In September 2019, the National Institute of Standards and Technology (NIST) released its Zero Trust Architecture draft, setting the tone for the future of Federal cybersecurity and a move toward enterprise-wide zero trust implementation.
How is zero trust playing a role in Federal IT modernization efforts? How can multi-factor authentication (MFA) accelerate implementation? And how do CDM and TIC 3.0 factor in? MeriTalk spoke with Dean Scontras, vice president of public sector at Cisco’s Duo Security, and Micah Wilson, solutions engineer for Federal, for their take.
MeriTalk: There are many definitions of “zero trust.” What does “zero trust” mean to you, specifically in relation to the government market?
Scontras: It means that the security paradigm is changing from the age-old model of high walls and deep moats where you got on a network, and you were known in that network. Now people are on multiple mobile devices and connecting to cloud applications from anywhere. All of a sudden, that high-wall security paradigm doesn’t fit. Zero trust is the security framework for applying modern tools to a modern world.
Wilson: We used to need to comply with requirements to connect to the network. Now we must comply to connect to the application. Zero trust is the framework that allows that to happen.
MeriTalk: Zero trust security is increasingly important for government agencies as they strive to strengthen cyber security measures. How is zero trust playing a role in Federal IT modernization efforts?
Scontras: Zero trust dovetails very nicely with IT modernization as it’s very easy to deploy, very simple for users, and reduces costs. We have customers who rolled out to tens of thousands of users, and it only took an afternoon and a Red Bull, while reducing trouble tickets. Our FedRAMP sponsor, the Department of Energy, is using our federal-tailored MFA and Duo Access product editions to protect data and critical systems, and reduce costs by consolidating existing solutions, amid the agency’s transition to modern, cloud-based technology. So, I think that our MFA and access solutions are a perfect fit for IT modernization.
Wilson: Zero trust is the first viable framework since HSPD-12 in 2004 that the government can use to modernize its technology independently. When you’re complying to connect to the application, you’re getting out of the mindset of where people are located. It’s a different way of thinking that’s being brought forward because of how people are connecting now. That’s the driver for the modernization. Then, the government can use that modernization to use cloud services, gaining economies of scale.
MeriTalk: How does multi-factor authentication play a critical role as agencies implement zero trust models?
Scontras: Micah just referred to HSPD-12, which mandated the use of an identification card to access information or a building, and that is supposed to be both the primary and secondary form of authentication today. Modernization drives more use of cloud and mobile, which don’t lend themselves well to HSPD-12. Duo’s modern multi-factor authentication is a lot more in line with NIST’s updated policy, which says that in instances where you have mobile devices trying to access cloud information, you can use an alternative form of authentication.
One of the things that stalls the government from moving to cloud and IT modernization is the way we authenticate. We generally tell customers that if you’re moving to cloud and your cards don’t support the applications you’re using, alternatives are available. You certainly don’t want to use username and password, because every major breach we’ve heard about over the last decade has happened due to compromise of username and password. It’s common that when agencies can’t support an application with a smart card, the username and password is all that’s left to prevent unauthorized access. So, we feel strongly that they should start with a modern multi-factor authentication solution.
MeriTalk: Achieving Federal compliance can often be a roadblock for agencies when exploring zero-trust environments. How do Duo’s Federal MFA and Federal Access Editions help agencies align with strict security requirements?
Scontras: The NIST guide should be the ultimate arbitrator of what you can do. The new guide says that you can use something like Duo – a hardware-acceptable, FIPS 140-2 Level 3 encrypter in your compliance efforts. We check that box really well. Our FedRAMP sponsor was ahead of the curve on this, watching NIST and complying with its guidelines, and using Duo Push for these use cases.
MeriTalk: What role does CDM data play in the zero-trust model?
Wilson: Zero trust in and of itself doesn’t inherently add continuous diagnostics and monitoring, but with the information and analytics that are generated by complying to connect to the application, you begin to see patterns of behavior from users. So we’re in the business of locking the doors and making sure the person is really who they say they are and doing all these zero-trust things, but an artifact of that is a whole bunch of continuous diagnostics and monitoring logging that can be mined for people doing things out of the ordinary.
MeriTalk: How does zero trust factor into the new Trusted Internet Connections (TIC) 3.0 policy?
Wilson: TIC is driving the flow of traffic through a stack that allows you to do analytics. You’re looking for things like insider threats. TIC and zero trust can coexist. For example, a person completes MFA, but now they’re trying to export a whole bunch of information. Zero-trust security compliance connects them to the application, while TIC identifies odd behavior or an insider doing something that they’re not supposed to do.
Here’s another example: If I connect to a cloud service that’s running some sort of cloud access security broker (CASB) that’s looking for analytics, that traffic doesn’t need to go through a TIC because the cloud itself can look for weird behavior. But if I have legacy applications where I need to look for that type of behavior, I want to run that traffic through some stacks. I still want zero trust, to know that’s really the user. What we’re really doing in conjunction with the TIC is removing plausible deniability from the user. If they disclose their password, we know it was them because they had to do something else besides put in a username and password.
So, there are three kinds of stacks that you see. The classic HSPD-12, which was kind of monolithic identity proofing and authentication. Then you have the TIC, which is the stack that lets you look for the people that made it through. Zero trust is really a modernization of HSPD-12 that also works in conjunction with the TIC. Solutions like Duo give you flexibility. For example, if you still want to use the classic definition of HSPD-12 and have a common access card (CAC) or personal identity verification (PIV), but now you also want to geo-fence where users are coming from, you could implement Duo into an HSPD-12 and TIC environment and drive a requirement that “only people from North America can use this.”
MeriTalk: In your opinion, what are the biggest obstacles for agencies when trying to adopt zero-trust environments?
Scontras: It’s the inertia of legacy systems and cultures that say, “We’ve always done it this way.” On the industry side, there’s a lot of white noise around what zero trust is, and that can create a lot of confusion. The challenge for a lot of agencies is really understanding what a coherent architecture looks like, and what the pieces are – without getting lost in the white noise.
Wilson: I think it’s so new that people need some guidance, so we just work really hard to be trusted advisors.
MeriTalk: What advice would you give to Federal agencies that are making the shift to zero-trust security models? Any best practices they should follow?
Scontras: The ACT-IAC working group on zero trust has a lot of smart people – including Duo’s own Federal advisory CISO, Sean Frazier – who are working on zero-trust architecture. I think that’s probably the best starting point, as well as NIST policy or guidance. With something like Duo, with every single one of those zero-trust architectures, MFA is a natural requirement. The first thing you do when you wake up in the morning and the last thing you do when you go to bed at night is make sure that the doors and the windows are locked – MFA doesn’t change. Duo is in a fairly unique position in that, while parts of the architecture may change, the access piece is going to be the constant. That’s one of the discussions we have with customers: We will work with the identity and governance pieces, but what you need today is a form of modern MFA. The nice thing about Duo is that we exist in all of those models, and it’s something the agency can implement today while they gradually implement the rest of the zero-trust architecture.
MeriTalk: Anything else you’d like to add?
Scontras: On the IT modernization front, simplicity and cost reduction are critical. There are a lot of players in zero trust and a lot of piece parts to it, but the MFA solution is a constant, and it will evolve as your agency evolves. It’s the foundational piece of zero trust that you can plug all the other pieces into.
Wilson: More and more people are working remotely. A simple, flexible MFA solution – coupled with a solid collaboration platform – will allow organizations to identify and verify their employees no matter where they are and what device they are using, while allowing them to work as they normally do – with scalability and security.