Symposium charts progress to zero-trust cybersecurity
From April 4 to 5, more than 1300 cybersecurity experts and practitioners gathered virtually for the inaugural Zero Trust Symposium. The event was sponsored and co-hosted by MIT Lincoln Laboratory, the Defense Acquisition University (DAU), and the Department of Defense (DoD) Zero Trust Portfolio Management Office.
In recent years, the concept of a zero-trust framework has gained considerable footing in the cybersecurity world. As the name implies, zero trust means never implicitly trusting a device or user, even if they are already inside of an organization's network. In this framework, a user and their device are continuously monitored and only granted privileges to access applications and data essential to their job.
"Zero trust is an improvement over prior cybersecurity paradigms. Prior models were flawed because they assumed that cyber threats could be kept out of systems and did not holistically apply important security principles understood for over 40 years," said Jeff Gottschalk, a leader of zero-trust research at Lincoln Laboratory, during his opening keynote.
Indeed, zero-trust concepts are a departure from traditional network security, which for years has treated a network like a "castle and moat" — once inside the moat, users are often allowed wide-reaching access. The approach put organizations at risk from malicious insiders or accounts that had their credentials hacked.
This type of vulnerability has opened the door to many high-profile data breaches in recent years, including the 2015 Office of Personnel Management breach in which attackers stole 22.1 million government personnel records.
As a response to the increasing number of breaches, in May 2021 the Biden administration issued an executive order mandating U.S. federal agencies to implement zero-trust security. Since then, the DoD has published guidance, held trainings, and set a strategy to have a zero-trust model enacted across the department by 2027. Their strategy identifies seven pillars to support zero trust, each broken down further into specific capabilities.
Several leaders in the DoD Zero Trust Portfolio Management Office (ZT PfMO), which formed last year, shared their insights into the process during the symposium.
"Our role is to share lessons learned and enable zero trust for others," said Colonel Gary Kipe, who is the deputy director of the ZT PfMO. "We all use the same internet, and even within a DoD framework, much of it's the same data. My goal is to help all of us understand what the DoD is doing for the purpose of making all of us better, to include industry engagement and training."
In his talk, Kipe talked about how there is no one-size-fits-all approach to zero trust — despite what vendors may pitch. "Zero trust is not something you buy, no matter how shiny or robust; we are moving away from the old framework of building things to protect us and applying a better strategy of wisdom and an integrated approach of not trusting users or devices just because they are on our network. This implies a huge cultural shift, and that can’t be overstated."
This cultural shift was emphasized by Tim Denman, who serves as the DAU Cybersecurity Learning Director and just finished a rotational assignment with the ZT PfMO, where he developed a zero-trust training plan for the next several years. "We have a really good strategy, but if we don't address the culture, then culture is going to eat that strategy," said Denman, who co-organized the symposium as one way to help progress cultural adoption of zero-trust principles. Denman brought symposium attendees through an overview of his training program, which comprises three levels and is aimed to reach all 4.8 million members of the DoD.
The Honorable John Sherman, the DoD Chief Information Officer, backed up the importance of this change. "This is a cultural change and needs to be a leadership priority," Sherman said. "We can't operate the way we have and expect to defend the way we have in today's environment. We realize that our systems everyday are being attacked, and data is being attempted to be traded; we have ransomware and bad actors. That’s the 'why' of zero trust. It's not a new concept, but it's a new practice for us and we are serious about it."
As federal agencies pursue zero-trust strategies, Lincoln Laboratory has been studying real-world implementations and consulting with the government. Karen Uttecht, technical staff in the Laboratory's Cyber Operations and Analysis Technology Group, presented findings from their studies.
"We've learned that zero trust can't be implemented overnight, but we can leverage a lot of the existing infrastructure; it doesn’t all have to be brand new. Also, consider how you can make incremental improvements to reduce your risk sooner," Uttecht said. She discussed zero-trust successes from Netflix and a small federal government organization. Some aspects of Netflix's strategies were to deprivilege users, periodically revoke privileges to force renewal requests, and use the cloud to mitigate security risks and costs. The small government organization, with a limited budget, met many of their goals through policy shifts, such as not allowing personal web access on the business internet, in addition to technology changes.
John Kindervag, who first coined the term "zero trust" when he created this model in 2010, spoke to attendees about how zero trust is the "world's only cybersecurity strategy" and is key to winning the cyber war. "We are all fighting the same set of adversaries, and that's because we are all directly connected to the internet."
He also clarified the basic concepts of zero trust. "I am not saying people are untrustworthy; I am saying people are not packets. The idea that John is on the network — I'm not; I'm in my house and I haven’t shrunken down into a subatomic particle. Let's not conflate the idea of human beings and packets,” he said.
By the end of the two-day symposium, attendees heard from more than 40 presenters, including four discussion panels, representing the DoD, industry, federally funded research and development centers, and universities.
According to Randy Resnick, who serves as the director of the ZT PfMO, the event represented "a strong step towards acceptance of a new cybersecurity paradigm."
The Zero Trust Symposium presentations are available for viewing on the DAU media page.
Inquiries: contact Kylie Foy.