
Path to Zero Trust

In today's dynamic digital environment, government agencies face increasingly sophisticated cyber threats. Traditional perimeter-based security models are no longer adequate to protect sensitive data and mission-critical systems. Zero Trust offers a robust, modern alternative, built on the core principle of "never trust, always verify." This article provides a practical, actionable guide to implementing Zero Trust, focusing on key areas and highlighting solutions from our trusted partners: Cisco, HPE, Red Hat, IBM, and Splunk. We will explore each critical realm – User, Device, Application & Workloads, Data, and Network – providing a roadmap for government agencies to strengthen their security posture.

 

 

The User Realm: Establishing Identity as the Foundation

The User realm forms the bedrock of Zero Trust. It centers around verifying the identity of every user attempting to access resources, regardless of location or device. A comprehensive approach involves several key initiatives:

 

User Inventory

A complete, up-to-date user inventory (employees, contractors, guests, etc.) integrated with your Identity and Access Management (IAM) system is crucial. 

A comprehensive user inventory is absolutely fundamental to Zero Trust. It's the "who" in "verify every user and device." You can't secure what you don't know exists. A good user inventory should include:

  • All Users: Employees, contractors, guests, service accounts, etc.
  • User Attributes: Name, department, role, access privileges, device associations, etc.
  • Lifecycle Management: Processes for onboarding, offboarding, and changes in user status.
  • Integration with Identity Systems: Connecting to existing directories (Active Directory, LDAP, cloud identity providers).

IBM:
  • IBM Security Verify: Verify is IBM's core IAM solution and is crucial for user inventory. It connects to various identity sources, provides user lifecycle management, and allows for detailed user attribute management. It acts as a central repository for user information.
  • Other IBM Tools: IBM's data governance tools can also play a role in ensuring the accuracy and completeness of user data.

Red Hat:

  • Red Hat Identity Management (IdM): Less widely known than Red Hat's other products, IdM (the supported build of the FreeIPA project, included with RHEL) is a centralized identity management solution that can serve as the authoritative user inventory for Linux estates, with its own directory, Kerberos realm, and host-based access control.
  • Integration with Directory Services: Red Hat Enterprise Linux (RHEL) systems can be integrated with existing directory services (like Active Directory) to pull user information. Ansible can be used to automate user provisioning and management.

Cisco:

  • Cisco ISE (Identity Services Engine): ISE is a key component for user visibility. It can gather information about users and their devices as they connect to the network. This data can be used to build and maintain a user inventory.
  • Cisco Duo: Duo's multi-factor authentication (MFA) often integrates with existing user directories, providing another source of user information.

HPE:

  • HPE Aruba ClearPass: Similar to Cisco ISE, ClearPass provides network access control and can collect user information as users connect to the network. This data can be used for user inventory purposes.
  • Integration Capabilities: HPE solutions can typically integrate with existing directory services for user data.

 

Key Considerations for User Inventory:

  • Centralization: Aim for a single, unified view of all users.
  • Automation: Automate user provisioning, deprovisioning, and updates to reduce errors and improve efficiency.
  • Data Quality: Ensure the user data is accurate and up-to-date.
  • Integration: Connect the user inventory to other security tools (SIEM, SOAR, etc.) to enable automated responses and improve threat detection.

 

Conditional User Access

Implement policies granting access based on factors like user role, location, device, and data sensitivity.

Conditional user access, also known as context-aware access or adaptive access, is a crucial aspect of Zero Trust. It goes beyond simple authentication and authorization by evaluating various factors before granting or denying access to resources. This dynamic approach strengthens security by considering the context of the access request. Key elements of conditional access include:

  • User Identity: Verifying who the user is (using MFA, for example).
  • Device Posture: Checking if the device is compliant (patched, antivirus running, etc.).
  • Location: Considering the user's location (e.g., allowing access only from trusted networks).
  • Time of Day: Restricting access outside of business hours.
  • Application/Data Sensitivity: Applying different access policies based on the sensitivity of the resource being accessed.
  • Risk Assessment: Evaluating the overall risk of the access request based on various factors.
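The factors above only become a control once something evaluates them together and produces a decision that can be audited. The following policy engine is an added example, not code from this page or from IBM, Red Hat, Cisco or HPE; the request fields, the role name "restricted-data", the business hours, and the 0-100 risk scale (as a UEBA or SIEM might supply) are assumptions for illustration. It also shows how device posture from the Device realm feeds the same decision.

```python
"""Conditional access decision engine (added example; request fields,
thresholds, business hours and the 0-100 risk scale are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum
from typing import List, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up-mfa"   # require a stronger factor before access
    DENY = "deny"


@dataclass
class DevicePosture:
    managed: bool          # enrolled in MDM/UEM
    patched: bool          # within the patch SLA
    edr_running: bool      # EDR agent present and reporting
    disk_encrypted: bool


@dataclass
class AccessRequest:
    user: str
    roles: Set[str]
    mfa_method: Optional[str]   # "fido2", "piv", "totp", "push", or None
    device: DevicePosture
    source_ip_trusted: bool     # e.g. agency network or a known egress
    when: datetime
    resource_sensitivity: str   # "public" | "internal" | "restricted"
    risk_score: int             # 0-100, assumed to come from a UEBA/SIEM


BUSINESS_START, BUSINESS_END = time(7), time(19)   # assumed local hours
PHISHING_RESISTANT = {"fido2", "piv"}


def posture_ok(d: DevicePosture) -> bool:
    return d.managed and d.patched and d.edr_running and d.disk_encrypted


def evaluate(req: AccessRequest) -> Tuple[Decision, List[str]]:
    """Return the decision and the reasons behind it, so every outcome is auditable.

    Evaluation order: hard denies first, then context that demands a
    step-up, then a baseline check. Nothing is allowed merely because the
    request arrives from "inside the network".
    """
    reasons: List[str] = []

    # 1. Hard denies: no amount of MFA overrides these.
    if req.risk_score >= 80:
        return Decision.DENY, [f"risk score {req.risk_score} >= 80"]
    if req.resource_sensitivity == "restricted":
        if "restricted-data" not in req.roles:
            return Decision.DENY, ["role lacks restricted-data entitlement"]
        if not posture_ok(req.device):
            return Decision.DENY, ["restricted resource requires a compliant managed device"]

    # 2. Context that raises the bar to a phishing-resistant factor.
    if req.resource_sensitivity == "restricted":
        reasons.append("restricted resource")
    if not req.source_ip_trusted:
        reasons.append("untrusted network")
    if not BUSINESS_START <= req.when.time() < BUSINESS_END:
        reasons.append("outside business hours")
    if req.risk_score >= 50:
        reasons.append(f"elevated risk score {req.risk_score}")
    if reasons:
        if req.mfa_method in PHISHING_RESISTANT:
            return Decision.ALLOW, reasons + ["phishing-resistant MFA satisfied"]
        return Decision.STEP_UP, reasons

    # 3. Baseline: even low-context access needs some second factor.
    if req.mfa_method is None:
        return Decision.STEP_UP, ["no MFA presented"]
    return Decision.ALLOW, ["baseline policy"]
```

Returning the reasons alongside the verdict matters in practice: it is what lets a SOC analyst, an auditor, or the user's help desk see why a request was challenged or refused, and it is what you feed back into the SIEM to tune the risk thresholds.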

IBM:

  • IBM Security Verify: Verify is central to IBM's conditional access capabilities. It allows you to define policies based on various factors, including user attributes, device posture, location, and risk scores. It integrates with other IBM security tools to provide a comprehensive view of the user and the context of the access request.
  • Integration: IBM solutions often integrate, allowing for more nuanced conditional access. For example, QRadar can provide risk scores that Verify can use in its access policies.

Red Hat:

  • Red Hat Keycloak: Keycloak is an open-source identity and access management solution that can be used for conditional access. It supports various authentication methods and allows you to define access policies based on user roles, groups, and other attributes.
  • Integration with RHEL and Ansible: Red Hat's strength lies in its ecosystem. RHEL provides the secure foundation, and Ansible can automate the enforcement of conditional access policies across the infrastructure.

Cisco:

  • Cisco ISE (Identity Services Engine): ISE is a powerful tool for conditional access. It can gather information about users and devices as they connect to the network and enforce access policies based on this information. It can integrate with other Cisco security products to provide a more holistic view of the access request.
  • Cisco Duo: Duo's MFA capabilities are a key component of conditional access. It can be used to verify the user's identity before granting access.
  • Cisco Umbrella: Umbrella (whose functions Cisco now delivers as part of Cisco Secure Access, its security service edge offering) can enforce conditional access policies for cloud applications and internet access.

HPE:

  • HPE Aruba ClearPass: ClearPass is HPE's network access control solution and plays a crucial role in conditional access. It can assess user and device posture and enforce access policies based on various factors.
  • Integration: Aruba solutions are designed to work together, enabling comprehensive conditional access across the network and other resources.

 

Multi-Factor Authentication (MFA)

MFA adds vital security layers, requiring multiple verification forms (password, smart card, biometric scan). Cisco Duo offers robust MFA solutions.

MFA adds layers of security beyond just a username and password. It requires users to provide multiple forms of authentication, making it significantly harder for attackers to gain access even if they have compromised credentials. Common MFA factors include:

  • Something you know: Password, PIN, security questions.
  • Something you have: Authenticator app, hardware token, smart card.
  • Something you are: Biometrics (fingerprint, facial recognition).

IBM:

  • IBM Security Verify: Verify has robust MFA capabilities, supporting various authentication methods, including time-based one-time passwords (TOTP), push notifications, biometrics, and FIDO2-compliant security keys. It can be integrated with other IBM security tools for a unified MFA experience.
  • Adaptive Authentication: Verify also incorporates risk-based or adaptive MFA, where the system dynamically adjusts the number of factors required based on the context of the login attempt.

Red Hat:

  • Red Hat Keycloak: Keycloak, their open-source IAM solution, supports MFA through various plugins and integrations. It can be configured to use TOTP, security keys, and other authentication methods.
  • Integration: Red Hat's focus is often on integrating with other identity providers and authentication systems to provide MFA capabilities.

Cisco:

  • Cisco Duo: Duo is a dedicated MFA solution that Cisco acquired. It offers a wide range of authentication methods, including push notifications, biometrics, and hardware tokens. Duo is known for its user-friendly experience and strong security.
  • Integration: Duo integrates with a wide variety of applications and services, making it a versatile MFA solution.

HPE:

  • HPE Aruba ClearPass: ClearPass supports MFA as part of its network access control capabilities. It can integrate with various authentication providers to enforce MFA for network access.
  • Integration: HPE solutions can integrate with third-party MFA providers to provide a broader range of authentication options.

Key Considerations for MFA Implementation:

  • User Experience: Balance security with usability. Choose MFA methods that are convenient for users.
  • Coverage: Ensure MFA is applied to all critical systems and applications, including administrative, API, and legacy-protocol access paths, not only the primary web SSO portal.
  • Strong Authentication Methods: Prioritize stronger factors such as FIDO2 security keys, PIV/CAC smart cards, or authenticator apps over SMS-based OTPs, which are exposed to SIM swapping and interception. Plain push approvals are susceptible to push fatigue ("MFA bombing"), so require number matching or another proof that the user initiated the request.
  • Phishing Resistance: Implement MFA methods that are resistant to phishing. FIDO2/WebAuthn keys and PIV/CAC certificates bind the credential to the site's origin, so a proxy phishing page cannot replay them; TOTP codes and push approvals can be relayed in real time by such a proxy.
  • Centralized Management: Use a centralized MFA platform to simplify management and reporting.

 

Privileged Access Management (PAM)

PAM controls and monitors privileged accounts (system administrators, service accounts, break-glass accounts). Dedicated PAM products, such as IBM Security Verify Privilege or third-party vaults like CyberArk integrated with the agency's IAM stack, manage and secure privileged access.

PAM solutions control and monitor access to sensitive systems and data by privileged users (administrators, IT staff, etc.). These accounts have elevated permissions, making them prime targets for attackers. Key aspects of PAM include:

  • Vaulting: Securely storing and managing privileged credentials (passwords, SSH keys, etc.).
  • Session Management: Controlling and monitoring privileged sessions, including recording and auditing.
  • Least Privilege Enforcement: Granting users only the minimum necessary privileges to perform their tasks.
  • Workflow and Approval: Requiring approval for certain privileged actions.
  • Auditing and Reporting: Tracking and reporting on all privileged activity.

IBM:

  • IBM Security Verify Privilege: This is IBM's dedicated PAM solution. It provides credential vaulting, session management, least privilege enforcement, and comprehensive auditing capabilities. It integrates with other IBM security tools for a unified security posture.

Red Hat:

  • No dedicated PAM product: Red Hat doesn't have a standalone PAM solution in the same way as some other vendors. However, their focus is on providing the underlying secure platform (RHEL) and using tools like Ansible for automation and least privilege enforcement. They often integrate with third-party PAM solutions.
  • Ansible Automation Platform: Ansible can be used to automate privileged tasks, reducing the need for direct privileged access and enforcing consistent configurations.

Cisco:

  • Cisco Duo: While not a full-fledged PAM solution, Duo's MFA capabilities are essential for securing privileged access. Adding MFA to privileged accounts significantly reduces the risk of credential compromise. Cisco also has integrations with some PAM vendors.

HPE:

  • HPE GreenLake for Privileged Access Management: HPE offers PAM as a service within their GreenLake portfolio. This provides a cloud-based solution for managing privileged access.
  • Aruba ClearPass: While not a dedicated PAM tool, ClearPass can play a role in securing access to network devices, which are often managed with privileged accounts.

Key Considerations for PAM Implementation:

  • Identify Critical Assets: Determine which systems and data require PAM protection.
  • Credential Vaulting: Securely store and manage all privileged credentials.
  • Session Recording and Auditing: Monitor and record all privileged sessions for auditing and compliance purposes.
  • Least Privilege: Enforce the principle of least privilege by granting users only the necessary permissions.
  • Automation: Automate routine privileged tasks to reduce the need for manual intervention and improve security.
  • Integration: Integrate PAM with other security tools, such as SIEM and SOAR, for enhanced threat detection and response.

Identity Federation & User Credentialing

Federation allows cross-domain resource access with single credentials. IBM Security Verify excels here.

These two concepts are tightly linked and fundamental to how Zero Trust manages identities across different systems and organizations.

  • Identity Federation: Enables users to access resources across multiple domains or organizations using a single set of credentials. This eliminates the need for users to maintain separate accounts for each system, improving user experience and simplifying identity management. It relies on establishing trust relationships between identity providers (IdPs) and service providers (SPs). The common federation protocols are SAML 2.0 and OpenID Connect (OIDC), an identity layer built on OAuth 2.0; OAuth 2.0 on its own handles delegated authorization, not authentication.

  • User Credentialing: The process of creating, managing, and securely storing user credentials (usernames, passwords, certificates, etc.). This includes lifecycle management (provisioning, deprovisioning, password resets) and ensuring the security and integrity of credentials.
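The trust relationship between IdP and SP only holds if the SP verifies every assertion it receives. The following relying-party check for an OpenID Connect ID token is an added example, not code from this page or from IBM Security Verify, Keycloak, Duo, or ClearPass. The issuer URL, client id, nonce and the HS256 shared secret are assumptions; production federations use asymmetric RS256/ES256 keys published in the IdP's JWKS, but the sequence of checks is the same.

```python
"""Relying-party validation of an OpenID Connect ID token (added example;
issuer, audience, nonce and the HS256 key are assumptions)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


class TokenError(Exception):
    """Raised for any reason the token must not be trusted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(claims: Dict, key: bytes) -> str:
    """Simulated IdP: produce an HS256-signed JWT carrying the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, key: bytes, expected_iss: str, expected_aud: str,
                      expected_nonce: str, now: Optional[float] = None, leeway: int = 60) -> Dict:
    """Checks an SP must make, in this order, before trusting any claim."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))

    # 1. Pin the algorithm. Honouring whatever 'alg' the token declares is how
    #    'alg: none' and key-confusion attacks get through.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))

    # 2. Verify the signature (constant-time compare) before reading claims.
    expected_sig = hmac.new(key, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))

    # 3. The token must come from our IdP and be meant for this client.
    if claims.get("iss") != expected_iss:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this client")

    # 4. Time window, with a small leeway for clock skew.
    if claims.get("exp", 0) + leeway < now:
        raise TokenError("token expired")
    if claims.get("iat", now) - leeway > now:
        raise TokenError("token issued in the future")

    # 5. The nonce ties the token to the login request that started this
    #    flow, which blocks replay of a captured token into a fresh session.
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    return claims
```

The audience check is the one most often skipped in home-grown integrations: without it, a token legitimately issued to one application in the federation can be presented to another, and the second application has no way to tell.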

IBM:

  • IBM Security Verify: Verify is a comprehensive IAM solution that supports both identity federation and user credentialing. It can act as both an IdP and an SP, allowing for seamless integration with other systems. Verify provides robust credential management capabilities, including password policies, self-service password reset, and integration with hardware tokens.

Red Hat:

  • Red Hat Keycloak: Keycloak is a strong open-source identity and access management solution that excels in identity federation. It supports various federation protocols (SAML, OAuth, OpenID Connect) and can be used to secure access to applications and services. Keycloak also provides user credentialing features, including password management and integration with external identity providers.

Cisco:

  • Cisco Duo: While Duo is primarily known for MFA, it also plays a role in user credentialing by securely managing and verifying user identities. It can integrate with existing identity providers and supports various authentication methods. Cisco also has integrations with other federation solutions.

HPE:

  • HPE Aruba ClearPass: ClearPass supports identity federation by integrating with various identity providers. It can be used to enforce access policies based on user attributes and group memberships from federated identities. HPE also provides credential management capabilities within its broader security portfolio.

Key Considerations for Identity Federation and User Credentialing:

  • Standards Compliance: Use open standards like SAML 2.0, OAuth 2.0, and OpenID Connect to ensure interoperability between different systems.
  • Security: Protect user credentials with strong encryption and access controls: store passwords only as salted, slow hashes, keep the signing keys for federation tokens in an HSM or equivalent, and screen new passwords against breached-password lists. Following NIST SP 800-63B, do not force periodic password changes; rotate credentials on evidence of compromise instead.
  • Scalability: Choose solutions that can scale to meet the needs of your organization.
  • User Experience: Make it easy for users to access resources across different systems without having to manage multiple accounts. Single sign-on (SSO) is a key benefit of federation.
  • Centralized Management: Use a centralized identity management platform to simplify the management of user identities and credentials.

Behavioral and Contextual ID

Leverage User and Entity Behavior Analytics (UEBA) tools like Splunk's User Behavior Analytics to establish baselines and detect anomalies.

Traditional security often relies on static factors like passwords and IP addresses. Behavioral and contextual ID adds a dynamic layer by analyzing user and entity behavior to identify anomalies and potential threats. This allows for more granular and adaptive access control. Key aspects include:

  • User Behavior Analysis (UBA): Monitoring user activity (login patterns, application usage, data access) to establish a baseline and detect deviations that could indicate a compromise.
  • Entity Behavior Analysis (EBA): Similar to UBA, but applied to entities like devices, applications, or network traffic.
  • Contextual Factors: Considering factors like location, time of day, device posture, and network activity to assess risk.
  • Machine Learning (ML): Using ML to identify patterns and anomalies in behavior.
  • Risk Scoring: Assigning risk scores to users and entities based on their behavior and context.
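The baseline-then-deviation logic is what every UEBA product, Splunk UBA included, implements in some form. The following scorer is an added example, not code from this page or from Splunk, IBM, Cisco, HPE or Red Hat. The login history and the new events are constructed sample data, and the scoring weights, the hour-window rule, and the crude "different country within an hour" travel test are assumptions chosen to keep the logic readable; production systems use far richer features and ML models.

```python
"""Baseline-and-anomaly scoring of login events, the core of UBA/UEBA
(added example; history, weights and rules are constructed assumptions)."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample history: (user, ISO timestamp, country, device id)
HISTORY = [
    ("alice", "2024-03-01T08:05:00", "US", "lt-001"),
    ("alice", "2024-03-04T09:12:00", "US", "lt-001"),
    ("alice", "2024-03-05T08:40:00", "US", "lt-001"),
    ("bob",   "2024-03-01T09:30:00", "US", "lt-002"),
    ("bob",   "2024-03-05T10:15:00", "US", "lt-002"),
]

WEIGHTS = {"new_country": 40, "new_device": 25, "off_hours": 15,
           "impossible_travel": 50, "no_baseline": 30}


def build_baselines(events: List[Tuple[str, str, str, str]]) -> Dict[str, dict]:
    """Per-user profile: countries and devices seen, and the hours logged in."""
    profiles: Dict[str, dict] = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": []})
    for user, ts, country, device in events:
        p = profiles[user]
        p["countries"].add(country)
        p["devices"].add(device)
        p["hours"].append(datetime.fromisoformat(ts).hour)
    return dict(profiles)


def score_event(event, profiles, last_seen) -> Tuple[int, List[str]]:
    """Score one login against its user's baseline; returns (0-100, reasons)."""
    user, ts, country, device = event
    t = datetime.fromisoformat(ts)
    prev = last_seen.get(user)
    last_seen[user] = (t, country)          # sequential state for the travel check
    p = profiles.get(user)
    if p is None:
        return WEIGHTS["no_baseline"], ["no baseline for user"]
    score, reasons = 0, []
    if country not in p["countries"]:
        score += WEIGHTS["new_country"]; reasons.append(f"first login from {country}")
    if device not in p["devices"]:
        score += WEIGHTS["new_device"]; reasons.append(f"unknown device {device}")
    lo, hi = min(p["hours"]) - 1, max(p["hours"]) + 1   # usual hours, with 1h slack
    if not lo <= t.hour <= hi:
        score += WEIGHTS["off_hours"]; reasons.append(f"login at {t.hour:02d}:00 outside usual {lo:02d}-{hi:02d}")
    if prev is not None and prev[1] != country and (t - prev[0]).total_seconds() < 3600:
        score += WEIGHTS["impossible_travel"]; reasons.append(f"{prev[1]} -> {country} within an hour")
    return min(score, 100), reasons


def detect(history, new_events) -> List[dict]:
    """Build baselines from history, then score new_events in time order."""
    profiles = build_baselines(history)
    last_seen: Dict[str, Tuple[datetime, str]] = {}
    for user, ts, country, _ in sorted(history, key=lambda e: e[1]):
        last_seen[user] = (datetime.fromisoformat(ts), country)
    results = []
    for ev in sorted(new_events, key=lambda e: e[1]):
        score, reasons = score_event(ev, profiles, last_seen)
        action = "block" if score >= 70 else "step-up" if score >= 40 else "allow"
        results.append({"user": ev[0], "time": ev[1], "score": score,
                        "action": action, "reasons": reasons})
    return results
```

The output is deliberately a score plus a list of reasons rather than a bare verdict: the score is what an IAM platform such as Verify or ISE consumes for risk-based access decisions, and the reasons are what the analyst needs when the alert lands in Splunk or QRadar.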

IBM:

  • IBM Security Verify: Verify can incorporate risk scores from other IBM security tools (like QRadar) to make risk-based authentication decisions.
  • IBM QRadar: QRadar's SIEM, with its User Behavior Analytics app, provides UBA and EBA, detecting anomalies in user and entity behavior. Note that IBM sold the QRadar SaaS business to Palo Alto Networks in 2024; on-premises QRadar SIEM remains an IBM product, so confirm which edition your agency runs before planning around it.
  • IBM Cloud Pak for Security: This platform can integrate various security tools to provide a holistic view of user behavior and context.

Red Hat:

  • No dedicated solution: Red Hat doesn't have a specific product for behavioral analysis. However, they emphasize integration with third-party security information and event management (SIEM) and security orchestration, automation, and response (SOAR) tools that provide these capabilities.

Cisco:

  • Cisco XDR (successor to Cisco SecureX, which reached end of life in 2024): Cisco's cross-domain detection platform correlates telemetry from endpoints, network, email and identity sources and provides threat intelligence, analytics, and behavioral analysis capabilities.
  • Cisco ISE: ISE can collect and analyze user and device behavior data to make access decisions.
  • Integration: Cisco solutions can integrate with other security tools for more comprehensive behavioral analysis.

HPE:

  • HPE Aruba ClearPass: ClearPass can integrate with third-party security tools to incorporate behavioral and contextual data into access control decisions.
  • SIEM/UEBA: HPE no longer sells its own SIEM (ArcSight was divested to Micro Focus, now OpenText, in 2017), so pair ClearPass with Splunk or another SIEM/UEBA platform for behavioral analysis and feed its verdicts back to ClearPass for enforcement.

Key Considerations for Behavioral and Contextual ID:

  • Data Collection: Gather relevant data from various sources (logs, network traffic, endpoints) to build comprehensive behavioral profiles.
  • Baseline Establishment: Establish normal behavior patterns for users and entities to accurately identify anomalies.
  • Machine Learning: Use ML to improve the accuracy and efficiency of anomaly detection.
  • Risk Scoring: Develop a risk scoring system to prioritize and respond to threats.
  • Integration: Integrate behavioral and contextual data with other security tools, such as IAM and NAC, to enable adaptive access control.

 

Biometrics

Biometric authentication (fingerprint, facial recognition) provides strong verification.

Biometric authentication uses unique biological traits to verify user identity. This can include:

  • Fingerprint scanning: One of the most common and widely adopted methods.
  • Facial recognition: Analyzing facial features for authentication.
  • Iris scanning: Using patterns in the iris of the eye.
  • Voice recognition: Analyzing voice patterns.
  • Behavioral biometrics: Analyzing typing patterns, gait, or other behavioral traits.

IBM:

  • IBM Security Verify: Verify supports various biometric authentication methods, including fingerprint scanning and facial recognition. It can integrate with biometric sensors on devices or use biometric data stored securely in the system.

Red Hat:

  • Limited direct support: Red Hat doesn't have a strong focus on biometrics within its core products. However, they can integrate with third-party biometric authentication solutions through their identity and access management platform, Keycloak.

Cisco:

  • Cisco Duo: Duo supports biometric authentication through its mobile app, allowing users to use fingerprint scanning or facial recognition on their smartphones for MFA.
  • Integration: Cisco can integrate with other biometric solutions for more specialized use cases.

HPE:

  • HPE Aruba ClearPass: ClearPass can integrate with biometric authentication systems to add an extra layer of security to network access control.
  • Device-level biometrics: HPE supports the use of device-level biometrics (like fingerprint readers on laptops) for access control.

Key Considerations for Biometric Authentication:

  • Security: Ensure that biometric data is stored securely and protected from unauthorized access. Prefer designs where the match happens on the user's device and only a cryptographic assertion leaves it (as with FIDO2 authenticators and platform biometrics), so no central template store becomes a target; unlike a password, a compromised biometric cannot be reissued. Where templates must be stored centrally, encryption and strong access controls are essential.
  • Privacy: Address privacy concerns related to the collection and use of biometric data. Be transparent with users about how their data is being used.
  • Accuracy: Biometric systems are not perfect and can have false positives or false negatives. Consider the false acceptance and false rejection rates of different biometric methods.
  • User Experience: Choose biometric methods that are user-friendly and convenient.
  • Accessibility: Consider accessibility needs when implementing biometrics. Some users may have difficulty using certain biometric methods, so always provide an equally strong non-biometric fallback.

Bringing the User Realm Together:

  • Least Privileged Access: Grant users only the minimum necessary access rights.
  • Continuous Authentication: Continuously monitor user activity and re-authenticate as needed.
  • Integrated ICAM Platform: A centralized Identity, Credential, and Access Management (ICAM) platform, potentially built around IBM Security Verify and Verify Governance (the successor to IBM Security Identity Manager), is essential.
 

The Device Realm: Securing the Endpoint

In Zero Trust, every device (laptop, smartphone, IoT sensor) is potentially untrusted. Securing this realm requires comprehensive endpoint visibility and control.

Endpoints (laptops, desktops, mobile devices, IoT devices) are often the weakest link in a security chain. Attackers target endpoints to gain access to the network and sensitive data. Zero Trust requires a strong focus on securing these devices. Key aspects of endpoint security in a Zero Trust context include:

  • Device Posture Assessment: Evaluating the security status of devices (patching, antivirus, firewall status, etc.).
  • Endpoint Detection and Response (EDR): Detecting and responding to threats on endpoints.
  • Vulnerability Management: Identifying and remediating vulnerabilities on endpoints.
  • Data Loss Prevention (DLP): Preventing sensitive data from leaving the organization.
  • Mobile Device Management (MDM): Managing and securing mobile devices.

IBM:

  • IBM Security MaaS360: IBM's MDM solution for managing and securing mobile devices.
  • IBM Security QRadar EDR: Provides endpoint detection and response capabilities.
  • IBM BigFix: Used for endpoint management, patching, and vulnerability remediation.

Red Hat:

  • Red Hat Enterprise Linux (RHEL): RHEL itself provides a secure foundation for endpoints with built-in security features, including SELinux for mandatory access control.
  • Integration with OpenSCAP: Red Hat integrates with OpenSCAP for security compliance and vulnerability scanning.
  • No dedicated EDR/MDM: Red Hat typically integrates with third-party endpoint security solutions.

Cisco:

  • Cisco Secure Endpoint (formerly AMP for Endpoints): Provides endpoint protection, detection, and response capabilities.
  • Cisco Secure Client (formerly AnyConnect): Offers secure remote access and endpoint compliance checking through its ISE posture module.
  • Meraki: Cisco's Meraki platform includes endpoint management features for network devices and other endpoints.

HPE:

  • HPE Aruba ClearPass: Can assess device posture and enforce access policies based on device compliance.
  • HPE Endpoint Management: Provides endpoint management capabilities, including patching and software distribution.
  • No dedicated EDR: HPE often partners with or integrates with third-party EDR solutions.

Key Considerations for Endpoint Security:

  • Visibility and Device Inventory: Gain complete visibility into all endpoints on the network and maintain an accurate inventory, including device type, OS, owner, and installed software. HPE Aruba ClearPass aids device profiling and inventory.
  • Device Detection and Compliance: Automatically detect new devices and verify compliance before granting access. Cisco ISE (Identity Services Engine) plays a vital role.
  • Posture Assessment and Authorization: Regularly assess the security posture of endpoints and grant access based on device posture plus user identity; a non-compliant device should land in a remediation segment, not on the production network.
  • Threat Detection and Response (EDR/XDR): Deploy EDR/XDR such as Cisco Secure Endpoint (formerly AMP for Endpoints) or IBM QRadar EDR on the endpoints themselves, and forward their telemetry to the SIEM (Splunk Enterprise Security) for correlation. Splunk ES is a SIEM, not an EDR, and does not replace an endpoint agent.
  • Automated Asset, Vulnerability, and Patch Management: Keep endpoints patched and up-to-date and automate these processes. Red Hat Ansible Automation Platform, IBM BigFix, and HPE GreenLake offer relevant tooling.
  • Data Protection: Implement DLP to prevent sensitive data from leaving the organization.
  • Unified Endpoint Management (UEM) and Mobile Device Management (MDM): Implement UEM/MDM for enrollment, configuration, and security of mobile and desktop devices.
  • Remote Access: Prefer Zero Trust Network Access (ZTNA), which brokers access per application based on device posture and user identity, over flat VPN access that places a remote device on the internal network; where a VPN remains, gate it with posture checks and MFA.

 

The Application & Workloads Realm: Securing the Software Layer

Securing applications and workloads ensures secure development, deployment, and access.

Applications and workloads are prime targets for attackers. Zero Trust requires a security approach that protects them throughout their lifecycle, whether they're on-premises, in the cloud, or in containers. Key aspects include:

  • Microsegmentation: Isolating applications and workloads from each other to limit the impact of a breach.
  • Application Security Testing (AST): Identifying vulnerabilities in application code.
  • Runtime Application Self-Protection (RASP): Protecting applications from attacks in real-time.
  • Container Security: Securing containerized applications and their environments.
  • API Security: Protecting APIs that connect applications and services.
  • Cloud Workload Protection: Securing workloads running in cloud environments.

IBM:

  • IBM Cloud Pak for Security: This platform provides a suite of tools for application security, including vulnerability scanning, threat detection, and data protection.
  • IBM Guardium: Offers data security and compliance capabilities for applications and databases.
  • AppScan: IBM's application security testing (AST) tool was sold to HCL in 2019 and is now HCL AppScan; IBM customers typically integrate it, or another AST tool, into their build pipelines rather than sourcing it from IBM.

Red Hat:

  • Red Hat OpenShift: This container platform has built-in security features for securing containerized applications and their environments.
  • Red Hat Ansible Automation Platform: Ansible can be used to automate security tasks and enforce security policies for applications.

Cisco:

  • Cisco Secure Workload (formerly Tetration): Provides microsegmentation and workload protection for applications running in data centers and cloud environments.
  • Cisco Cloudlock: Cisco's cloud access security broker (CASB), now delivered through Cisco Umbrella, offers visibility, data loss prevention (DLP), and policy enforcement for SaaS applications. The separately named Cisco Secure Application, built on AppDynamics, adds runtime protection for application code.

HPE:

  • HPE Aruba ClearPass: Can be used to enforce access policies for applications based on user identity and device posture.
  • HPE GreenLake for Cloud Native Security: Provides security services for cloud-native applications and workloads.

Key Considerations for Application and Workload Security:

  • Shift-Left Security: Integrate security into the application development lifecycle (DevSecOps).
  • Microsegmentation: Isolate applications and workloads to limit the impact of a breach.
  • Vulnerability Management: Regularly scan applications for vulnerabilities and remediate them promptly.
  • Runtime Protection: Use RASP to protect applications from attacks in real-time.
  • Cloud Security: Implement appropriate security controls for cloud-native applications and workloads.
  • API Security: Secure APIs to prevent unauthorized access and data breaches.
  • Application Inventory: Maintain a comprehensive inventory of all applications and workloads.
  • Secure Software Development & Integration: Implement DevSecOps practices. Red Hat OpenShift provides a secure platform.
  • Software Risk Management: Assess application risk and prioritize security.
  • Resource Authorization & Integration: Implement fine-grained access control.
  • Continuous Monitoring and Ongoing Authorization: Monitor application activity and update access controls. Red Hat OpenShift and Advanced Cluster Management, along with IBM Cloud Pak for Data, are valuable here.

 

The Data Realm: Protecting the Crown Jewels

Data protection is paramount in Zero Trust.

It's about ensuring that only authorized users and devices can access data, regardless of where it resides (on-premises, in the cloud, or on endpoints). Key aspects of data security in Zero Trust include:

  • Data Discovery and Classification: Identifying and classifying sensitive data to apply appropriate security controls.
  • Access Control: Enforcing granular access control policies based on user roles, attributes, and context.
  • Encryption: Encrypting data at rest, in transit, and in use to protect it from unauthorized access.
  • Data Loss Prevention (DLP): Preventing sensitive data from leaving the organization.
  • Data Masking and Tokenization: Protecting sensitive data by masking or replacing it with tokens.
  • Database Security: Securing databases from unauthorized access and attacks.
  • Cloud Data Security: Protecting data stored in cloud environments.
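Discovery, classification, masking, and DLP are one pipeline: find the sensitive value, label the record, and let the label decide what may leave and in what form. The following scanner is an added example, not code from this page or from Guardium, Cloudlock, or any HPE product. The sample records are constructed; the label names, the "internal"/"external" destinations, and the rule that restricted data is masked internally and blocked externally are assumptions chosen for illustration.

```python
"""Data discovery, classification, masking and a DLP decision over free text
(added example; labels, destinations and sample records are constructed)."""
import re
from typing import Set, Tuple

# US SSN with the structurally invalid areas/groups/serials excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional space/dash separators; confirmed with Luhn below
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

SENSITIVITY = {"ssn": "restricted", "pan": "restricted", "email": "internal"}
RANK = {"public": 0, "internal": 1, "restricted": 2}


def luhn_valid(digits: str) -> bool:
    """Luhn keeps random 16-digit numbers (ticket ids, serials) from being flagged as cards."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def _pan_matches(text: str):
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            yield m


def classify(text: str) -> Set[str]:
    """Discovery step: which kinds of sensitive data does this text contain?"""
    labels = set()
    if SSN_RE.search(text):
        labels.add("ssn")
    if any(True for _ in _pan_matches(text)):
        labels.add("pan")
    if EMAIL_RE.search(text):
        labels.add("email")
    return labels


def sensitivity(text: str) -> str:
    """Classification step: the record takes the highest label it carries."""
    return max((SENSITIVITY[l] for l in classify(text)), key=RANK.get, default="public")


def mask(text: str) -> str:
    """Replace restricted identifiers with last-4 forms so the text stays usable."""
    out = SSN_RE.sub(lambda m: "***-**-" + m.group()[-4:], text)
    # substitute card numbers from the end so earlier offsets stay valid
    for m in reversed(list(_pan_matches(out))):
        digits = re.sub(r"[ -]", "", m.group())
        out = out[:m.start()] + "*" * (len(digits) - 4) + digits[-4:] + out[m.end():]
    return out


def dlp_decision(text: str, destination: str) -> Tuple[str, str]:
    """destination is 'internal' (inside the agency) or 'external' (outbound
    mail, upload). Restricted data never leaves in the clear, and internal
    consumers see it masked unless separately authorised for raw values."""
    level = sensitivity(text)
    if destination == "external" and level == "restricted":
        return "block", ""
    if level == "restricted":
        return "allow-masked", mask(text)
    return "allow", text
```

The Luhn check is the detail that separates a usable DLP rule from one the help desk disables after a week: without it, every 16-digit case number or hardware serial in an e-mail triggers a false block.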

IBM:

  • IBM Guardium: A comprehensive data security platform that provides data discovery, classification, access control, encryption, DLP, and database security capabilities.
  • IBM Cloud Pak for Security: Offers data security tools for cloud environments.
  • IBM Security Verify: Integrates with Guardium to enforce access control policies based on user identity and context.

Red Hat:

  • No dedicated data security product: Red Hat's focus is on providing a secure platform (RHEL) and integrating with third-party data security solutions.
  • Red Hat Ceph Storage: Offers data encryption and access control features for storage environments.

Cisco:

  • Cisco Cloudlock (CASB, now part of Cisco Umbrella): Provides cloud data visibility and DLP for SaaS applications.
  • Cisco Secure Workload (formerly Tetration): Can be used to enforce microsegmentation and access control for data.
  • Cisco Umbrella: Offers secure web gateway and cloud access security broker (CASB) capabilities to protect data in transit.

HPE:

  • HPE SecureData Enterprise: Voltage SecureData, which HPE sold under this name, provides data-centric security, including format-preserving encryption, tokenization, and access control. The Voltage portfolio moved to Micro Focus (now OpenText) in 2017, so confirm the current vendor and support path before building on it.
  • HPE GreenLake for Data Security: Offers data security services for hybrid cloud environments.

Key Considerations for Data Security in Zero Trust:

  • Data-Centric Approach: Focus on securing the data itself, regardless of where it resides.
  • Data Catalog & Risk Alignment: Create a data catalog and align security controls with risk. IBM InfoSphere Information Governance Catalog can be leveraged.
  • Data Discovery and Classification: Identify and classify sensitive data so that the appropriate controls can be applied, using a consistent labeling and tagging scheme.
  • Granular Access Control: Enforce least-privilege access to data based on user roles and context.
  • Encryption & Rights Management: Encrypt data at rest, in transit, and in use, and implement digital rights management (DRM). HPE storage solutions also play a role here.
  • Data Loss Prevention (DLP): Deploy DLP controls to prevent sensitive data from leaving the organization.
  • Data Monitoring and Sensing: Monitor data access and usage. Splunk can be used for SIEM and data analysis.
  • Cloud Data Security: Apply appropriate security controls to data stored in cloud environments.
  • Compliance: Ensure compliance with relevant data privacy regulations (e.g., GDPR, CCPA).
  • DoD Enterprise Data Governance: Adhere to DoD data governance policies where applicable.
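The classification, masking/tokenization and least-privilege items above fit together as one control: label the data first, then decide per requester what form of it they may see. The following is an added example written for this article, not code from IBM, HPE or any other vendor named here. The field labels, the role policy, the sample record and the HMAC key are all constructed placeholders; a real deployment would take labels from the data catalog and the key from a key-management service.

```python
"""Constructed data-centric access control: classify, then render per role.

Added example for this article; it is not code from any of the vendors
named here.  The field labels, role policy, sample record and key are
made-up placeholders.
"""
import hashlib
import hmac
import re
from typing import Dict, Set

# Catalog-driven labels (constructed).  A real deployment would pull these
# from the data catalog rather than a hard-coded map.
FIELD_LABELS: Dict[str, str] = {
    "ssn": "RESTRICTED",
    "email": "CONFIDENTIAL",
    "name": "INTERNAL",
    "office": "PUBLIC",
}

# Content-based discovery for values that land in fields nobody labeled.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Role policy (constructed): labels a role may see in the clear, labels it
# may see only as a token; every other label is masked.
ROLE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "privacy_officer": {"clear": {"PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"},
                        "token": set()},
    "analyst": {"clear": {"PUBLIC", "INTERNAL"},
                "token": {"CONFIDENTIAL", "RESTRICTED"}},
    "guest": {"clear": {"PUBLIC"}, "token": set()},
}

# Placeholder key.  In production the key lives in an HSM or a key service.
TOKEN_KEY = b"placeholder-key-not-for-production"


def classify_value(field: str, value: str) -> str:
    """Label by catalog entry first, then by content; unknown data is never PUBLIC."""
    if field in FIELD_LABELS:
        return FIELD_LABELS[field]
    if SSN_RE.search(value):
        return "RESTRICTED"
    if EMAIL_RE.search(value):
        return "CONFIDENTIAL"
    return "INTERNAL"


def tokenize(value: str) -> str:
    """Deterministic keyed token: equal inputs give equal tokens, so records can
    still be joined and counted, but the token cannot be reversed without the key."""
    digest = hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def mask(value: str) -> str:
    """Masking for display: keep only the last two characters for recognisability."""
    if len(value) <= 2:
        return "*" * len(value)
    return "*" * (len(value) - 2) + value[-2:]


def render_for_role(record: Dict[str, str], role: str) -> Dict[str, str]:
    """Enforce least privilege field by field; an unknown role sees only masked data."""
    policy = ROLE_POLICY.get(role, {"clear": set(), "token": set()})
    rendered: Dict[str, str] = {}
    for field, value in record.items():
        label = classify_value(field, value)
        if label in policy["clear"]:
            rendered[field] = value
        elif label in policy["token"]:
            rendered[field] = tokenize(value)
        else:
            rendered[field] = mask(value)
    return rendered


# Constructed sample record; "notes" is deliberately unlabeled so discovery has to catch it.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.gov",
    "office": "Building 4",
    "notes": "backup contact: bob@example.gov",
}

if __name__ == "__main__":
    for role in list(ROLE_POLICY) + ["contractor-unknown"]:
        print(f"{role}: {render_for_role(SAMPLE_RECORD, role)}")
```

Two design points are worth noting. Content discovery is a fallback, not a substitute for the catalog: the unlabeled "notes" field is caught only because an e-mail address is recognised in it, which is why unknown data defaults to INTERNAL rather than PUBLIC. The token is keyed and deterministic so analysts can still join and count records without the raw value, while the mask is purely for human display and is never meant to be reversible.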


The Network Realm: Microsegmentation and Beyond

The Network realm shifts from perimeter-centric to granular security.

Traditional network security often relies on perimeter-based defenses, which are no longer sufficient in today's distributed and cloud-centric world. Zero Trust requires a more granular approach to network security, focusing on microsegmentation and other techniques to control access and limit the impact of breaches. Key aspects include:

  • Microsegmentation: Dividing the network into smaller, isolated segments to contain breaches and limit lateral movement.
  • Software-Defined Networking (SDN): Using software to control and manage the network, enabling dynamic and automated security policies.
  • Zero Trust Network Access (ZTNA): Providing secure access to applications and resources based on user identity and device posture, regardless of location.
  • Network Traffic Analysis (NTA): Monitoring network traffic for suspicious activity and anomalies.
  • Next-Generation Firewalls (NGFWs): Providing advanced firewall capabilities, including intrusion prevention and application control.

IBM:

  • IBM Security Verify: Integrates with network security solutions to enforce access control policies based on user identity and context.
  • IBM QRadar: Provides network traffic analysis and threat detection capabilities.
  • No dedicated microsegmentation solution: IBM typically relies on partnerships or integrations with other vendors for microsegmentation.

Red Hat:

  • Red Hat OpenShift: Offers SDN capabilities and integrates with network security solutions for microsegmentation in containerized environments.

Cisco:

  • Cisco Secure Workload (formerly Tetration): Provides microsegmentation and workload protection for applications running in data centers and cloud environments.
  • Cisco Secure Network Analytics (formerly Stealthwatch): Offers network traffic analysis and anomaly detection.
  • Cisco SD-Access: Provides a fabric-based SDN solution for automating network segmentation and policy enforcement.

HPE:

  • HPE Aruba ClearPass: Integrates with network security solutions to enforce access control policies based on user identity and device posture.
  • HPE Aruba Fabric Composer: Offers SDN capabilities for automating network provisioning and security policy management.
  • Aruba ESP (Edge Services Platform): Provides a unified platform for managing and securing the network edge, including ZTNA and microsegmentation.

Key Considerations for Network Security in Zero Trust:

  • Data Flow Mapping: Understand how data flows across the network and identify vulnerabilities along those paths.
  • Macro-Segmentation: Divide the network into larger segments (zones) as the first layer of containment.
  • Microsegmentation: Implement microsegmentation for fine-grained control, to limit the impact of breaches and contain lateral movement. Cisco ACI and HPE Aruba solutions are key here.
  • Software-Defined Networking (SDN): Use SDN for centralized network control and to automate security policy management and enforcement.
  • Zero Trust Network Access (ZTNA): Implement ZTNA to provide secure access to applications and resources regardless of user location.
  • Network Traffic Analysis (NTA): Monitor network traffic for suspicious activity and anomalies.
  • Next-Generation Firewalls (NGFWs): Deploy NGFWs for advanced firewall capabilities such as intrusion prevention and application control.
  • Cloud Network Security: Secure cloud network environments with appropriate security controls.
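Macro-segmentation, microsegmentation and data flow mapping are easiest to understand as one allow-list evaluated against observed flows: zones give coarse containment, workload tags give the fine grain, and anything not explicitly permitted is denied. The following is an added example written for this article, not code from Cisco, HPE Aruba or any other vendor named here. The zones, workload tags, allow rules and sample flow records are all constructed; a real deployment would take flows from a collector and tags from the workload inventory.

```python
"""Constructed default-deny segmentation policy evaluated over sample flows.

Added example for this article; it is not code from Cisco, HPE or any
other vendor named here.  Zones, workload tags, rules and flows are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Macro-segmentation: coarse zones defined by address range (constructed).
ZONES = {
    "user-lan": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "app": ip_network("10.30.0.0/24"),
    "db": ip_network("10.40.0.0/24"),
}

# Micro-segmentation: each workload carries a role tag independent of its zone (constructed).
WORKLOAD_TAGS = {
    "10.20.0.5": "web",
    "10.30.0.10": "api",
    "10.30.0.11": "api",
    "10.40.0.20": "payroll-db",
    "10.40.0.21": "hr-db",
}


@dataclass(frozen=True)
class Rule:
    src_tag: str          # "*" matches any source, tagged or not
    dst_tag: str
    dst_port: int
    proto: str = "tcp"


# Allow-list; everything not listed is denied.
ALLOW_RULES: List[Rule] = [
    Rule("*", "web", 443),
    Rule("web", "api", 8443),
    Rule("api", "payroll-db", 5432),
    Rule("api", "hr-db", 5432),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Map an address to its macro-segment, or 'unknown' if it is in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def tag_of(ip: str) -> str:
    """Map an address to its workload tag; unmanaged hosts are 'untagged'."""
    return WORKLOAD_TAGS.get(ip, "untagged")


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ('allow' or 'deny', reason) for one flow under the allow-list."""
    s_tag, d_tag = tag_of(flow.src), tag_of(flow.dst)
    for r in ALLOW_RULES:
        if (r.src_tag in ("*", s_tag) and r.dst_tag == d_tag
                and r.dst_port == flow.dst_port and r.proto == flow.proto):
            return "allow", f"matched {r.src_tag}->{r.dst_tag}:{r.dst_port}/{r.proto}"
    s_zone, d_zone = zone_of(flow.src), zone_of(flow.dst)
    # A denied flow between two workloads in the same server zone is the
    # east-west pattern that microsegmentation exists to stop; label it so.
    if s_zone == d_zone and s_zone != "user-lan":
        kind = f"lateral movement inside {s_zone}"
    else:
        kind = f"cross-zone {s_zone}->{d_zone}"
    return "deny", f"default deny, {kind} ({s_tag}->{d_tag}:{flow.dst_port}/{flow.proto})"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Denied flows with reasons: the review list before moving policy from monitor to enforce."""
    denied = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            denied.append((f, reason))
    return denied


# Constructed sample flows, shaped like an export from a flow collector.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.10.5.5", "10.20.0.5", 443),           # user -> web: allowed
    Flow("10.20.0.5", "10.30.0.10", 8443),         # web -> api: allowed
    Flow("10.30.0.10", "10.40.0.20", 5432),        # api -> payroll-db: allowed
    Flow("10.20.0.5", "10.40.0.20", 5432),         # web straight to db: denied
    Flow("10.30.0.10", "10.30.0.11", 22),          # api host to api host: lateral, denied
    Flow("10.10.5.5", "10.40.0.21", 5432),         # user -> hr-db: denied
    Flow("10.20.0.5", "10.30.0.10", 8443, "udp"),  # wrong protocol: denied
]

if __name__ == "__main__":
    for f, reason in audit(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dst_port}/{f.proto}: {reason}")
```

Run against collected flows in monitor mode first: the audit list is the data flow map the considerations above ask for, and every entry in it is either a missing rule to add or a connection to remove before the policy is switched to enforcement. Note that the same-zone deny between the two api hosts is caught even though both share a zone; that is the difference between macro-segmentation (zones) and microsegmentation (per-workload allow rules).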


Implementing Zero Trust is a journey, not a destination. By systematically addressing each realm and leveraging the powerful solutions offered by our partners – Cisco, HPE, Red Hat, IBM, and Splunk – government agencies can significantly enhance their cybersecurity posture and protect their valuable assets. Zero Trust is not just a technical implementation, but a fundamental shift in security mindset. It requires a commitment to continuous improvement, collaboration between teams, and a focus on understanding and mitigating risk.


Ready to embark on your Zero Trust journey? Message us so we can engage our network of industry subject matter experts to assess your current security posture, develop a tailored Zero Trust implementation plan, and leverage the best-in-class solutions from our partners to achieve your security goals.