defense Authorization Act (NDAA) for FY 2023 includes a requirement to test and evaluate the cybersecurity capabilities of commercial cloud service providers to increase transparency.[7]
Gerald pointed out that leveraging the cloud offers new opportunities for civilian agencies as well, but also adds complexity.
“Understanding what clouds you’ve made an investment in and how you can use their functionality within the context of your zero-trust journey is very important,” said Gerald. “Cloud makes it easier to leverage some of the tools and capabilities you may need, but you also need to think about what mechanisms the cloud providers allow for authentication and how they may factor into your overall cybersecurity policies.”
Learn how Equinix can support your zero-trust architecture worldwide
While it’s true no single vendor provides an “easy button” for rapid zero-trust adoption, standing up the right digital infrastructure in the right places is an important first step. Platform Equinix® offers a global footprint of data centers available wherever the mission may take you, a diverse ecosystem of cloud and digital services providers, and Equinix Fabric® to help you interconnect and share data with those providers in a secure, private manner.
To learn more about how Equinix can help you extend your zero-trust strategy beyond the fault line, contact us today to schedule a Digital Edge Strategy Briefing.
[1] Executive Order 14028, “Improving the Nation’s Cybersecurity”, May 12, 2021.
[2] “Memorandum for the Heads of Executive Departments and Agencies: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, Office of Management and Budget, January 26, 2022.
[3] “DoD Zero Trust Strategy”, U.S. Department of Defense, November 22, 2022.
[4] David Holmes, Jess Burn, “The Definition of Modern Zero Trust”, Forrester, January 24, 2022.
[5] “Department of Defense Announces Joint Warfighting Cloud Capability Procurement”, U.S. Department of Defense, December 7, 2022.
[6] Billy Mitchell, “DOD looking to cloud vendors to accelerate zero trust and CMMC adoption”, DefenseScoop, September 16, 2022.
[7] “Text of the House Amendment to the Senate Amendment to H.R. 7776 (Showing the text of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023)”, U.S. House of Representatives Committee on Rules, December 6, 2022.