Implementing Zero Trust Strategy

Introduction to securing data with Zero Trust principles in cloud environments.

Zero Trust is a cybersecurity framework developed by the Department of Defense (DoD) to help organizations achieve cyber resiliency. However, many organizations find it challenging to implement a Zero Trust strategy. It is essential to recognize that Zero Trust is an ongoing process rather than a one-time product. Understanding its key tenets and how they can be mapped to core solutions is crucial for successful implementation.

This document outlines an approach to implementing Zero Trust, providing a defensible framework and practical applications for creating a comprehensive solution stack.

Introduction to Zero Trust Data

Introduction to Zero Trust Strategy

Zero trust data is a security model that requires all data to be encrypted and secured, regardless of where it resides. 

By default, it assumes that all data is untrusted. 

One of the basic tenets of zero trust is to remove the implicit trust in users, services, and devices based only on their network location, affiliation, and ownership. 

Defining Zero Trust

  • Every user, device, and app treated as untrusted.

  • Evolves from traditional perimeter defenses to proactive security.

Key Principles of Zero Trust

  • Verify identity and least privilege access.

  • Implement micro-segmentation and continuous monitoring.

Evolution of Cybersecurity Models

  • Shift from perimeter-based to Zero Trust approach.

  • Adapts to dynamic cyber threats for enhanced resilience.

Key Principles of Zero Trust Data

Data encryption

  • All data at rest and in transit should be encrypted

Least privilege access

  • Only authorized users should have access to sensitive data

Micro-segmentation

  • Know where your data comes from and where it goes

  • Microsegment at the data record level

Continuous validation

  • Validate user access and data integrity continuously

DoD Zero Trust Framework

The President's Executive Order on Improving the Nation's Cybersecurity (EO 14028) and National Security Memorandum 8 (NSM-8) mandate that Federal Civilian Executive Branch (FCEB) agencies and National Security Systems (NSS) owners and operators develop and implement plans for adopting a Zero Trust (ZT) cybersecurity framework. The goal of ZT implementation is to continually enhance cybersecurity protections, responses, and operations over time. Advancing capabilities in each of the seven ZT pillars should be viewed as a cycle of continuous improvement, driven by threat evaluation and monitoring. Figure 1 illustrates these ZT pillars, including the device pillar. The detailed capabilities and milestones for the device pillar within the ZT maturity model are elaborated throughout this document. Although depicted separately, the pillars are interconnected; many capabilities within the device pillar depend on or align with those in other pillars, as indicated.

The ZT security model is best illustrated as seven pillars that together comprise the complete cybersecurity posture. The seven pillars are:

  • User

  • Device

  • Network & Environment

  • Application & Workload

  • Data

  • Automation & Orchestration

  • Visibility & Analytics

Vendor mapping to Zero Trust Pillars

Having examined the pillars and their requirements, XQ has identified key solutions for each pillar.

  • User

    • Microsoft Identity Manager

    • Okta

    • Netskope

  • Device

    • CrowdStrike

  • Network & Environment

    • Palo Alto

    • Zscaler

  • Application & Workload

    • Snowflake

    • VMware

  • Data

    • XQ is the only commercially available, patented solution that meets all seven of the DoD requirements for Zero Trust Data.

  • Automation & Orchestration

    • AWS

  • Visibility & Analytics

    • Splunk

    • AWS

Zero Trust Data Component

XQ Message Implementation

4.1 Data Catalog Risk Assessment

Inventory of encrypted assets.

A fully decentralized architecture enables policies to be matched to the risk or clearance level of the project.

4.2 DoD Enterprise Data Governance

Holistic, data-centric access monitoring at the data level that extends outside environment boundaries.

Real-time monitoring of the creation, movement, and access of protected data.

4.3 Data Labeling & Tagging

Auto-tag and label data based on attributes, geography or roles set in policies.

Every block of encrypted data is identified by a unique tag generated using quantum entropy.

4.4 Data Monitoring & Sensing

Data exfiltration monitoring.

Agents track the location of data as it is accessed and report back to the policy server. 

4.5 Data Encryption & Management

Each data object has its own unique quantum-seeded key to prevent lateral movement.

Crypto-agile encryption enables different algorithms based on risk (post-quantum) or data type (voice, video, data).
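The per-object key model in 4.5 is easier to reason about in code. The following Go program is an added example written for this page; it is not XQ's code and does not describe XQ's implementation. It assumes a symmetric key-encryption key (KEK) held on the policy side, AES-256-GCM for both the payload and the key wrap, and a random per-object tag drawn from the OS entropy source standing in for the quantum-entropy tag the page describes. Each object gets its own data-encryption key (DEK), so a key released for one object opens nothing else, and because the tag is bound into both ciphertexts as associated data, a tag cannot be moved from one object to another without detection.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// ProtectedObject is the stored form of one data object: its own tag, its own
// wrapped data-encryption key (DEK) and its own ciphertext. Nothing is shared
// between objects except the key-encryption key (KEK) held by the policy side.
type ProtectedObject struct {
	Tag        string // unique per object; bound into both AEADs as associated data
	WrappedDEK []byte // DEK encrypted under the KEK, nonce prefixed
	Ciphertext []byte // payload encrypted under the DEK, nonce prefixed
}

// sealAEAD encrypts with AES-256-GCM and prefixes the random nonce.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD; any change to ciphertext or aad fails here.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Protect gives the object a fresh 128-bit tag and a fresh 256-bit DEK (both from
// crypto/rand here, an assumption standing in for a quantum entropy source),
// encrypts the payload under the DEK and wraps the DEK under the KEK.
func Protect(kek, plaintext []byte) (ProtectedObject, error) {
	tagBytes := make([]byte, 16)
	dek := make([]byte, 32)
	if _, err := rand.Read(tagBytes); err != nil {
		return ProtectedObject{}, err
	}
	if _, err := rand.Read(dek); err != nil {
		return ProtectedObject{}, err
	}
	tag := hex.EncodeToString(tagBytes)
	ct, err := sealAEAD(dek, plaintext, []byte(tag))
	if err != nil {
		return ProtectedObject{}, err
	}
	wrapped, err := sealAEAD(kek, dek, []byte(tag))
	if err != nil {
		return ProtectedObject{}, err
	}
	return ProtectedObject{Tag: tag, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// UnwrapDEK is the step a policy server performs only after its access checks pass.
func UnwrapDEK(kek []byte, obj ProtectedObject) ([]byte, error) {
	return openAEAD(kek, obj.WrappedDEK, []byte(obj.Tag))
}

// UnprotectWithDEK is all a client holding one released DEK can do: open that object.
func UnprotectWithDEK(dek []byte, obj ProtectedObject) ([]byte, error) {
	return openAEAD(dek, obj.Ciphertext, []byte(obj.Tag))
}

// Unprotect is the full path: unwrap the DEK, then decrypt the payload.
func Unprotect(kek []byte, obj ProtectedObject) ([]byte, error) {
	dek, err := UnwrapDEK(kek, obj)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for object %s: %w", obj.Tag, err)
	}
	return UnprotectWithDEK(dek, obj)
}

func main() {
	kek := make([]byte, 32) // constructed KEK; in a deployment it lives in a KMS or HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	a, _ := Protect(kek, []byte("record A"))
	b, _ := Protect(kek, []byte("record B"))
	dekA, _ := UnwrapDEK(kek, a)
	_, err := UnprotectWithDEK(dekA, b)
	fmt.Printf("tags differ: %v; DEK of A opens B: %v\n", a.Tag != b.Tag, err == nil)
}
```

The point to take from running it is the failure cases: the DEK for record A cannot open record B, and a ciphertext whose tag has been swapped fails authentication before any plaintext is produced.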

4.6 Data Loss Prevention (DLP)

Zero Trust Data applies role-based access control (RBAC) and attribute-based access control (ABAC) directly to the data, adding a necessary external control channel.

Content is scanned during the encryption process to reduce the risk of data leakage.

4.7 Data Access Control

Coalition data sharing 

Access to protected data is only allowed after policy verification: identity, location, token, time, server type.
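To make the policy verification in 4.7 concrete, here is an added Go example (not XQ's code and not a description of its product) of a default-deny evaluator that checks identity, location, token, time and server type before access to one protected object is released. The token shape, the region and server-type labels, and the policy structure are assumptions made for illustration; every failed check is returned so that a deny can be logged with its reasons.

```go
package main

import (
	"fmt"
	"time"
)

// Token is a hypothetical bearer credential bound to one identity.
type Token struct {
	Subject string
	Expires time.Time
	Revoked bool
}

// AccessRequest is what a client presents when it asks to open a protected object.
type AccessRequest struct {
	Identity   string
	Location   string // constructed region label, e.g. "US"
	Token      Token
	At         time.Time
	ServerType string // constructed label, e.g. "managed-workstation"
}

// DataPolicy is the policy attached to one protected data object.
type DataPolicy struct {
	AllowedIdentities map[string]bool
	AllowedLocations  map[string]bool
	AllowedServers    map[string]bool
	WindowStartHour   int // inclusive, UTC
	WindowEndHour     int // exclusive, UTC
}

// Evaluate applies every check the policy lists. It is default deny: a single
// failed check denies, and all failed checks are returned for the audit log.
func Evaluate(p DataPolicy, r AccessRequest) (bool, []string) {
	var reasons []string
	if !p.AllowedIdentities[r.Identity] {
		reasons = append(reasons, "identity not authorized for this object")
	}
	if !p.AllowedLocations[r.Location] {
		reasons = append(reasons, "location not permitted")
	}
	switch {
	case r.Token.Subject != r.Identity:
		reasons = append(reasons, "token not bound to the presented identity")
	case r.Token.Revoked:
		reasons = append(reasons, "token revoked")
	case !r.At.Before(r.Token.Expires):
		reasons = append(reasons, "token expired")
	}
	if h := r.At.UTC().Hour(); h < p.WindowStartHour || h >= p.WindowEndHour {
		reasons = append(reasons, "outside the approved time window")
	}
	if !p.AllowedServers[r.ServerType] {
		reasons = append(reasons, "server type not permitted")
	}
	return len(reasons) == 0, reasons
}

// SamplePolicy is a constructed policy for one hypothetical object.
func SamplePolicy() DataPolicy {
	return DataPolicy{
		AllowedIdentities: map[string]bool{"alice@example.mil": true},
		AllowedLocations:  map[string]bool{"US": true},
		AllowedServers:    map[string]bool{"managed-workstation": true},
		WindowStartHour:   8,
		WindowEndHour:     18,
	}
}

func main() {
	tok := Token{Subject: "alice@example.mil", Expires: time.Date(2024, 1, 1, 23, 0, 0, 0, time.UTC)}
	ok, why := Evaluate(SamplePolicy(), AccessRequest{
		Identity: "alice@example.mil", Location: "US", Token: tok,
		At: time.Date(2024, 1, 1, 20, 0, 0, 0, time.UTC), ServerType: "unknown",
	})
	fmt.Println("allowed:", ok, "reasons:", why)
}
```

Note that the token check is ordered: a token presented by the wrong identity is reported as a binding failure even if it has also expired, which keeps the log entry focused on the more serious condition.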

Zero Trust Implementation Framework

Data Integrity in Zero Trust Architecture

Zero Trust is a process more than a product. Therefore, it helps to have a framework so that progress can be tracked and goals set. The NIST framework and, by extension, the CMMC Level 2 controls list provide an excellent guide for maturing a Zero Trust posture.

NIST as an Implementation Framework

National Institute of Standards and Technology (NIST) Special Publication 800-207 lays out a comprehensive set of zero trust principles and reference zero trust architectures (ZTA) for turning those concepts into reality.

NIST SP 800-171

“Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

The NIST SP 800-171 publication outlines requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. It is often referenced in contracts with the U.S. government.

NIST recommends a 7-step process to establish a cybersecurity program:

  • Prioritize and Scope.

  • Orient.

  • Create a Current Profile.

  • Conduct a Risk Assessment.

  • Create a Target Profile.

  • Determine, Analyze and Prioritize Gaps.

  • Implement Action Plan.

Getting Started with Zero Trust

Define Zero Trust Goals

Determine the key goals and outcomes you want to achieve from adopting zero trust, such as improving security, reducing risk, or enabling remote access.

Assess Current Infrastructure

Take an inventory of all assets, users, devices, and data flows across your IT environment to understand gaps and priorities.

Establish Zero Trust Policies

Define granular access policies based on least privilege principles and multi-factor authentication for all users and devices.

Segment the Network & Data

Architect network & data segmentation, microperimeters, and private access to limit lateral movement and isolate critical assets.

Continuous Monitoring

Implement continuous monitoring across all assets and users to maintain visibility and quickly detect threats.

NIST Checklist

NIST SP 800-171 has 110 controls.

Consult the official NIST Controls spreadsheet for an in-depth reference.

NIST Categories

NIST’s 110 controls and 320 objectives break down into the following categories:

1. Access controls

2. Awareness and training

3. Auditing and accountability

4. Configuration management

5. Identification and authentication

6. Incident response

7. Maintenance

8. Media protection

9. Personnel security

10. Physical protection

11. Risk assessment

12. Security assessment

13. System and communications protection

14. System and information integrity

Zero Trust Domains

Identify Domain Solutions

  • For each domain, identify a key partner

Prioritize

  • Data, network, identity are good places to start

Automated Governance and Continuous Monitoring

  • Regularly monitor network activity

  • Quickly detect and respond to security incidents

NIST Best Practices

  1. Define and Classify CUI (Controlled Unclassified Information)

  2. Implement a Least Privilege Model

  3. Audits and Alerts for Changes in CUI

  4. Verification of Access Changes

Define and Classify CUI (Controlled Unclassified Information)

Definition: Controlled Unclassified Information (CUI) refers to information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies but is not classified under Executive Order 13526 (Classified National Security Information) or the Atomic Energy Act, as amended.

Classification: CUI is categorized into various subtypes based on the nature of the information and the specific laws or regulations governing its protection. These subtypes can include:

  1. Privacy Information: Personal data must be protected to prevent unauthorized disclosure.

  2. Proprietary Business Information: Sensitive business data that, if disclosed, could harm the business's competitive position.

  3. Law Enforcement Information: Data related to law enforcement activities that require protection to ensure operational effectiveness.

  4. Critical Infrastructure Information: Information about physical or cyber systems essential to the country's security and public welfare.

  5. Export Control Information: Technical data or software that requires protection to comply with export control regulations.

Organizations handling CUI must ensure that it is appropriately marked and handled according to the requirements set by the National Archives and Records Administration (NARA) and other relevant authorities.

Implement a Least Privilege Model

Definition: The least privilege model is a security concept and practice in which users are granted the minimum levels of access—or permissions—needed to perform their job functions. This principle aims to reduce the risk of unauthorized access and limit potential damage in case of a security breach.

Implementation Steps:

  1. Identify Roles and Responsibilities: Define and document the roles within the organization and the specific access requirements for each role.

  2. Access Control Policies: Develop and enforce access control policies that assign users the minimum necessary permissions based on their roles.

  3. Regular Review and Adjustment: Periodically review and adjust access rights as roles and responsibilities change or as part of routine security audits.

  4. Automated Provisioning: Utilize automated tools to manage and enforce access controls, ensuring consistency and reducing the potential for human error.

  5. User Training and Awareness: Educate users about the importance of adhering to the principle of least privilege and the implications of access misuse.

Audits and Alerts for Changes in CUI

Definition: Audits and alerts for changes in CUI involve continuous monitoring and logging of access and modifications to CUI and generating alerts when unauthorized or suspicious activities are detected. This helps to ensure the integrity and confidentiality of CUI.

Components:

  1. Logging: Implement comprehensive logging mechanisms to record all CUI access attempts, modifications, and transfers.

  2. Audit Trails: Maintain detailed audit trails that can be reviewed to detect and analyze any unauthorized access or changes to CUI.

  3. Automated Alerts: Set up automated alert systems that notify security personnel of any anomalies or potential security incidents involving CUI.

  4. Regular Audits: Conduct regular audits to review logs and audit trails, ensure compliance with security policies, and identify areas for improvement.

  5. Incident Response: Establish and maintain an incident response plan to promptly address and mitigate any security incidents involving CUI.
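The logging, audit-trail and alerting components listed above can be exercised with a small rule engine. This added Go example (not from the page or any vendor) parses a constructed CUI access log and applies four rules: access outside the approved time window, modification by a user who is not an approved writer, transfer of a CUI object to a destination outside the boundary, and bulk reads by a single user. The log format, user names, object names, trusted domain suffix and thresholds are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// CUIEvent is one parsed line of the constructed access log below.
type CUIEvent struct {
	At                         time.Time
	User, Action, Object, Dest string // Dest is "-" unless Action is transfer
}

// Alert is one finding for the security reviewer.
type Alert struct {
	Rule, User, Object string
	At                 time.Time
}

// AuditConfig holds what the rules need to know about the environment.
type AuditConfig struct {
	Writers            map[string]bool // users approved to modify CUI
	TrustedSuffix      string          // destinations inside the boundary end with this
	StartHour, EndHour int             // approved access window, UTC
	BurstLimit         int             // CUI reads by one user before alerting
}

// parseLine parses "<RFC3339 time> user=<u> action=<a> object=<o> dest=<d>".
func parseLine(line string) (CUIEvent, error) {
	fields := strings.Fields(line)
	if len(fields) != 5 {
		return CUIEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return CUIEvent{}, err
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return CUIEvent{}, fmt.Errorf("bad field %q in %q", f, line)
		}
		kv[k] = v
	}
	return CUIEvent{at, kv["user"], kv["action"], kv["object"], kv["dest"]}, nil
}

// Audit runs four rules over the log: access outside the window, modification
// by a non-writer, transfer outside the boundary, and bulk reads by one user.
// Objects not under "cui/" are out of scope and ignored.
func Audit(cfg AuditConfig, lines []string) ([]Alert, error) {
	var alerts []Alert
	reads := map[string]int{}
	for _, l := range lines {
		ev, err := parseLine(l)
		if err != nil {
			return nil, err // a line that cannot be parsed is itself an audit failure
		}
		if !strings.HasPrefix(ev.Object, "cui/") {
			continue
		}
		if h := ev.At.UTC().Hour(); h < cfg.StartHour || h >= cfg.EndHour {
			alerts = append(alerts, Alert{"access-outside-window", ev.User, ev.Object, ev.At})
		}
		switch ev.Action {
		case "modify":
			if !cfg.Writers[ev.User] {
				alerts = append(alerts, Alert{"unauthorized-modification", ev.User, ev.Object, ev.At})
			}
		case "transfer":
			if !strings.HasSuffix(ev.Dest, cfg.TrustedSuffix) {
				alerts = append(alerts, Alert{"transfer-outside-boundary", ev.User, ev.Object, ev.At})
			}
		case "read":
			if reads[ev.User]++; reads[ev.User] == cfg.BurstLimit {
				alerts = append(alerts, Alert{"bulk-read", ev.User, ev.Object, ev.At})
			}
		}
	}
	return alerts, nil
}

// SampleLog is constructed for this example; it is not real log data.
var SampleLog = []string{
	"2024-03-04T09:05:00Z user=alice action=read object=cui/contract-17 dest=-",
	"2024-03-04T09:07:00Z user=alice action=modify object=cui/contract-17 dest=-",
	"2024-03-04T02:15:00Z user=bob action=read object=cui/contract-17 dest=-",
	"2024-03-04T10:00:00Z user=bob action=modify object=cui/roster dest=-",
	"2024-03-04T10:30:00Z user=carol action=transfer object=cui/roster dest=share.partner-example.net",
	"2024-03-04T11:00:00Z user=carol action=transfer object=public/brochure dest=share.partner-example.net",
	"2024-03-04T11:10:00Z user=dave action=read object=cui/a dest=-",
	"2024-03-04T11:11:00Z user=dave action=read object=cui/b dest=-",
	"2024-03-04T11:12:00Z user=dave action=read object=cui/c dest=-",
}

// SampleConfig is a constructed environment description.
func SampleConfig() AuditConfig {
	return AuditConfig{Writers: map[string]bool{"alice": true}, TrustedSuffix: ".corp.example.mil",
		StartHour: 8, EndHour: 18, BurstLimit: 3}
}

func main() {
	alerts, err := Audit(SampleConfig(), SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %-26s user=%s object=%s\n", a.At.Format(time.RFC3339), a.Rule, a.User, a.Object)
	}
}
```

On the sample log this yields four alerts: bob's 02:15 read, bob's modification of a record he is not approved to write, carol's transfer of a CUI object to a partner share, and dave's third read in quick succession. Carol's transfer of the public brochure is ignored because it is not CUI, which is what keeps the rule set from drowning reviewers in findings about data that needs no protection.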

Verification of Access Changes

Definition: Verifying access changes involves validating and confirming that any modifications to user access rights are authorized, properly documented, and in compliance with the organization's security policies.

Processes:

  1. Change Request Documentation: Implement a formal process for documenting requests for access changes, including justification, approvals, and requestor details.

  2. Approval Workflow: Establish a workflow for access change requests that require multiple levels of authorization, ensuring that changes are properly vetted.

  3. Verification Checks: Conduct verification checks post-implementation to ensure the changes were executed correctly and aligned with the approved request.

  4. Periodic Review: Perform periodic access rights reviews to verify that they remain appropriate and that any changes are justified.

  5. Audit Trails: Maintain audit trails of all access changes, including the request, approval, and implementation stages, to provide a comprehensive record for security and compliance purposes.

By addressing these components, organizations can enhance their security posture and ensure that CUI is adequately protected.
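The verification checks and audit-trail steps under "Verification of Access Changes" amount to a reconciliation: compare the approved change requests with what the identity system actually grants. The following added Go example (not from the page) does that with constructed tickets and grants. It assumes every ticket from the review period is available, requires a configurable minimum number of approvers, rejects any ticket the requestor approved, and reports grants with no valid ticket, approved grants that were never implemented, and approved revocations that are still in effect.

```go
package main

import (
	"fmt"
	"sort"
)

// ChangeRequest is one documented access-change ticket (constructed shape).
type ChangeRequest struct {
	ID         string
	User       string
	Permission string
	Action     string // "grant" or "revoke"
	Requestor  string
	Approvers  []string
}

// Grant is one entry in the effective permission state exported from the identity system.
type Grant struct{ User, Permission string }

// Finding is one discrepancy for the reviewer.
type Finding struct{ Kind, Detail string }

// VerifyAccessChanges checks each ticket against the approval rules (enough
// approvers, nobody approves their own request), builds the state the valid
// tickets imply, and compares it with what is actually granted.
func VerifyAccessChanges(tickets []ChangeRequest, current []Grant, minApprovers int) []Finding {
	var findings []Finding
	expected := map[Grant]string{} // grants that should exist -> ticket id
	revoked := map[Grant]string{}  // grants that should be gone -> ticket id
	for _, t := range tickets {
		valid := len(t.Approvers) >= minApprovers
		if !valid {
			findings = append(findings, Finding{"insufficient-approvals", t.ID})
		}
		for _, a := range t.Approvers {
			if a == t.Requestor {
				findings = append(findings, Finding{"self-approval", t.ID})
				valid = false
				break
			}
		}
		if !valid {
			continue // an invalid ticket authorizes nothing
		}
		g := Grant{t.User, t.Permission}
		switch t.Action {
		case "grant":
			expected[g] = t.ID
			delete(revoked, g)
		case "revoke":
			revoked[g] = t.ID
			delete(expected, g)
		}
	}
	have := map[Grant]bool{}
	for _, g := range current {
		have[g] = true
	}
	for g := range have {
		_, approved := expected[g]
		_, wasRevoked := revoked[g] // reported below as a revoke that was not carried out
		if !approved && !wasRevoked {
			findings = append(findings, Finding{"grant-without-approved-request", g.User + ":" + g.Permission})
		}
	}
	for g, id := range expected {
		if !have[g] {
			findings = append(findings, Finding{"approved-grant-not-implemented", id})
		}
	}
	for g, id := range revoked {
		if have[g] {
			findings = append(findings, Finding{"approved-revoke-not-implemented", id})
		}
	}
	sort.Slice(findings, func(i, j int) bool { // map order is random; make the report stable
		if findings[i].Kind != findings[j].Kind {
			return findings[i].Kind < findings[j].Kind
		}
		return findings[i].Detail < findings[j].Detail
	})
	return findings
}

// CountByKind summarizes findings for a report.
func CountByKind(fs []Finding) map[string]int {
	out := map[string]int{}
	for _, f := range fs {
		out[f.Kind]++
	}
	return out
}

// SampleTickets and SampleGrants are constructed data for this example.
var SampleTickets = []ChangeRequest{
	{"CR-1", "alice", "read:cui-contracts", "grant", "bob", []string{"carol", "dan"}},
	{"CR-2", "eve", "admin:cui-vault", "grant", "eve", []string{"eve", "frank"}},
	{"CR-3", "bob", "write:cui-contracts", "grant", "alice", []string{"carol"}},
	{"CR-4", "gina", "read:cui-roster", "revoke", "bob", []string{"carol", "dan"}},
	{"CR-5", "hank", "read:cui-roster", "grant", "bob", []string{"carol", "dan"}},
}

var SampleGrants = []Grant{
	{"alice", "read:cui-contracts"},
	{"eve", "admin:cui-vault"},
	{"gina", "read:cui-roster"},
}

func main() {
	for _, f := range VerifyAccessChanges(SampleTickets, SampleGrants, 2) {
		fmt.Printf("%-32s %s\n", f.Kind, f.Detail)
	}
}
```

With two approvers required, the sample produces one finding of each kind: eve approved her own admin grant and holds it anyway, CR-3 has only one approver, hank's approved grant was never provisioned, and gina's approved revocation was never carried out. Alice's grant matches CR-1 and produces nothing, which is the expected outcome for a properly vetted change.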

Next Steps to Achieving Zero Trust

  1. Define goals

    What should your top three objectives be? Where to start to lay a solid groundwork? Three pillars offer the most coverage for Zero Trust.

    1. Zero Trust Data

    2. Zero Trust Network

    3. Zero Trust Identity

By starting with Data, Network and Identity you cover the most objectives and can begin to manage and evaluate your security profile.

  2. Internal Assessment

Download the 110 controls and see how they map to XQ capabilities.

Use this document to build your compliance profile and create an SPRS score.

A Supplier Performance Risk System (SPRS) score is a number that indicates a defense contractor's compliance with the 110 security controls in NIST SP 800-171. The score is based on three years of supplier performance information (PI) data and ten risk factors, and ranges from +110 to -203. A perfect score of 110 reflects full compliance, while points are subtracted for each unmet requirement.

  3. Strategy Plan

It takes a village to implement and maintain Zero Trust. Gather your resources and stakeholders and start formulating your remediation plan.

If you need help, just ask XQ!

Request the XQ Shared Responsibility Matrix to see our direct mapping to NIST controls.
