Hi, thank you for having me. I'm doing good. It's a nice kind of morning here. Hope everybody's doing okay over there.
Yeah, we are doing well too. Thank you very much. And with that, feel free to start, Scott.
All right. Like I said, my name is Scott Rose. I'm from NIST, the National Institute of Standards and Technology. Alongside that, we also have a separate research and development, federally funded lab called the National Cybersecurity Center of Excellence. I'm not directly associated with them, but I do a lot of work with them, and NIST does fund them. It's part of NIST, and they're doing a lot of lab work.
It's a public-private partnership, and I'll be talking a little bit about how they're extending some of the things that we wrote about zero trust and zero trust architectures into a more practical demonstration project. So first I'm gonna go through how we at NIST, and by extension the federal government, are zeroing in on what zero trust is and what the principles involved are.
That's how we think about it: it's more of a set of principles.
There isn't a single architecture, it isn't a single solution, but a way of thinking, a way of planning an architecture and setting up your IT infrastructure. And then I'm gonna focus on what we're calling the enhanced identity approach, because this whole conference is about identity, and we're calling it enhanced identity governance, or enhanced identity, as a separate model of zero trust that you see some organizations moving to, either as a first attempt or as their ultimate goal.
And then what are some of the issues around that, and how we're doing further work in that space.
So first off, for those who don't know, what is zero trust? You've probably been hearing it a lot today and everywhere else. We're calling it zero trust architecture; it's a set of principles for how you define your architecture.
It's a set of rules and tenets. We're calling them tenets; other people call them principles. They're used to develop an architecture in which you can say you have a zero trust architecture, and an enterprise that has a zero trust architecture could be called a zero trust enterprise. This set of standard terms was step zero when we were developing NIST Special Publication 800-207, Zero Trust Architecture, because about two years ago, maybe more,
there's a group called the Federal CIO Council. This is a group of all the CIOs from federal agencies.
They were hearing about zero trust. They wanted to know more, and they wanted to know if this whole concept of zero trust could aid federal agencies in improving their cybersecurity posture. So they tasked NIST to develop this conceptual framework document. The goal is that it's not a standard.
So even though we are the National Institute of Standards and Technology, this particular document is not a standard. Like I said, we're trying to call it a conceptual framework, to aid agencies specifically, but private industry as well, to give them a common set of terms and principles so that when they talk about zero trust amongst themselves, internally, to other agencies, or in procurement, they have a set of common terms and understandings about what they mean when they say zero trust, or the various roles and components involved in zero trust, or these deployment patterns, things like that.
So just to give them an idea of how they should talk and discuss zero trust to make it understood across a community. But in a nutshell, when we say zero trust, down at the bottom you see a subject or some simple host; it goes through a policy enforcement point and a policy decision point that decides whether or not access is granted to a resource. And the whole goal of zero trust is to shrink that implicit trust zone to make it as small as possible, ideally just encompassing that single resource.
In other words, any system can never reach any kind of enterprise-owned resource without first going through that policy enforcement point, and then the subsequent policy decision point that's actually making that access request decision, either yay or nay.
The idea is that the policy enforcement point is where things are checked.
Is it the right authentication checks, authorization checks, device health checks, environmental checks? Is it coming from the right network, the right time of day? Is it following the right behavioral pattern? Those sorts of things. All those happen at the PEP. But we boil down zero trust into a set of principles. I'm not gonna list all the principles here, because it would just be a wall of text.
But they can be broken down into three categories: ones that are focused on users, ones that are focused on devices, and some that are focused on the network, or data movement, data workflows. For users, all authentication and authorization is dynamic and strictly enforced.
Just because you have access to a particular resource does not mean you have access to every other resource that the enterprise owns, or even that you have access to that particular resource in this given situation.
It could be that you're accessing it from a different endpoint or device that may be a little out of date, hasn't been patched, or accessing outside of normal work hours, or from another network that you normally don't access these resources from. And also this is granted per session. Ideally, you could even say in zero trust it's granted per action. You could boil zero trust down to almost the API level, almost like a REST API, where individuals could have access to maybe read a resource but not to write, or something like that.
But also when you talk about identity, you also gotta remember there's devices.
And so in the NIST view of zero trust in the special publication, all resources are considered important in zero trust. That means all endpoints, all instances, all virtual instances, containers, possibly IoT devices, compute resources; all these are considered computing resources.
It's not just focusing on the data, but also on the application itself, any other kind of input and actuators, and even maybe network segments, going down to that level. All these are important to the enterprise, and they need to be considered and accounted for in zero trust. But drilling down into identity: what do we mean when we say identity? Because there has been the statement floating around that identity is zero trust, or identity-based perimeter, or something like that.
We're considering it part of zero trust. It's not the whole, much like cloud.
Cloud really does support zero trust, and it's a driver for zero trust, but it is not the end. You can actually do zero trust in a non-cloud world. It's not ideal, but it can be done. But what are we talking about when we talk about identity? We're really talking about network identity.
That is, user at some domain. This includes human and non-human, and a human can have multiple network identities, or there could be a single network identity that multiple people, multiple employees, use, like an admin account or something like that. And each identity could have different roles or attributes. We're not making a simple statement on either one, because actually zero trust
is agnostic in that respect. You can do it either way, but there is some sort of role-based or attribute-based part where they're granted as needed and revoked. So you have this least privilege in zero trust, and it boils down to devices as well.
Hopefully in an ideal world, every device, every IoT device or whatever, has a unique logical and physical identity. If you look at something like IoT, you've got IEEE 802.1AR, a standard that is out, that's certificate-based. So every IoT device it's focused on has something called an IDevID cert. That is a certificate that is generated by the manufacturer and stored on the device.
And it's very long-lived, almost beyond the expected lifetime of that device, but that does require that the IoT device in question has a trust store, trusted hardware, or a TPM chip or something like that.
And that gets expensive, but you can think that in some worlds you may want that for some classes of IoT devices that are doing a sensitive mission, whereas for others you may not care.
And so you may be in a mixed world where some of these have the IDevID certs and some don't, but the ideal is you wanna use these certificates in order to segregate devices or differentiate them. You can tell which ones are patched and which aren't, down to the individual devices, and not rely on something that can be spoofed like a MAC address or something like that. But again, zero trust is really just part of a much larger whole.
And then there's the model where this identity is what we're sometimes calling the load-bearing pillar. Think of a house. You see some models where zero trust is shown as a Greco-Roman temple, where there are all these pillars on a foundation. Identity, in the enhanced identity governance model,
is the load-bearing pillar of the whole structure, where you're putting more of your emphasis on your identity governance in your architecture.
That's what we mean when we say that. We've actually boiled it down to three different models: there's enhanced identity governance, micro-segmentation, and what we're calling software-defined perimeter, or SDP. Those are usually your software-defined networking solutions, and micro-segmentation-based, again, is segmenting the network down to individual micro-perimeters around resources, ideally.
So all these solutions are incomplete on their own. In an ideal zero trust architecture you'd have elements of all three: you would have an enhanced identity governance regime in place, you would have micro-segmentation on your network, you'd have software-defined perimeters for your cloud instances and things like that.
So there'd be elements of all three, but often this enhanced identity governance approach is the first step we've seen in some places, because it's usually, I wouldn't say the easiest, but it's the one that's easiest to get their hands on.
For instance, one of the first steps is consolidating your identity stores, where you may have different applications maintaining identity amongst themselves. Instead, you want to move to single sign-on, or you wanna implement multifactor authentication.
All these are concrete steps that are seen as early wins for zero trust. I mean, enrolling in one of those endpoint detection and protection programs in an enterprise could be costly, and you'd have to buy a whole bunch of new equipment. A lot of the enhanced identity governance solutions out there are more software-based. Of course you can go the full route and start talking about hardware tokens. For example, in the federal government, every employee is issued a smart card with certificates on it.
And we use that for multifactor now. Whether we're using that for multifactor for all resources depends on the agencies. Some agencies are more mature and some aren't, but there's been a huge drive, especially with zero trust coming out, to push that across agencies and have multifactor being used primarily, and to get rid of all these cases where it's just a username and password. We wanna move to multifactor being rolled out.
And so taking it a step further, in the special publication we have figure two, which is kind of famous, and it's the abstract architecture. Here I've grayed out some of the parts that are maybe not as impressive in an enhanced identity world. So this is like the first step, but they are still there.
So I grayed those out. Again, at the very bottom here is the data plane. In zero trust you segment your network into a control plane and a data plane. The control plane is the network used to actually architect and maintain the network itself and all the policy enforcement points. The data plane is the plane used for application data. So that's where the actual users or other services are contacting the resource and actually doing work.
So we've broken out those planes, and we've broken out the roles.
The policy enforcement point is different from what we're calling the policy decision point, which actually is made up of the policy engine and the policy administrator. Those are two separate components in zero trust as we're calling it. But shorthand: think of the policy engine as the brain; that's the one making the actual access decision, yay or nay, am I going to allow this connection or not? And the policy administrator is the enforcement arm; it's actually executing that decision.
It's either setting up that connection or tearing it down, as ordered by the policy engine, and the policy enforcement points are those components that actually are setting it up, right? They're either an agent that's located on the device, or some sort of portal, web gateway, or smart switch in front.
Those are the actual components used to set up the connection. That's what the traffic is going through, all the data plane traffic.
But again, you have the subject going through a policy enforcement point to get to the resource. Now, all those boxes on the left and right, these are all the data feeds that are helping the policy engine make that decision. So you have industry compliance, which sometimes is present, depending on the industry. You've got things like PCI; in the United States there's HIPAA for health information privacy; there may be other financial industries or healthcare industries. They all have some sort of regulations that they need to follow.
And that's where those policy rules come in. Activity logs for behavioral analysis in zero trust:
there's a theme or a move to not just detect the health of the device, or the authentication and the multifactor of the actual individual user and network identity, but also to look at historic access patterns as input into whether this new access should be granted. Think of a scenario where in an average day you may see somebody accessing a database and doing on the order of five megs of data transactions in a single day. Suddenly that jumps up to 80 gigs or something like that. That could set off a red flag, and those accesses could then be denied, because it could be that those are subverted accounts.
You have an insider threat or something like that. Zero trust is built upon that as well, as part of the enhanced identity: this historical behavior as part of the access policy. And then you have policy itself, and identity management, which hopefully is again a single source. You're relying on one single identity store.
And before you actually grant all these, PKI. Again, I grayed that out because sometimes it's present, sometimes it's not; it's not mandatory.
You could think of a zero trust architecture that doesn't require a PKI, but again, it's usually there in some fashion. Think of it not always as an X.509 certificate-based PKI, but there could be somewhere there are public keys and there's some sort of structure that allows them to be distributed and maintained. By definition that's a public key infrastructure; it doesn't necessarily always mean it has to be X.509 certificates. But what are some of the issues?
Again, some of the things that we're looking at, that we described in the special publication, and some of the things that we're also looking at in the follow-on project, the demonstration project at the National Cybersecurity Center of Excellence, are what these use cases and scenarios are.
So think, on the right, this is like a typical enterprise. You've got an enterprise HQ where some people are on-prem, you have remote workers, you may have a branch office, or this is a newly acquired group, and they have cloud services.
What is the difference between an employee accessing resources versus a contractor? And there might be some others. In some places you have dependents: the families of employees may have certain rights. Certain customers may have certain accesses that are beyond just normal retail, like, I have to provide my network identity in order to purchase something online; maybe something beyond that, maintaining a service account or something like that. Is it something different between on-prem versus cloud?
What are those issues involved?
How are we going to do that?
And one sticking point that comes up a lot is how do we form a coalition or some cross collaboration. Traditionally it's like I issue new credentials, and it's almost like a contractor scenario, but then think of some places, like in the military or law enforcement or government, where people from different agencies come together. They may have a federated identity, which can be leveraged in the solutions, but also there are sometimes differences in data attributes, access attributes, or data classification issues that then bubble up.
Is there some sort of way of standardizing that, either within a community or overall, in order to say, when you join this coalition: here are the network identities, the people that are gonna be participating in this coalition, and here are the attributes we've granted them,
and this is what they mean, this is how we do that. And therefore you can easily mesh with the resources that the other enterprise is providing; in other words, we're going together.
There's always gonna be one hosting group or enterprise that's providing some of these resources, and other members of the coalition that are gonna be accessing them. How do we do that in an easy way, instead of having to reissue credentials and attributes to everybody, and everybody having to juggle multiple network identities to remember what resources they're trying to access at a given time?
So to wrap up, like I said, there is a demonstration project going on down there at the URL on the left, nccoe.gov. If you go there and do a search for zero trust architecture, it will bring up the project description as well as the current members.
Again, this is a private-public partnership, so there are private industry vendors that participate. There's the current list. You'll notice some of them are identity providers and identity governance solution providers, because that is actually the model we're going with. Think of it as we're doing it as a brownfield,
if that's the narrative, if you want to describe it that way, where an enterprise is moving towards a zero trust architecture, and we're following the pattern that we followed in the guide, where the first step is this enhanced identity governance model.
Those are the builds we're gonna be looking at first, and the scenarios we're gonna be looking at first. And then we're gonna drill down deeper into a micro-segmentation and software-defined perimeter model, with the enhanced identity still in place.
The idea is to get further along into a more mature, I guess you could say, zero trust architecture. But again, if you're more interested, you can go to that website. There is a community of interest, which is an email list that you can sign up for, as well as you could follow NIST on Twitter. Announcements are made on both about new publications or activity going on at the National Cybersecurity Center of Excellence. That's where those will be done.
That's how you can learn more about what's going on in our zero trust project. So that's all I have. I'm always interested in questions.
I don't know how we do this virtually, but please, if you have any questions, let me know.
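As an added illustration of the control-plane roles described in the talk (not NIST's code and not part of SP 800-207), the following toy policy decision point has a policy engine decide yay or nay from identity, device, environment and behavioural feeds, including the "five megs a day suddenly becomes 80 gigs" case, and a policy administrator execute that decision toward the PEP. The resource names, roles, network zones, work-hours window, 10x-baseline threshold and subject identity are all constructed assumptions.

```python
"""Toy zero-trust policy decision point: a policy engine (PE) decides, a policy
administrator (PA) executes the decision toward the PEP.  Added example; every
name, zone, threshold and policy entry below is hypothetical/constructed."""
from dataclasses import dataclass, field

@dataclass
class Request:
    subject: str           # network identity, e.g. "alice@example.org"
    roles: frozenset       # roles/attributes asserted by the identity store
    device_patched: bool   # device-health feed: is the endpoint current on patches?
    device_has_cert: bool  # device identity feed, e.g. an IDevID-style certificate
    source_net: str        # network zone the request arrives from
    hour: int              # local hour of the request (0-23), environmental check
    resource: str
    action: str            # per-action granularity: "read" or "write"
    bytes_requested: int   # size of the data transaction

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)

class PolicyEngine:
    """The 'brain': a grant covers one action for this request only; nothing persists."""
    WORK_HOURS = range(7, 20)       # hypothetical: 07:00-19:59 local
    TRUSTED_NETS = {"corp", "vpn"}  # hypothetical network zones
    # hypothetical policy rules: resource -> action -> roles permitted
    POLICY = {"hr-db": {"read": {"hr", "hr-admin"}, "write": {"hr-admin"}}}

    def __init__(self, baseline_bytes_per_day):
        self.baseline = baseline_bytes_per_day  # constructed activity-log baseline
        self.today_bytes = {}                   # running per-subject total today

    def evaluate(self, req):
        problems = []
        permitted = self.POLICY.get(req.resource, {}).get(req.action, set())
        if not (req.roles & permitted):
            problems.append(f"no role permits {req.action} on {req.resource}")
        if not req.device_patched:
            problems.append("device not current on patches")
        if not req.device_has_cert:
            problems.append("device lacks an attested identity")
        if req.source_net not in self.TRUSTED_NETS:
            problems.append(f"untrusted source network {req.source_net}")
        if req.hour not in self.WORK_HOURS:
            problems.append("outside normal work hours")
        # behavioural feed: would this push today's volume far above the baseline?
        projected = self.today_bytes.get(req.subject, 0) + req.bytes_requested
        base = self.baseline.get(req.subject, 0)
        if base and projected > 10 * base:
            problems.append(f"projected volume {projected} exceeds 10x baseline {base}")
        if problems:
            return Decision(False, problems)
        self.today_bytes[req.subject] = projected
        return Decision(True, ["all checks passed; granted for this action only"])

class PolicyAdministrator:
    """The enforcement arm: turns the PE's decision into a PEP instruction."""
    def __init__(self, engine):
        self.engine = engine
        self.open_sessions = set()  # (subject, resource, action) paths the PEP keeps open

    def handle(self, req):
        decision = self.engine.evaluate(req)
        key = (req.subject, req.resource, req.action)
        if decision.allow:
            self.open_sessions.add(key)      # PEP: set up the connection
        else:
            self.open_sessions.discard(key)  # PEP: refuse, or tear an open path down
        return decision
```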