Latest government tech standards highlight zero trust concepts

Adobe and Zscaler have collaborated to better assist customers dealing with the virtual workforce, with a more modern, mobile, comprehensive solution across cloud and on-premise environments.

Image source: Adobe Stock.

Organizations have made significant progress in heightening their cybersecurity posture over the years — but need to constantly evolve to outpace potential adversaries. We have seen this is especially true during the pandemic, as organizations have shifted completely to virtual modes of work, threats continue to rise, which requires security teams to continuing protecting employees as they work from home while continuing to help shield environments in both public and private sectors.

In my role at Adobe, I speak with Federal CIOs and CISOs on a regular basis and most conversations center around how the integration with cybersecurity initiatives such as Continuous Diagnostics and Monitoring (CDM) Phase 3 & 4 and Trusted Internet Connection (TIC) 3.0, Safeguarding Supply Chain Information, Cybersecurity Maturity Model (CMMC) and FedRAMP reciprocity can help extend security in this new environment. Security leaders in private and public sectors must continue to build a Defense-in-Depth approach, and adopt a security strategy that aligns with and even goes beyond baseline compliance requirements to help protect against emerging threats such as supply chain attacks.

Within these industry standards, we have found that most reference implementing a zero-trust architecture (ZTA) as a best practice to enable a powerful security maturity evolution. If you are in the Federal government, a good place to begin is the CDM and TIC 3.0 programs from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

What does Zero Trust mean for federal frameworks?

Both TIC 3.0 and CDM are underpinned by research from the National Institute of Standards and Technology (NIST), which has recently released NIST SP 800-207. This document provides a framework for incorporating ZTA principles and technologies into your environment.

CDM is in Phase 3 now and will soon enter Phase 4. Phase 3 includes detection capabilities that are intended to assess agency network activity and identify anomalies that may indicate a compromise. Phase 4 intends to provide tools to protect data at rest, in transit, and in use — help prevent loss of data — and manage and mitigate potential data breaches. The Office of Management and Budget (OMB) recommends DHS look at technologies such as Digital Rights Management (DRM). A key tenet of Zero Trust implementation is to be able to persistently control access to assets by dynamically authorizing user permissions at the time of opening. Agencies can use DRM to protect high value assets (documents and content) and as more agencies continue their move to the cloud and new attack vectors emerge, the TIC and CDM guidelines complement each other to provide comprehensive cybersecurity best practices blueprint.

“The traditional networking compass is broken,” declared Sean Connelly, CISA’s TIC Program Manager and Senior Cybersecurity Architect, at MeriTalk’s virtual TIC Talks event. The TIC initiative was originally established among the OMB, DHS CISA, and the General Services Administration (GSA) to maintain federal network security by securing traffic at the physical agency network perimeter through a traditional TIC access point, deployed under the National Cybersecurity Protection System (NCPS) program, for visibility and control. The Department of Defense (DoD) has a similar approach — however, the .gov and .mil information technology landscape has shifted markedly in the decade since the TIC program’s initiation. The use of remote VPNs and backhauling, routing traffic through a limited number of agency-owned or service provider-maintained access points and perimeter security devices, has made the traditional TIC model untenable in today’s multi-cloud, on-premise, and work-from-anywhere environments.

With TIC 3.0, organizations can further advance their networking from a hub-and-spoke architecture — where most local traffic is sent to a central location for security inspection before delivery to its final destination — to a software-defined perimeter architecture that allows for real-time customization based on changing mission and user requirements. Furthermore, organizations can leverage commercial internet circuits to send data, which results in significant operational and cost efficiencies. Tony Summerlin, Senior Strategic Adviser, Federal Communications Commission (FCC) talks about how the FCC secures access to their SaaS applications and open internet, while saving 70 percent by reducing the use of VPN and TIC 2.0.

