Reston, VA – June 29, 2023 – Amyx and Zero Trust Architecture

At Amyx, much of our client base at DoD and DLA is about to undergo a transformation of their networked applications to Zero Trust (ZT). Amyx’s teams are leading the effort at USTRANSCOM and DLA AMPS. Below is an introduction to ZT. Many of our projects supporting IT initiatives at DoD and DLA will at some point integrate ZT into their architecture.

In May of 2021, President Biden signed Executive Order 14028 calling for all Federal Government agencies to modernize their approach to cybersecurity by developing and ultimately implementing zero trust architecture strategies. Since that Order was signed, a number of other documents have been released, each containing more granular details that expand on specific topics and clarify goals and expectations.

As a concept, zero trust was born out of necessity. The ever-rising number of breaches that occur on a daily basis makes it clear that the security practices employed by most organizations are ineffective. Such breaches have facilitated the theft of countless terabytes of intellectual property, privacy data, defense plans, trade secrets, and other information, with negative impacts on just about everyone in all walks of life. The general consensus on breaches has become: you either know you’ve been breached, or you’ve been breached and don’t know it yet. For organizations that haven’t been breached, the question isn’t “if,” it is “when?”

The implementation of zero trust principles and practices will effectively shut down many of the avenues that are currently exploited during breaches. Just as important, it will limit the damage that can be done should a breach occur. This is accomplished through two of the most impactful zero trust practices: continuous authentication (AuthN) and authorization (AuthZ), and macro/micro segmentation.

Continuous AuthN and AuthZ call for every user/endpoint in a network to be positively identified and authenticated multiple times throughout a session. Each identification and authentication includes additional “context” data that is also assessed to determine whether the connection will be authorized. Contextual information may include roles and entitlements, the IP address, the location, time of day, and other metadata, which are compared against a baseline to determine whether the user/endpoint is connecting as expected or whether the connection attempt is out of the ordinary.
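The re-check described above, written out as an added example (not code from Amyx or any DoD program): each periodic check compares the request’s roles, source network, location and hour against a constructed per-user baseline, and the session continues, is forced to re-authenticate, or is torn down. The drift thresholds and all sample values are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Baseline:
    """Constructed per-user baseline of what a normal connection looks like."""
    roles: frozenset            # entitlements granted to the user
    networks: tuple             # CIDRs the endpoint normally connects from
    locations: frozenset        # country codes seen during baselining
    work_hours: tuple = (6, 20) # local hours [start, end) considered normal

@dataclass(frozen=True)
class Context:
    """Metadata captured at one re-check during a live session."""
    user: str
    roles: frozenset            # roles presented with this request
    src_ip: str
    location: str
    hour: int                   # local hour of the attempt, 0-23
    required_role: str          # entitlement the requested resource needs

def evaluate(ctx: Context, base: Baseline) -> str:
    """Return ALLOW, STEPUP (fresh authentication required) or DENY.
    An entitlement failure denies outright; drift from the baseline adds
    to a score. Thresholds are constructed, not taken from any policy."""
    if ctx.required_role not in ctx.roles or ctx.required_role not in base.roles:
        return "DENY"
    drift = 0
    addr = ip_address(ctx.src_ip)
    if not any(addr in ip_network(n) for n in base.networks):
        drift += 2                      # unfamiliar source network
    if ctx.location not in base.locations:
        drift += 2                      # unfamiliar location
    start, end = base.work_hours
    if not start <= ctx.hour < end:
        drift += 1                      # outside normal hours
    if drift >= 4:
        return "DENY"
    return "STEPUP" if drift >= 2 else "ALLOW"

def run_session(checks, base: Baseline):
    """Re-evaluate at every check; the session ends at the first DENY."""
    decisions = []
    for ctx in checks:
        decisions.append(evaluate(ctx, base))
        if decisions[-1] == "DENY":
            break
    return decisions
```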

Macro/micro segmentation breaks apart and isolates servers and devices that reside in on-premises network enclaves such that one authentication into the network does not provide a user with access to all of the devices and resources that exist within that network. The goal here is to limit “east-west” movement within networks and to minimize the “blast radius” to just those assets that are accessible to that endpoint. Along with data-tagging and the application of least privilege access principles, macro/micro segmentation efforts should reach a point where every asset on a network and every file on those assets is locked down such that it can only be accessed by authorized endpoints and users, without providing them access to any other assets that reside on the network.
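An added example of the segmentation policy this paragraph describes (not code from the page or any program it mentions): an enclave split into constructed segments with an explicit allow-list, so a flow is permitted only when both the segment pair and the caller’s authenticated role match a rule, and the blast radius of an endpoint is exactly the set of rules it can use. Segment names, CIDRs, ports and roles are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    dst_port: int
    roles: frozenset   # authenticated roles permitted to use this path

# Constructed segment map: one enclave split into separately policed segments.
SEGMENTS = {
    "user-lan": ip_network("10.10.0.0/16"),
    "web-tier": ip_network("10.20.1.0/24"),
    "app-tier": ip_network("10.20.2.0/24"),
    "db-tier":  ip_network("10.20.3.0/24"),
}

# Explicit allow-list. Any flow not listed here, including flows inside a
# segment, is denied; there is no implicit east-west trust.
RULES = (
    Rule("user-lan", "web-tier", 443, frozenset({"employee", "admin"})),
    Rule("web-tier", "app-tier", 8443, frozenset({"svc-web"})),
    Rule("app-tier", "db-tier", 5432, frozenset({"svc-app"})),
    Rule("user-lan", "db-tier", 5432, frozenset({"dba"})),
)

def segment_of(ip: str):
    addr = ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def flow_allowed(src_ip, dst_ip, dst_port, roles):
    """Decide one flow: (allowed, reason). Identity is checked per flow,
    so one successful authentication never unlocks the whole enclave."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False, "unknown segment"
    for r in RULES:
        if (r.src_segment, r.dst_segment, r.dst_port) == (src, dst, dst_port) \
                and roles & r.roles:
            return True, f"rule {src}->{dst}:{dst_port}"
    return False, "default deny"

def blast_radius(src_ip, roles):
    """Everything an endpoint with these roles can reach at all: the set
    exposed if that endpoint were compromised."""
    src = segment_of(src_ip)
    return sorted({(r.dst_segment, r.dst_port) for r in RULES
                   if r.src_segment == src and roles & r.roles})
```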

Zero trust architectures also call for the implementation of a number of other technologies that aid in detecting anomalous behavior on endpoints, networks, applications, databases, and files. Security orchestration, automation, and response (SOAR) tools aim to automate patching on the fly. Coupled with other Comply-to-Connect (C2C) tools and technologies, endpoints will be assessed to determine if they meet C2C standards prior to connecting. Such standards may include OS version and patch level, up-to-date antivirus, installed applications, running processes, etc. Artificial Intelligence and Machine Learning technologies will bolster and enhance traditional security information and event management (SIEM) tools by sifting through logs, alerts, and other data to identify and bring to light events that call for human intervention, while automating responses to other events.
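An added example of the pre-connection posture assessment described above (not code from the page or any C2C product): an endpoint’s reported OS build, patches, antivirus signature age, installed applications and running processes are checked against a constructed baseline, and every gap is reported so remediation can be driven from one result. The baseline values and patch identifiers are placeholders, not a DoD standard.

```python
from dataclasses import dataclass

# Constructed C2C baseline; thresholds and identifiers are illustrative
# placeholders, not any DoD-published standard.
BASELINE = {
    "min_os_build": {"Windows 11": 22621, "Ubuntu 22.04": 0},
    "required_patches": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"},
    "max_av_signature_age_days": 3,
    "required_apps": {"edr-agent"},
    "forbidden_processes": {"telnetd", "rsh"},
}

@dataclass
class Endpoint:
    """Posture facts an agent would report before the device is admitted."""
    hostname: str
    os_name: str
    os_build: int
    patches: set
    av_signature_age_days: int
    installed_apps: set
    running_processes: set

def assess(ep: Endpoint, baseline=BASELINE):
    """Return (compliant, findings). Any finding keeps the endpoint off the
    network until remediated; every gap is listed, not just the first."""
    findings = []
    min_build = baseline["min_os_build"].get(ep.os_name)
    if min_build is None:
        findings.append(f"unsupported OS: {ep.os_name}")
    elif ep.os_build < min_build:
        findings.append(f"OS build {ep.os_build} below minimum {min_build}")
    missing = baseline["required_patches"] - ep.patches
    if missing:
        findings.append("missing patches: " + ", ".join(sorted(missing)))
    if ep.av_signature_age_days > baseline["max_av_signature_age_days"]:
        findings.append(f"antivirus signatures {ep.av_signature_age_days} days old")
    absent = baseline["required_apps"] - ep.installed_apps
    if absent:
        findings.append("missing required apps: " + ", ".join(sorted(absent)))
    bad = ep.running_processes & baseline["forbidden_processes"]
    if bad:
        findings.append("forbidden processes running: " + ", ".join(sorted(bad)))
    return not findings, findings
```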

The implementation of zero trust architectures is not a “silver bullet” solution that will end all breaches and intrusions. However, it will greatly decrease the number of breaches and minimize the data losses that occur when breaches do occur.

At USTRANSCOM, efforts are underway to implement the 152 activities described in the DoD Zero Trust Strategy document released in November of 2022. These 152 activities are organized into 7 pillars that address 1) User, 2) Device, 3) Applications & Workloads, 4) Data, 5) Network & Environment, 6) Automation & Orchestration, and 7) Visibility & Analytics. 91 of the 152 activities are categorized as “Target” activities that must be implemented prior to the remaining 61 “Advanced” activities. In March/April, DISA began discussing its Thunderdome efforts to construct an architecture that includes zero trust tools and processes. Though the Thunderdome architecture is recommended, it is not mandated. Zero trust efforts in USTRANSCOM are not in line with some of the technologies that are core to Thunderdome.

At DLA, Zero Trust is also being implemented. It is expected that all applications will follow the same progression as at USTRANSCOM. DLA’s Account Management Provisioning System (AMPS) is transforming into Identity, Credential, and Access Management (ICAM), and it will provide Single Sign On (SSO), integrating username and password with Multi-Factor Authentication (MFA) and PKI (CAC) validation in all environments (AWS, Azure, OCI, Dayton and Tracy). Eventually, all DLA systems will integrate into the zero trust architecture implemented by AMPS/ICAM.