The zero trust security model is hardly new – it was already a much-discussed evolutionary concept long before the coronavirus pandemic slammed into the nation and U.S. government operations in early March. The talk on zero trust was not if, but when.
But as with many other imperatives in the Federal IT arena since then, what a difference five months makes. The pandemic has brought two factors into sharper focus: the degree to which delivery of citizen services depends on more robust Federal IT architectures, and the need to create more sophisticated defenses against the unrelenting efforts of cyber adversaries trying to exploit the crisis.
We caught up recently with Ralph Kahn, Vice President of Federal at Tanium – which provides endpoint security and systems management services required to execute zero trust security strategies – for a discussion about technology, security in the work-at-home era, and Federal policies that can pave the way for quicker adoption of better security models.
MeriTalk: What’s a good short definition of zero trust?
Kahn: Zero trust is essentially a way that corporations manage technology risk – they look at who’s connecting to networks, what machines are connecting, what resources and applications they want access to, and they make a decision whether or not to allow access.
MeriTalk: And zero trust kind of gets away from the notion of perimeter defense of an on-prem system…?
Kahn: It’s a little bit of a misnomer because it sounds like somehow you’ve created this huge walled garden, and now you’re not trusting anybody on the outside. The reality is corporations have been doing that for a long time as they put up firewalls and they move users to the inside of the walled gardens. Zero trust is just an acknowledgement of the fact that the boundaries have blurred, that a lot of people do work from outside the corporate firewall, but even inside the corporate firewall it’s easy for systems to get out of compliance and for users to potentially attempt to do things they shouldn’t. This is just a different way of saying we want to get this under control, but now we have to get it under control both inside of our network and outside of our network.
To me, the technical difference isn’t really the fact that organizations don’t have to worry about a firewall – they absolutely do. All that network and perimeter defense that they have is still there. The difference is that people who are outside the network core are subject to a more granular risk calculus.
MeriTalk: How does Tanium play in that space?
Kahn: In order to make that risk decision, there are a couple of things that are really, really important. First, you need to have timely and accurate information about the systems that are trying to connect. And you have to understand not only who’s trying to connect, but all the various things that person can do once they have access. Having that gives you a more complete picture and an improved ability to assess the risk of that person connecting from the outside.
Tanium can provide a lot of that data to you, in real time, and very accurately. Many systems today will use data collected in a database that might be a week or two weeks old or otherwise out of date. The data you get from Tanium is in the moment. So when someone tries to connect, you get the latest data in real time on the machine they’re connecting from, the latest information about who they are, where else they might have logins inside the network, other privileges they have, and all of that can then be factored into a risk decision.
For example, a power user might have access to lots of things within the network, but if they’re at their grandparents’ house using 15-year-old Windows software, that’s a high risk because there are no more security patches being published for that software. So the company might say I’m going to give you access to your email because you really need to have that and maybe one or two general websites, but I’m not giving you access to the payroll database or your research projects or the shared drives. It’s those kinds of calculations that you can make with zero trust that are especially useful now with the rapid shift to a distributed workforce.
MeriTalk: Are most government agencies ready to implement zero trust now, or do they need to lay additional groundwork for that?
Kahn: The government is not unique in its need to move to zero trust, because of the COVID crisis and the large increase in work from home that it has created across the board. Even when agencies have been able to get access to tens of thousands of laptops to enable their employees to work from home and use a corporately controlled device, all of those assets are connecting over very thin pipes to a VPN back to the corporate network. There is a cost-benefit trade-off here, meaning that the more traffic you run over the VPN, the more equipment and bandwidth and costs you incur to do it.
One of the things that those VPN networks were not set up to easily do is standard operations management and security operations management. Those tend to be things that are best done over places where there is higher bandwidth. For instance, pushing a patch might not only take a really long time, but might also bring your VPN to its knees if you attempted to patch all of your remote assets. If you were able to do some of that out of band, that would save VPN bandwidth and cost you a lot less money. Many organizations have yet to really take on the challenge of adequately performing IT operations and security operations on the remote assets.