Under TIC 3.0, organizations can assign dynamic, flexible security “zones” with varying degrees of trust. However, with TIC 3.0 in combination with DRM, organizations may be able to simplify even further. With DRM, organizations can persistently protect information with encryption at the file format level and enforce dynamic authorizations to already-distributed content (such as Adobe PDF or Microsoft Word, Excel, and PowerPoint documents), regardless of their location.

These concepts introduce a solid technical foundation based on standards and provide a baseline for use cases in accordance with OMB Memorandum M-19-26. By leveraging advances in technology, teams can find innovative ways to better secure federal data, networks, and boundaries while providing visibility into agency traffic, particularly for cloud communications. So how do you get started?

An opportunity to modernize security

As the pandemic has caused many organizations to accelerate their digital and cybersecurity transformation, it may be time to decouple network access from application and data access, using comprehensive context-based policies. In the past, you had to be on the local network to get security protections, leaving applications and data wide open. But, by decoupling the three, you can gain better control over each layer regardless of where your users reside. Most organizations’ use cases fall into following the three categories:

• Further Secure the Workforce —Deliver a productive and secured work-from-home or telework experience by securely connecting trusted internal applications and protecting high-value assets (HVA), without requiring a heavy, often slower VPN connection.
• Enhance Protection for Apps and Data — Make it easier to go beyond domain-level “allow/block” permissions to create and enforce granular, context-based policies across popular websites, applications, and content.
• Safeguard Supply Chain Information — Help provide secure access between the user — employee, third-party partner, or contractor — and authorized enterprise applications, content, and data, in support of the Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7012 and CMMC.

Rethinking networking and data security

With an new integrated solution from Adobe and Zscaler, organizations can more easily address these use cases and enhance how they see, protect, and control user traffic to the internet by moving to TIC 3.0 and CDM Phase 4 security controls. The goal: helping to ensure rapid remediation on a global scale. This approach offers organizations global internet access and peering with FedRAMP-authorized applications, while persistently protecting content and documents at the data level (at rest as well as in transit) by using dynamic policies and FIPS-140 Suite B Encryption (AES 256-bit), regardless of cloud, on-premise, or desktop environments such as MS Teams.

Enabling Zero Trust by decoupling network, application, and data access

When you create and apply a policy to a file, the information that the file contains is protected by the confidentiality settings that are specified in the policy. You can specify whether recipients can print, copy & paste, or modify the document on the security policy, such that, when a user opens a document, those controls are either disabled or enabled accordingly. When the policy-protected file is distributed, only the recipients who are authorized by the policy can access the file’s contents in a branch office, at home, or in an airport similar to policies you may have in headquarters.

Independent of access restrictions, protected content and documents have version control. After a document or content is shared with other individuals or organizations, it can be revoked — no matter how many copies were made, distributed, or remotely stored. In addition, organizations can capture extensive audit and log data, which can be sent to 3rd party analytic tools, and keep CDM reporting in place, while storing all agency data on U.S. soil with U.S. citizen-only access.

Adobe commitment

COVID-19 is changing everything about life and work as we know it. Adobe and Zscaler have collaborated on this solution to better assist customers dealing with the virtual workforce by providing a more modern, mobile, comprehensive solution across cloud and on-premise environments. Further enhancing security by decoupling network access from application access and data access policies.

In addition to supporting fully on-premise server deployments, Adobe Experience Manager Content Security Solution (Digital Rights Management (DRM) is authorized at FedRAMP Moderate and DoD SRG IL4, supporting CAC/PIV/PKI/SAML authentication, FIPS-140 Suite B encryption, login.gov, username and password, and a variety of file formats/applications out of the box.

Zscaler Private Access is the first and only cloud-native zero trust access service to achieve a JAB FedRAMP High authorization, which conforms to TIC 3.0. Zscaler Internet Access has achieved FedRAMP Moderate authorization and “In Process” status at the High Impact level.

Learn more about Adobe Digital Rights Management here.