
Zero Trust Architecture Initiative


STATUS: In Progress - On Schedule 
PRIMARY POC: Erwin Lopez

Objectives & Purpose

Imagine that one day you sit down at your computer and find that someone has gained unauthorized access to your research data or personal information in an effort to damage your reputation and SLAC's. This would be deeply unsettling and could have disastrous consequences for you and the lab. There are many real examples of individuals and groups with malicious intent illegally accessing personal and classified data. Recent incidents such as the one described in the joint CISA advisory "Impacket and Exfiltration Tool Used to Steal Sensitive Information", and the many others catalogued in CSIS's Significant Cyber Incidents report, make it clear that more must be done to protect SLAC's data and networks.

In the wake of the SolarWinds, Microsoft Exchange, and Colonial Pipeline incidents, President Biden issued an Executive Order (EO) in May 2021 mandating improvement of the nation's cybersecurity. Earlier this year, the DOE CIO began publishing guidance and compliance deadlines in the form of a Zero Trust Architecture (ZTA) Implementation Order for all national laboratories.

Description

Zero Trust Architecture is a security model that is becoming increasingly common in the modern digital world. It is based on the principle that no user or device is trusted by default: every access to data and systems must be authenticated and authorized, and anything attempting to establish access must be re-verified on a continuing basis rather than once at login.

In addressing "Identity", both the system's identity and the presented user credentials must be verifiably from a trusted source; otherwise the connection or transaction is blocked. Think of it as airport security, where everyone is treated as a potential threat and must pass several checks before being granted access. This is a departure from the security model we currently employ, which assumes a level of trust for anyone on the internal network. As you are well aware, we already require authentication for most of our applications; however, we have traditionally relaxed how strictly we check these conditions once a user is "inside" a campus network. Network-based security continues to play a part in a layered defense, but highly distributed computing increasingly runs in cloud environments where a traditional network perimeter does not extend. ZTA therefore does not principally rely on perimeter boundaries, and instead assumes that no network or system is inherently trusted.
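To make the contrast concrete, the following is an illustrative example added to this page; it is not SLAC's code or policy, and every address range, device name, user, sensitivity level and re-authentication threshold in it is a constructed assumption. It writes the two models as access-decision functions: the legacy perimeter model allows a request simply because its source address is on the campus network, while the zero-trust model checks that the device is known and meets the security baseline, that the user has completed multi-factor authentication, and that the authentication is recent enough for the sensitivity of the data being accessed, regardless of where the request comes from.

```python
"""Perimeter trust versus zero trust, expressed as access-decision functions.
Illustrative example added to this page; not SLAC's code or policy. Every
address range, device, user and threshold below is a constructed assumption."""
import time
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed "campus" ranges that the legacy perimeter model treats as trusted.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
# Continuous verification: maximum age of a successful authentication before
# re-authentication is required, per data sensitivity (assumed values).
MAX_AUTH_AGE_SECONDS: Dict[str, int] = {"public": 8 * 3600, "internal": 4 * 3600, "restricted": 15 * 60}

@dataclass
class Device:
    device_id: str
    managed: bool    # enrolled in centralized endpoint management
    compliant: bool  # meets the security baseline (EDR running, patched, ...)

@dataclass
class Session:
    user: str
    mfa_verified: bool
    authenticated_at: float  # Unix time of the last successful authentication

@dataclass
class Request:
    source_ip: str
    sensitivity: str            # "public" | "internal" | "restricted"
    device: Optional[Device]    # None when no device identity was presented
    session: Optional[Session]  # None when no user credential was presented

@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)

def perimeter_decision(req: Request) -> Decision:
    """Legacy model: anyone already 'inside' the campus network is trusted;
    external callers need only a one-time login."""
    if any(ip_address(req.source_ip) in net for net in INTERNAL_NETS):
        return Decision(True, ["source address inside perimeter"])
    if req.session is not None and req.session.mfa_verified:
        return Decision(True, ["external user authenticated"])
    return Decision(False, ["outside perimeter and not authenticated"])

def zero_trust_decision(req: Request, now: Optional[float] = None) -> Decision:
    """Zero trust: each request is judged on verifiable device identity and
    posture, user identity, and freshness. Network location never counts."""
    now = time.time() if now is None else now
    reasons: List[str] = []
    if req.device is None:
        reasons.append("no verifiable device identity")
    else:
        if not req.device.managed:
            reasons.append(f"device {req.device.device_id} is not managed")
        if not req.device.compliant:
            reasons.append(f"device {req.device.device_id} fails the security baseline")
    if req.session is None:
        reasons.append("no user credential presented")
    elif not req.session.mfa_verified:
        reasons.append(f"user {req.session.user} has not completed MFA")
    else:
        max_age = MAX_AUTH_AGE_SECONDS.get(req.sensitivity)
        if max_age is None:
            reasons.append(f"unknown sensitivity {req.sensitivity!r}; default deny")
        elif now - req.session.authenticated_at > max_age:
            reasons.append(f"authentication older than {max_age}s for {req.sensitivity} data")
    return Decision(not reasons, reasons or ["device and user verified"])

def compare(now: float = 1_700_000_000.0) -> Dict[str, Dict[str, bool]]:
    """Constructed sample requests evaluated under both models."""
    managed = Device("slac-laptop-0042", managed=True, compliant=True)
    unmanaged = Device("personal-laptop", managed=False, compliant=False)
    samples = {
        # On campus, unmanaged device, nobody logged in: the perimeter model waves it through.
        "insider_no_identity": Request("10.20.30.40", "restricted", unmanaged, None),
        # On campus, managed device, MFA an hour ago, restricted data: too stale for zero trust.
        "insider_stale_auth": Request("10.20.30.41", "restricted", managed, Session("alice", True, now - 3600)),
        # Off campus, managed device, MFA a minute ago: allowed by both.
        "remote_fresh_auth": Request("203.0.113.7", "restricted", managed, Session("alice", True, now - 60)),
    }
    return {name: {"perimeter": perimeter_decision(r).allowed,
                   "zero_trust": zero_trust_decision(r, now).allowed}
            for name, r in samples.items()}

if __name__ == "__main__":
    for name, verdict in compare().items():
        print(name, verdict)
```

Two design points carry the zero-trust idea: the source address never appears in `zero_trust_decision` at all, so being "inside" buys nothing, and an unknown sensitivity label is a denial rather than a fall-through, so a misconfigured resource fails closed.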

SLAC has been focusing on improving cyber security and there are multiple projects underway that align with foundational ZTA pillars, as well as work toward addressing the Executive Order. 

  • Identity: Identity and Access Management (IAM) Project and Cardinal Key implementation
  • Devices: Security baseline for government-funded devices, CrowdStrike and multi-factor authentication on computers and servers, centralization of endpoint management
  • Network/Environment: Firewall replacement, AWS Partnership with Stanford, reducing the number of inbound SSH connections to SLAC systems while enhancing the security baseline
  • Application Workloads: AWS Partnership with Stanford
  • Data: Cloud Backup, cloud security assessment

Foundation of Zero Trust

As President Biden stated in his Executive Order 14028, "the United States faces persistent and increasingly sophisticated malicious cyber campaigns", and it is critical to "take decisive steps to modernize <...> the approach to cybersecurity". The Executive Order emphasizes that "the Federal Government must adopt security best practices <and> advance toward Zero Trust Architecture".  

Zero trust adoption will require the engagement and collaboration of SLAC IT and Cyber Security with Science and Mission support communities. Ultimately this is an opportunity for infrastructure and process modernization which, in addition to increased defense against cyber-attacks, leads to an improved user experience. As we continue toward implementing the Zero Trust security model at SLAC, we will keep you informed of our progress and any significant updates on the Zero Trust Architecture Initiative site. We welcome your questions and encourage you to reach out to us.

Timeline

  • May 2021 - President Biden Issues Executive Order 14028
  • March 2022 - DOE Issues Zero-Trust Architecture Implementation Guidelines
  • June 2022 - SLAC Responds to DOE-Mandated ZTA Maturity Assessment
  • July 2022 - SLAC Responds to DOE-Mandated ZTA Implementation Plan
  • 2023 - 2024 - SLAC Implements ZTA-related Initiatives, such as IAM
  • September 2024 - Deadline for ZTA Guidance Compliance

Resources & Links
Executive Order