Zero Trust Project - Use Cases

Executive Summary

Zero Trust architecture eliminates the traditional chokepoints seen in the legacy Trusted Internet Connection (TIC) and in DOD Joint Regional Security Stacks (JRSS), Internet Access Points (IAP) and Cloud Access Points (CAP). Decentralizing these chokepoints into a distributed architecture that aligns with the policy enforcement point / policy engine / policy decision point (PEP/PE/PDP) framework of NIST Special Publication 800-207 may improve security and support digital transformation initiatives. It is vital to create secure access from anywhere, on any network, that gives a user the right access under the right conditions. NIST 800-207 outlines three approaches to Zero Trust: software-defined networking or perimeter, identity governance, and application micro-segmentation. While all three areas may interact, each focuses on a specific piece of an access attempt.

  1. Software-defined perimeter and network infrastructure are focused on delivering and routing network and internet traffic.
  2. Identity governance is focused on uniquely identified people or things requesting access.
  3. Application micro-segmentation is focused on network segmentation but also relies on identity governance.

Network Infrastructure and Software-Defined Perimeter

Network Software-Defined Perimeter (SDP) technologies can connect users directly to multiple resources, workloads and services in parallel without routing their traffic through a legacy architecture chokepoint or a cloud-hosted proxy. Direct access to cloud resources should provide context-aware, conditional access controls that continually assess device posture, apply identity- and attribute-based access controls, and incorporate other learned telemetry such as deviations in user behavior and trust or risk scores.

Identity Governance

Identity Governance can help an agency uniquely identify people and resources and then apply fine-grained access policies through a policy enforcement point (PEP). Distinguishing managed from unmanaged devices, workstations and laptops from mobile devices, and Bring Your Own Device from Bring Your Own Approved Device is a focus area across the use cases below. This means the use cases should be able to deliver this capability on any network, not just managed ones. Understanding access beyond IP addresses and URLs is critical to laying the foundation for moving to a Zero Trust Architecture. The platform should support security policies that use metadata (tags or labels) applied to cloud workloads, services or data objects. Identity attributes and metadata, not VLANs, IP addresses and ACLs, should drive these policies in order to achieve a data-centric approach to Zero Trust.

Application Micro-Segmentation

Application micro-segmentation can shield resources and allow access only from other trusted people and resources. An essential part of Secure Cloud Access is cloaking public-facing resources from the adversary: only known users and devices (pre-authorized and pre-authenticated) should be able to discover that the platform exists. These capabilities apply not just to users connecting to cloud services but must also encompass elements inside the “perimeter.” Micro-segmentation or nano-segmentation should enforce East-West and North-South controls that span any platform or cloud. The use cases below focus on an agnostic approach to delivering these capabilities; in essence, a unified security policy that overlays multiple clouds and multiple physical sites and extends down to the end-user device, wherever it is.
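The three approaches above share one idea: a policy decision point (PDP) evaluates identity attributes, device posture, resource labels and a risk score, and a policy enforcement point (PEP) acts on the answer. The following is an added illustration, not code from the project or from NIST SP 800-207; the policy document, attribute names, labels and thresholds are all constructed for this example. Unknown resource labels are denied without explanation, modelling the cloaking described above.

```python
"""Hypothetical NIST SP 800-207 style policy decision point (PDP) and
enforcement point (PEP). All attribute names, labels and thresholds are
constructed for this illustration and do not come from any product."""
import json

# Constructed policy expressed as data (JSON). Rules match on resource label,
# device posture, subject roles and MFA state, never on IP address or VLAN.
POLICY_JSON = """
{
  "max_risk_score": 60,
  "rules": [
    {"resource_label": "public-web",     "min_device": "unmanaged", "roles": ["any"]},
    {"resource_label": "payroll-db",     "min_device": "managed",   "roles": ["hr", "finance"],
     "require_mfa": true, "deny_mobile": true},
    {"resource_label": "build-pipeline", "min_device": "managed",   "roles": ["devops"],
     "require_mfa": true}
  ]
}
"""
POLICY = json.loads(POLICY_JSON)
# Bring-your-own-approved-device (byoad) sits between unmanaged and managed.
DEVICE_RANK = {"unmanaged": 0, "byoad": 1, "managed": 2}


def decide(subject, device, resource, risk_score):
    """Policy engine: returns (allow, reason). A request for a label with no
    rule is denied with a generic reason, so the caller learns nothing
    about whether the workload exists (cloaking)."""
    if risk_score > POLICY["max_risk_score"]:
        return False, "risk score above threshold"
    for rule in POLICY["rules"]:
        if rule["resource_label"] != resource.get("label"):
            continue
        if DEVICE_RANK.get(device.get("posture"), -1) < DEVICE_RANK[rule["min_device"]]:
            return False, "device posture below policy minimum"
        if rule.get("deny_mobile") and device.get("form_factor") == "mobile":
            return False, "mobile devices not permitted for this resource"
        if rule.get("require_mfa") and not subject.get("mfa"):
            return False, "MFA required"
        if "any" not in rule["roles"] and not set(rule["roles"]) & set(subject.get("roles", [])):
            return False, "role not authorised"
        return True, "allowed by rule for " + rule["resource_label"]
    return False, "no policy for resource (cloaked)"


def pep_forward(subject, device, resource, risk_score):
    """Enforcement point: forwards the request only when the PDP allows it."""
    allow, reason = decide(subject, device, resource, risk_score)
    return {"forwarded": allow, "reason": reason}
```

Changing the policy means editing the JSON document, not reconfiguring network addressing, which is what lets the same rules overlay multiple clouds and sites.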

Other Factors


  • Scalability and use of internet capacity are critical. The solution should be able to handle tens or hundreds of Gbps of throughput. Performance is only one side of the coin: operational scalability should be considered in every solution design, and Security as Code is required to handle Zero Trust at scale.
  • Support for seamless integration into security, development, operations and other workflow processes such as ITSM meets sustainment challenges. These technologies can leverage API support, be managed with tools such as Terraform, Ansible and Kubernetes using YAML or JSON for policy configuration management, and work with, not against, the continuous integration/continuous deployment (CI/CD) pipeline.
  • Just-in-time, object-level encryption of data at rest could also be employed to mitigate data leakage, enforcing additional controls on opening objects such as expiration after use or restricting opening to approved systems and specific users.


As part of the project team's effort to inform agencies on the current status of Zero Trust in the Federal government, the team conducted a series of interviews and surveys with federal agencies and the vendor community. Our analysis found five/six core Zero Trust use cases common to both the agency and vendor communities. Each use case describes the current-state approach, the Zero Trust approach and objective, the value proposition of Zero Trust, and a recommended starting point for a pilot. We thank the agencies and vendors who provided feedback.

Access Zero Trust Use Cases Here


In addition to these Use Cases, the project team also published a white paper entitled "Zero Trust Report: Lessons Learned from Vendor and Partner Research." Information from the Zero Trust project briefing is available here.