Alper Kerman

Risk Management

Zero Trust Cybersecurity: ‘Never Trust, Always Verify’

Keeping networks safe in a digital world without perimeters

Published: Thursday, November 19, 2020 - 13:03

Huh? What? At least that was my response the first time I heard the words "zero trust" when I started working at the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) in the fall of 2018. Mind you, I was also making a fresh start with an enormous jump to cybersecurity from a career track that had generally been in software engineering.

Sure, I did design and develop secure software solutions and even put together secure systems and platforms at times throughout my career, but zero trust seemed like a different ballgame to me. For one thing, it didn't have a fence.

What do I mean by that? Well, the traditional approach to cybersecurity relies on barriers—firewalls—that control traffic coming in and out of a network. Zero trust, on the other hand, is about assuming no barriers. It is usually mentioned in the same breath as "removing perimeters," "shrinking perimeters," "reducing perimeters," or "going perimeter-less." These are common references to the idea of "de-perimeterization," which was originally introduced by a group called the Jericho Forum back in 2005.

Then in 2010, cybersecurity expert John Kindervag coined the phrase "zero trust" while he was with Forrester Research. In a nutshell, zero trust assumes that the system will be breached and designs security as if there is no perimeter. Hence, don't trust anything by default, starting with the network.

We'll get into what zero trust means for cybersecurity in a minute. But first, how did NCCoE—and I—get wrapped up in zero trust? It's kind of a long story.

A big breach starts the ball rolling

I will dare to argue that the coup de grâce was the Office of Personnel Management (OPM) data breach of 2015. An estimated 22.1 million records were exposed. And if you aren't shaking your head right about now, you should be, because it has been described as one of the largest breaches of U.S. government data in history. It exposed records of people who had undergone background checks, as well as information about their family, friends, and acquaintances, many of whom weren't even government employees. Social Security numbers, names, dates and places of birth, and addresses were among the types of personally identifiable information that were revealed.

The OPM data breach was a big wake-up call for the U.S. government to secure its information systems and infrastructures. In its aftermath, several initiatives were launched to improve and modernize the U.S. government's security posture. The American Technology Council, formed in May 2017 under the direction of the president, promptly coordinated and produced a report for federal IT modernization later that year.

Then, a year later in February 2018, the CIO Council Services, Strategy, and Infrastructure Committee, made up of federal IT officers, chartered the Zero Trust and Software-Defined Networking Steering Group. That group's job was to support the adoption of more effective methods and technologies for verifying, securing, enforcing, and continuously monitoring access to the federal government's assets and data by applying zero trust principles. The group convened a workshop on Oct. 25, 2018, at the NCCoE. The workshop included 21 representatives and subject matter experts from federal, civilian, and defense agencies alike to discuss and come to consensus on definitions of zero trust networking and software-defined networking, including components, functional capabilities, and security characteristics of each model.

Shortly after the workshop, I came to work at NIST/NCCoE and was asked to participate in the steering group meetings as the new technical lead. This interaction finally led to the February 2019 launching of a NIST NCCoE project in partnership with the CIO Council to research zero trust and zero trust architectures (ZTA) with the goal of producing a general guidance document for adoption of ZTAs for securing U.S. government information systems and infrastructures.

In August 2020, NIST NCCoE released the general guidance document NIST SP 800-207, Zero Trust Architecture, for adoption of ZTAs in the federal government. This is a document that provides conceptual-level insight for zero trust and zero trust architectures, including deployment models, use case scenarios, and discovered gaps in technologies.

Now, with the historical backdrop out of the way, let's refocus our attention on our main topic: zero trust and what it means for cybersecurity.

Keeping networks safe, then and now

The best way to quickly get your mind wrapped around zero trust is to consider traditional and present network environments. People who have been in the IT field since the earliest days will surely remember the more innocent times in which we put together network environments. They were immensely different to say the least because we didn't have remotely accessible resources or applications and services in the cloud like we do today. Sure, we used digital resources and applications to do our work; however, they were exclusive to internal networks and accessible to staff who were on PCs and laptops within those network environments.

How did we protect them from internet threats? We threw a digital fence—a perimeter—around them, which funneled external access through a single point of entry in a verified and authorized manner. This would allow the internal users access to the pool of resources and applications protected inside the perimeter. And this was a sound strategy for a long time.

Today, with the explosion of cloud computing, we are more globally connected than ever before. Most of us conduct business remotely using mobile devices. We consume, exchange, and store digital information in private clouds, public clouds, hybrid clouds, and many other variations in between. Needless to say, the conventional boundaries have expanded and become more obscured to allow for a much larger footprint of applications and services to be located and accessed from anywhere. Of course, with that expansion, the cybersecurity vulnerabilities have also grown. We now have more areas and points of attack. And we are especially vulnerable to the types of cybersecurity breaches that originate from inside the networks—inside the perimeter.

In fact, in the case of the infamous OPM data breach I mentioned above, hackers first gained access to OPM's internal network using stolen credentials and then planted a malware package that installed itself within OPM's network as a back door for data exfiltration. From there, attackers escalated their privileges to gain access to various OPM information systems, a typical escalation scenario that is often referred to as the "lateral movement" or "east-west traffic" of a security breach inside the perimeter.

The shortcoming with the conventional perimeter defense is that it provides no security control mechanism to prevent lateral movements once the security threat is inside the perimeter because inside is always considered to be the safe or trusted zone in this strategy.

This is where zero trust comes in to save the day. You could be working from an enterprise-owned network, a coffee shop, home, or anywhere in the world, accessing resources spread across many boundaries, from on-premises to multiple cloud environments. Regardless of your network location, a zero trust approach to cybersecurity will always respond with, "I have zero trust in you! I need to verify you first before I can trust you and grant access to the resource you want." Hence, "never trust, always verify"—for every access request.

Illustration of the difference between a traditional, firewalled network, which is vulnerable to east-west traffic, and a network with zero-trust architecture. Credit: A. Kerman/NIST

And to stress the point further, the verification process is one of the key aspects of the zero trust approach. Every access request to a resource must be thoroughly evaluated dynamically and in real time—based on the access policies in place and the current state of credentials, device, application, and service, as well as other observable behavior and environmental attributes—before access may be granted.

For example, a member of staff or a contractor, or even a guest user, may be verified and granted access to a specific resource, but they will still need to be reverified to access another resource within a zero trust-enforced environment. This continuous scrutiny is the security control mechanism that prevents lateral movement of bad actors spreading from compromised systems within network environments, which is basically the essence of any zero trust solution.
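To make the contrast concrete, here is a small added example (my own illustration, not code from the article or from NIST SP 800-207) that puts the two models side by side: the perimeter rule from the "inside is trusted" discussion above, and a per-request policy check of the kind described in the last two paragraphs. The resource names, roles, device-posture fields, MFA freshness thresholds, and the two requesters are all constructed for the demonstration. It replays the stolen-credential scenario from inside the network against each resource in turn, showing that a grant for one resource does not carry over to the next and that network location alone decides nothing.

```python
"""Toy per-request policy engine contrasting perimeter trust with zero trust.

Added example; not the article's or NIST's code. Every policy value below is
constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    subject: str          # label for the requester (constructed)
    roles: frozenset      # roles asserted by the identity provider
    source_ip: str        # network location of the client
    device_managed: bool  # enrolled in enterprise device management
    device_patched: bool  # endpoint reports a current patch level
    mfa_age_seconds: int  # seconds since the last multi-factor proof
    resource: str         # the resource being requested


# Constructed per-resource policies: permitted roles, how fresh the MFA proof
# must be, and whether an enterprise-managed device is required.
RESOURCE_POLICY = {
    "wiki":       {"roles": {"staff", "hr", "finance"}, "max_mfa_age": 28800, "managed_only": False},
    "hr-records": {"roles": {"hr"},                     "max_mfa_age": 900,   "managed_only": True},
    "payroll-db": {"roles": {"finance"},                "max_mfa_age": 300,   "managed_only": True},
}


def perimeter_decision(req: AccessRequest) -> bool:
    """Traditional model: any client inside the 10.0.0.0/8 'trusted zone' is allowed."""
    return req.source_ip.startswith("10.")


def zero_trust_decision(req: AccessRequest):
    """Evaluate this one request against the resource's policy; location is ignored.

    Returns (allowed, reasons); reasons lists every failed check so the
    decision can be logged and audited.
    """
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, ["unknown resource"]
    reasons = []
    if not (req.roles & policy["roles"]):
        reasons.append("role not permitted")
    if policy["managed_only"] and not req.device_managed:
        reasons.append("unmanaged device")
    if not req.device_patched:
        reasons.append("device out of date")
    if req.mfa_age_seconds > policy["max_mfa_age"]:
        reasons.append("reverification required")
    return (not reasons), reasons


def simulate_lateral_movement():
    """Replay two constructed requesters against every resource under both models."""
    resources = ("wiki", "hr-records", "payroll-db")
    scenarios = [
        # Stolen staff credentials used from inside the network on an unmanaged box,
        # with no recent MFA proof: the OPM-style insider position.
        AccessRequest("stolen-creds-insider", frozenset({"staff"}), "10.1.2.3",
                      False, True, 86400, r) for r in resources
    ] + [
        # Legitimate HR user on a managed, patched laptop from a coffee shop (203.0.113.0/24
        # is a documentation range), with MFA two minutes old.
        AccessRequest("hr-user-remote", frozenset({"hr"}), "203.0.113.7",
                      True, True, 120, r) for r in resources
    ]
    results = {}
    for req in scenarios:
        allowed, reasons = zero_trust_decision(req)
        results[(req.subject, req.resource)] = {
            "perimeter": perimeter_decision(req),
            "zero_trust": allowed,
            "reasons": reasons,
        }
    return results


if __name__ == "__main__":
    for (subject, resource), verdict in simulate_lateral_movement().items():
        print(f"{subject:22} -> {resource:11} perimeter={verdict['perimeter']!s:5} "
              f"zero_trust={verdict['zero_trust']!s:5} {verdict['reasons']}")
```

Run as a script, the table shows the perimeter model waving the insider through to every resource while denying the legitimate remote user everywhere, and the zero trust check doing the reverse on the strength of role, device posture, and MFA freshness rather than IP address. In a real deployment the policy inputs would come from an identity provider, a device-management agent, and a session store, and each denial's reason list would go to the detection pipeline, since repeated "role not permitted" failures across resources from one identity are exactly the east-west pattern the article describes.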

I've had many amazing working experiences throughout my career, but I have to admit, this experience with our zero trust efforts at NIST/NCCoE definitely tops the chart by far. And what's really even more gratifying is that our zero trust efforts are being closely followed and highly regarded by other government agencies and many in the industry. For that, all the kudos go to every member of my team for their awesome support in our zero trust efforts and activities.


About The Author


Alper Kerman

Alper Kerman is a security engineer and project manager at the National Cybersecurity Center of Excellence (NCCoE), NIST. He is the technical lead and project manager for zero trust and other collaborative projects with industry organizations, government agencies, and academia that address cybersecurity issues at NCCoE. He has more than 30 years of experience in IT that spans software engineering, application security, and project management across government agencies and private industry.