That’s an area that I think the Federal government, along with commercial industry, really needs to focus on. Tanium has helped some customers to do that by creating secure, out-of-band channels that allow them to do management and security operations outside of the VPN but in a secured way.
MeriTalk: Let’s talk about Federal government policy a little bit. From Tanium’s perspective, what could the Office of Management and Budget (OMB) be doing to further promote zero trust within the Federal civilian government?
Kahn: I think OMB needs to shine a bright light on the management and security aspects of work from home, and they need to begin to publish some guidance about how to best mitigate the risks that result from those challenges. I think they need to be able to establish some standards for minimum defensive controls for assets to connect to government networks.
That way, for organizations that can’t afford 50,000 government-furnished laptops, they can enable employees to use their own devices so long as they meet the minimum requirements – but it’s critical that the organization can determine whether an employee is running a reasonably secure home box without infringing upon the restrictions set forth by GDPR and other data privacy regulations. You’d have to abide by these policies as a Federal employee if you’re doing work on your personal computer at home – these are the things you can download, these are the things you can’t, and these are the rights the government has to the information that may be personal and sit on your machine.
MeriTalk: How about on the legislative front?
Kahn: There’s a lot for Congress to consider when it comes to the idea of zero trust. There are significant cost benefits, but there are also significant policy implications to using government-furnished equipment at home, or personal devices including computers, laptops and phones. Those are areas that OMB will look at for guidance, and that Congress needs to look at too. They need metrics, and they need to have minimum standards that people must abide by, and they need to create a mechanism that audits it. We need to apply the same rigor that goes into FITARA to work from home arrangements, and give agencies the tools to execute. Maybe it’s through the Continuous Diagnostics and Mitigation (CDM) program, or maybe through something else.
MeriTalk: Congress often moves much more slowly than OMB; is there anything in particular that would need to be done via legislation that OMB could not do?
Kahn: The move to a distributed workforce is something that Congress and the executive branch are going to have to weigh in on. Is this going to be permanent? Will we go back to the office? In what capacity? There is a significant economic and productivity advantage to work from home. Most people I’ve talked to feel that they are a lot more productive working at home than they were in the office. A lot of that goes counter to previous consensus. One of the things OMB and Congress might think about is how we want to measure and manage productivity for employees when they’re at the office, and if we can do that effectively, how much can we save on the billions of dollars per year we spend on Federal offices? And how much happier employees are working at home – if you’re more productive and your quality of life is better too, that seems like a win-win to me.
MeriTalk: We’re still trying to find the person that misses their commute, but we haven’t been able to yet…
Kahn: For me personally, missing the commute can give me back another hour and a half, two hours per day. If you have that two hours back, you can spend it with your family or give an hour to work and an hour to your family, and you’re more productive, and happier. I think that’s an area where OMB and Congress should really take a pretty deep look. I know a lot of industries have discovered by accident that maybe this work from home thing is not so bad after all.
MeriTalk: How do TIC 3.0 and the recent updates to that policy for telework figure in?
Kahn: My point of view is that TIC 3.0 is a really good concept. I like the idea of trusted internet connections – it’s something that’s been long overdue. It does a good job of setting some areas to look at security objectives and things like that, but I think you need to take it a little bit deeper and look at the people, the actual systems, and where the critical assets are internally.
Who’s connecting, what they’re using to connect, and securing the communications is certainly important, and having policy enforcement in the communication channel is also really important. But you need to get to a more granular level, you need to be able to look at things like risk, and that brings it back around to zero trust.
MeriTalk: If you are the CIO of an “average” Federal agency, is there anything on the policy front that’s stopping you from pursuing a zero trust model? What are the hurdles?
Kahn: I think the issue is that not all agencies have the same kind of resources and capabilities in terms of developing the appropriate policy control technology architecture. So the bigger agencies have an advantage in that they typically have larger staff and more bandwidth to dedicate to it. If OMB did some of that work, they would be able to share it as best practices.
The TIC guidance is pretty detailed from a security and telecommunications perspective, and it maps to the NIST framework, and that’s a good document. But again it misses some of the risk part of “what am I connecting to,” and that’s the part where I think TIC 3.0 and OMB could really expand a bit.