Implementing A Zero Trust Mindset

By Gerald Caron, Chief Information Officer, U.S. Department of Health and Human Services (HHS)

Times are changing and we no longer rely on the “traditional way” of doing things, especially in technology. When was the last time you saved important numbers in a phone book or stored documents in physical folders? We can bet that it has all transitioned over to your mobile phone or another type of cloud storage. We now rely heavily on the cloud to keep our data secured. However, this time around, the traditional desktop is no longer the only powerhouse of the network. Phones, tablets, thin/zero clients and laptops are the new kids on the block, augmented by desktops. They are keeping data accessible while creating new pathways that make it vulnerable.

In yesteryear, a secured perimeter was the chosen method. I like to refer to it as the ‘Tootsie Pop’ security method; it is hard on the outside but gooey in the middle. We basically trusted everyone that was within the perimeter, or at least that is how our legacy networks were built; this can also be referred to as the ‘Castle and Moat’ approach. Network protection has always been important, but as time has changed, so has our protection method. Having access to all information within the perimeter has become just as detrimental as all threats outside. Some of the largest security exploits have been within the boundaries of organizations’ networks. This is why ‘Zero Trust’ has come to the forefront as many now shift their focus to cybersecurity.

One example to compare the traditional security model and Zero Trust is to think of a multiplex movie theater. The theater shows different movies (think of these as data) in different formats: regular, IMAX, etc. In the traditional model, you visit a theater and buy a ticket so that you may enter the lobby. You now have full access to the theater, such as restrooms and concessions. You can basically walk into any of the theaters. Why? There are no ushers to enforce who can go in or out at each theater entry. Therefore, one could watch multiple movies while only paying one fee. Once in the theater, there is still no checkpoint as to what movie guests are attending, nor if they are in the right spot for that movie. Again, think of the movie itself as the data. Once in the front door, guests are authenticated to get into the theater because they bought a ticket, allowing access to multiple data sources (movies) without any additional review.

Now, in a Zero Trust environment, you still buy a movie ticket and scan it at the door. As a result, you still have access to the general areas. However, when you go to various theater rooms, someone will recheck your ticket to ensure you are allowed into that specific room. But that is not where it stops; once guests are granted access, an usher comes and verifies that everyone is allowed in by doing a thorough review: are the lights at the proper level, are the exit signs lit, is the projector working, is everyone in the correct seats and so on. All these factors together now calculate a confidence or risk level. If these factors are all at an adequate level, everyone can continue watching the movie without issue. If there are risks, the theater will prompt an action (trigger a policy) to ensure guests are safe and movies are not compromised in the process.

There are many checks, balances and risk factors to consider in an environment where Zero Trust is implemented. Now, think of the above scenarios, traditional vs. Zero Trust, and picture the theater as your network’s environment with a malicious actor inside it. In the traditional scenario, a malicious actor would have a much easier time gaining persistence and moving throughout the network (or in this case, the theater) while gaining access to multiple data sources than in the Zero Trust scenario.

Reducing risks with Zero Trust

Having access to a network with wireless options provides new functionality that was not available prior to the Covid-19 pandemic. Unfortunately, this new functionality comes at a cost.

Zero Trust is the strategy every organization should implement. With its ability to impact and adapt to changes in technology, Zero Trust considers how users interact with their data and secures that data so that the right data goes to the right people at the right time. It protects what matters most: the identities and the data. When we talk about identities, we don’t just think of them as humans; an identity can also be another system or an IoT (Internet of Things) device.

When thinking of Zero Trust, I always refer to these principles:

  • Trust No One
    1. Know your people and your devices
      • Validate identity at every step
    2. Design systems assuming they are all compromised
      • Distrust everything, so when a breach happens, you are as protected as you can be
    3. Use Dynamic Access Controls
      • Access to services must be authenticated, authorized, encrypted at all times, and can be revoked during a session
    4. Constantly evaluate risk
      • Include context in risk decision
      • Monitor and log in every location possible
      • Aggregate log, system and user data
  • Right size protections
    1. Invest in defenses based on the classification of data
      • Spend more money defending the systems at greater risk

The Zero Trust model identifies all communications as untrustworthy and recognizes that the system can be breached at any time. Its foundation is built on enforcing the need for:

  • Strong identities
  • Authentication
  • Trusted endpoints
  • Network segmentation
  • Access controls
  • Data segmentation
  • User and system attribution to protect and regulate access to sensitive data and systems
  • And most important, understanding the data that you are trying to secure

To be 100% secured against all attacks is not realistic, but the Zero Trust mindset implies that the network’s security should be analyzed both internally and externally.

With most organizations being supported by remote work, there are now different risks. The transfer of information can be compromised if the right steps are not enforced. An organization can customize its security risk with gateways, allowing or revoking access based on individuals’ work requirements. Innovative access and authentication policies immediately suggest additional verification. Step-up challenges verify an already-in-place two-factor authentication when support has been breached.
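The principles listed above (authenticate and authorize every access, weigh context into a risk level, right-size by data classification, revoke mid-session, log everything) and the step-up challenge just described can be sketched as a small policy decision point. This is an added example, not code from the author or HHS; the class names, signal names, risk weights and thresholds are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed values for illustration: tolerated risk per data classification
# (right-sized protection) and the risk each context signal adds.
MAX_RISK = {"public": 60, "internal": 40, "restricted": 20}
RISK_WEIGHTS = {"unmanaged_device": 30, "unpatched_os": 20,
                "new_location": 15, "off_hours": 10}
STEP_UP_BAND = 20  # risk above the limit that a fresh MFA challenge can offset

@dataclass(frozen=True)
class Request:
    identity: str              # human, service or IoT device
    resource: str
    authenticated: bool = True
    encrypted: bool = True     # arrived over an encrypted channel
    signals: frozenset = frozenset()
    mfa_fresh: bool = False    # step-up challenge passed recently

class PolicyDecisionPoint:
    def __init__(self, classification, entitlements):
        self.classification = classification  # resource -> data class
        self.entitlements = entitlements      # identity -> allowed resources
        self.revoked = set()                  # identities cut off mid-session
        self.log = []                         # aggregated decision records

    def revoke(self, identity):
        self.revoked.add(identity)

    def decide(self, req):
        """Evaluate one request; called on every access, not once per session."""
        risk = sum(RISK_WEIGHTS.get(s, 0) for s in req.signals)
        limit = MAX_RISK.get(self.classification.get(req.resource))
        allowed = req.resource in self.entitlements.get(req.identity, ())
        if (limit is None or not allowed or req.identity in self.revoked
                or not (req.authenticated and req.encrypted)):
            decision = "deny"          # unknown data, no entitlement, or revoked
        elif risk <= limit:
            decision = "allow"
        elif risk <= limit + STEP_UP_BAND:
            decision = "allow" if req.mfa_fresh else "step_up"
        else:
            decision = "deny"          # too risky even with a fresh challenge
        self.log.append((req.identity, req.resource, risk, decision))
        return decision

# Constructed sample data.
pdp = PolicyDecisionPoint(
    classification={"cafeteria-menu": "public", "patient-records": "restricted"},
    entitlements={"alice": {"cafeteria-menu", "patient-records"}})
```

The same two risk signals that trigger a step-up on `patient-records` are allowed outright on `cafeteria-menu`, which is the "right size protections" principle expressed as a threshold per data class.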

We have only scratched the surface of Zero Trust in this article and there are certainly different nuances and thoughts on the subject. They are not all wrong, but the more we collaborate and share our thoughts, the better we get at moving towards effective cybersecurity implementations. Good luck on your journey!

Author’s Bio:
Mr. Caron is the Chief Information Officer (CIO) / Assistant Inspector General of Information Technology (AIG/IT) for the Office of Inspector General (OIG) at the Department of Health and Human Services (HHS) as of May 2021. Mr. Caron has over 24 years of information technology (IT) experience. He began his career in the US Army working in hands-on technical positions serving for 7 years.
Previously he has served as the Director of Enterprise Network Management (ENM) within the Directorate of Operations in the Bureau of Information Resource Management (IRM) at the Department of State (DOS) since June 2016.
Mr. Caron then spent 2 years as a contractor with the federal government, where he acquired more refined technical skills and a more detailed understanding of IT operations.  He joined the federal government at the Department of State (DOS) in 2003 as a Systems Administrator.  He has held multiple positions at the DOS, moving from managing small technical groups leading up to Director for ENM.