There has been a tremendous amount written on Zero Trust: what it is, what it isn't, and why it's so hard to simply "just turn on." Most of these articles focus on identity and authorization and the fact that implicit trust is no longer acceptable. All of that is important and true, but ultimately we need to focus on the dynamic nature of the typical enterprise and how Zero Trust addresses it with AI and ML, combined with automation and orchestration.
Dynamic Agencies Need Dynamic Security
Now more than ever, government enterprises are complex and changing. Users move frequently depending on their role and situation, and work is no longer defined as a physical location but as wherever the worker happens to be. Devices come in a myriad of types, and they move as often as workers do, using wireless technologies and networks that the IT department cannot control or secure. Networks themselves no longer have perimeters, and in the process of bringing work to the users they have created an ever-changing network (and thus threat) landscape. Even workloads, which used to remain in one place for years in heavily protected data centers, can and will move from cloud to cloud to accommodate business needs.
Simply put, there is nothing static about an agency — so why should security be?
Self-Aware and Self-Healing
The Zero Trust Maturity Model created by the DHS Cybersecurity and Infrastructure Security Agency (CISA) was released in summer 2021 and provided a rational way for government agencies to look at delivering Zero Trust, along with maturity levels to help agencies understand where they are on that journey. The model, or Foundation of Zero Trust, includes five pillars: Identity, Device, Network, Application/Workload, and Data, all of which rest on the cross-cutting capabilities of visibility and analytics, automation and orchestration, and governance. The concept is that over time, security capabilities in each pillar improve through the maturity levels described in the document, eventually delivering a Zero Trust architecture.
The key to the Zero Trust Maturity Model is the maturity level descriptions, where the true value of Zero Trust is clearly articulated. To reach the higher levels, the Zero Trust security model must be intelligent in understanding the current landscape and dynamic in reacting, in real time, to events that affect the security posture of the environment. In other words, the Zero Trust model must be self-aware and self-healing. Consider a few examples:
- Your website has been defaced as part of a Halloween prank. With analytics, the platform becomes aware of the change, knows that it is not normal, and automatically restores the known-good content in seconds, with no human intervention.
- An internal application falls out of compliance with the security policy because of a mistake during a routine upgrade. As part of your regular automated assessments, the discrepancy is detected, logged, and corrected to bring the application back into compliance.
- For no known reason, an IP security camera installed in a remote building starts sending traffic to multiple devices on the network. This behavior is detected as anomalous, the device is instantly quarantined, and an alert is sent to the security operations center (SOC) for review.
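The first scenario, a defaced website that heals itself, is in practice a file-integrity check with a known-good copy to restore from. The following is an added example written for this article (it is not VMware code and not from the original post): it hashes a webroot against a manifest built from a golden copy, restores modified or missing files, removes files the baseline does not know about, and reports what it did. The directory layout, file contents and the "prank" are all constructed inline so the script runs offline; in a real deployment the manifest would be produced at deploy time and stored where the web server cannot write to it.

```python
import hashlib
import json
import logging
import shutil
from pathlib import Path
from tempfile import TemporaryDirectory

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("webroot-monitor")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large assets never sit in memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def reconcile(webroot: Path, golden: Path, manifest: dict) -> dict:
    """Detect drift from the manifest and heal it from the golden copy.

    Returns what was modified, unexpected or missing, and what was restored/removed.
    """
    live = build_manifest(webroot)
    report = {k: [] for k in ("modified", "unexpected", "missing", "restored", "removed")}
    for rel, expected in manifest.items():
        if rel not in live:
            report["missing"].append(rel)
        elif live[rel] != expected:
            report["modified"].append(rel)
    report["unexpected"] = [rel for rel in live if rel not in manifest]

    # Remediate: put back known-good content and drop anything the baseline lacks.
    for rel in report["missing"] + report["modified"]:
        dst = webroot / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(golden / rel, dst)
        if sha256_of(dst) != manifest[rel]:  # verify the restore, don't assume it
            raise RuntimeError(f"restore of {rel} does not match manifest")
        report["restored"].append(rel)
        log.warning("restored %s from golden copy", rel)
    for rel in report["unexpected"]:
        (webroot / rel).unlink()
        report["removed"].append(rel)
        log.warning("removed unexpected file %s", rel)
    return report


def demo() -> dict:
    """Constructed scenario: golden copy, deployed webroot, then a defacement."""
    with TemporaryDirectory() as tmp:
        golden, webroot = Path(tmp, "golden"), Path(tmp, "webroot")
        for root in (golden, webroot):
            (root / "css").mkdir(parents=True)
            (root / "index.html").write_text("<h1>Agency Portal</h1>\n")
            (root / "css" / "site.css").write_text("body { margin: 0 }\n")
        manifest = build_manifest(golden)  # built at deploy time in real life

        # The "Halloween prank": one page rewritten, one file dropped in.
        (webroot / "index.html").write_text("<h1>Boo!</h1>\n")
        (webroot / "dropper.php").write_text("<?php /* constructed stand-in */ ?>\n")

        report = reconcile(webroot, golden, manifest)
        if build_manifest(webroot) != manifest:
            raise RuntimeError("webroot still differs from manifest after healing")
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verification after the restore matters: a self-healing loop that trusts its own remediation can silently re-deploy a compromised golden copy, which is why the manifest and the golden directory need to be protected independently of the webroot.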
Self-aware and self-healing is simple to understand but not so easy to architect. Achieving this kind of automation requires a variety of technologies and capabilities, orchestrated precisely and operating quickly enough to matter:
- Infrastructure instrumentation and telemetry from sensors, to provide real-time visibility into what is happening.
- Analytics across many tools, to distinguish normal, expected behavior from anomalies that should be acted upon.
- Artificial intelligence and policy engines, to decide what should be done about the situation in the most effective and simplest way.
- Configuration and automation tools, to act on the systems and stop the unwanted behavior in real time while logging the action and alerting the human overseer.
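To make the four stages above concrete, here is an added example (written for this article, not code from VMware or from any product it sells) that runs the rogue-camera scenario from the previous section through them: constructed flow records stand in for sensor telemetry, a per-source profile of peers and ports is the analytics, a small rule table keyed on device class is the policy engine, and an `Enforcer` class stands in for the NAC/SDN API call that would move a host to a quarantine VLAN. The IP addresses, the device inventory and the flows are all made up for the example.

```python
import logging
from collections import defaultdict
from dataclasses import dataclass, field

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("zt-pipeline")

# 1. Telemetry. Constructed flow records (src, dst, dport, bytes) in the shape a
#    NetFlow/IPFIX collector hands to analytics. 10.20.0.5 is the camera,
#    10.20.0.9 its video recorder, 10.20.0.12 an ordinary workstation.
BASELINE_FLOWS = [
    ("10.20.0.5", "10.20.0.9", 554, 4_000_000),
    ("10.20.0.5", "10.20.0.9", 554, 3_900_000),
    ("10.20.0.5", "10.20.0.9", 443, 2_100),
    ("10.20.0.12", "10.0.0.53", 53, 300),
    ("10.20.0.12", "10.0.0.80", 443, 150_000),
    ("10.20.0.12", "10.0.0.81", 443, 90_000),
]
LIVE_FLOWS = [
    ("10.20.0.5", "10.20.0.9", 554, 4_050_000),
    ("10.20.0.5", "10.20.0.21", 445, 1_200),   # camera fanning out on SMB/SSH/RDP
    ("10.20.0.5", "10.20.0.22", 445, 1_200),
    ("10.20.0.5", "10.20.0.23", 22, 800),
    ("10.20.0.5", "10.20.0.24", 3389, 900),
    ("10.20.0.12", "10.0.0.53", 53, 280),
    ("10.20.0.12", "10.0.0.82", 443, 120_000),  # one new web host: normal drift
]
# Device classes the policy engine consults (assumed to come from a CMDB/NAC).
INVENTORY = {"10.20.0.5": "iot-camera", "10.20.0.12": "workstation"}


@dataclass
class Profile:
    peers: set = field(default_factory=set)
    ports: set = field(default_factory=set)


def build_profiles(flows):
    """2a. Analytics: learn who each source talks to and on which ports."""
    profiles = defaultdict(Profile)
    for src, dst, dport, _ in flows:
        profiles[src].peers.add(dst)
        profiles[src].ports.add(dport)
    return profiles


def find_anomalies(profiles, flows, max_new_peers=1):
    """2b. Analytics: flag sources that leave their learned envelope.

    One new peer on a known port is tolerated as drift; more new peers than
    that, or any previously unseen destination port, is reported.
    """
    findings = {}
    for src, now in build_profiles(flows).items():
        base = profiles.get(src, Profile())
        new_peers, new_ports = now.peers - base.peers, now.ports - base.ports
        if len(new_peers) > max_new_peers or new_ports:
            findings[src] = {"new_peers": sorted(new_peers), "new_ports": sorted(new_ports)}
    return findings


def decide(src, finding):
    """3. Policy engine: device class + finding -> action.

    IoT/unknown devices are cut off automatically; a user endpoint goes to a
    human first, because a wrong automatic cut-off there costs more.
    """
    if INVENTORY.get(src, "unknown") in ("iot-camera", "unknown") and finding["new_ports"]:
        return "quarantine"
    return "alert-only"


class Enforcer:
    """4. Automation: stand-in for the NAC/SDN call that quarantines a host."""

    def __init__(self):
        self.actions, self.alerts = [], []

    def quarantine(self, src, reason):
        self.actions.append(("quarantine", src))  # real code: push ACL/VLAN change here
        log.warning("QUARANTINE %s: %s", src, reason)
        self.alert(src, reason, auto_remediated=True)

    def alert(self, src, reason, auto_remediated=False):
        self.alerts.append({"host": src, "reason": reason, "auto_remediated": auto_remediated})
        log.info("SOC alert for %s (auto_remediated=%s)", src, auto_remediated)


def run_pipeline(baseline=BASELINE_FLOWS, live=LIVE_FLOWS):
    """Wire the four stages together; returns the enforcer for inspection."""
    enforcer = Enforcer()
    for src, finding in find_anomalies(build_profiles(baseline), live).items():
        reason = f"new peers {finding['new_peers']}, new ports {finding['new_ports']}"
        if decide(src, finding) == "quarantine":
            enforcer.quarantine(src, reason)
        else:
            enforcer.alert(src, reason)
    return enforcer


if __name__ == "__main__":
    e = run_pipeline()
    print("actions:", e.actions)
    print("alerts:", e.alerts)
```

Two design points carry over to real deployments: the policy stage, not the analytics stage, decides whether a finding is auto-remediated, so the blast radius of a false positive is governed by device class rather than by whatever the model flagged; and every automatic action also produces a SOC alert, so "no human intervention" never means "no human visibility."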
Tools for Building Zero Trust Maturity
Self-awareness and self-healing is where the industry is focused. Legacy security concentrated on known threats and on preventing those threats from reaching systems. We are now working on zero-day threats, which by definition are unknown to the systems they target and therefore have no signature-based prevention.
Using visibility tools and analytics, anomalies can be detected that may be symptoms of malware or malicious behavior. Working backwards from the symptom, the root cause can be identified and addressed. Endpoint detection and response (EDR) tools provide that ability on endpoints, while extended detection and response (XDR) tools use telemetry from endpoints as well as network and cloud systems to discover anomalies and drive a remediation process. These tools carry embedded intelligence, via AI systems, that helps determine the response, which is then executed by a configuration and orchestration system that may or may not be embedded in the same product. These are just two examples of how the industry is looking to deliver a self-assessing, self-healing architecture.
As you move toward a mature Zero Trust architecture, look for the tools and technologies that can provide the telemetry, automation, and intelligence needed to address anomalies not yet known within your systems.
To learn more about how VMware is helping government agencies better protect their environments, visit: