Program • On Schedule

Zero Trust Architecture Initiative

What is Zero Trust?

Zero Trust is an approach to cybersecurity rooted in the philosophy of “trust no one and nothing.” Securing data is increasingly difficult in evolving business environments. The traditional security model implicitly trusts users and devices once they have gained access to the network. Zero Trust instead trusts no one by default and requires continuous verification of every user, on every device, attempting to access resources on the network. It verifies user identity and privileges as well as device identity and security.

What is Zero Trust Architecture (ZTA)?

Zero Trust Architecture is the framework used to ensure that only authorized individuals, devices, and applications can access an organization's systems and data. ZTA is all of the systems, applications, and protocols used for denying access by default, verifying every identity, validating every device, and intelligently limiting access to every resource.

What are the ZTA requirements?

ZTA requires SLAC to continuously monitor and validate every user and every device. This ensures they have the right privileges and attributes to access SLAC-supported applications and networks. It requires enforcement of a policy that considers the risk of the user and device before permitting any transaction. It requires that SLAC know all of its accounts and establish controls over what they connect to and from where.

Zero Trust adoption requires the engagement and collaboration of SLAC IT and Cyber Security with science and mission support communities. SLAC has multiple projects underway to implement and comply with foundational ZTA pillars.

ZTA Projects

The first step of any Zero Trust effort requires verification of user identity and privileges using strong and adaptable authentication. SLAC is currently engaged in a multi-faceted Identity and Access Management (IAM) program to enable new technologies that support Zero Trust. The IAM program will ultimately result in one identity management system for all of SLAC.

In order to verify device identity and security, SLAC must secure all government-funded equipment, manage the risks of authorized devices that are not agency-controlled, and prevent unauthorized devices from accessing resources. SLAC is currently working on the following device security initiatives:

ZTA permits security controls to be implemented closer to the applications. This allows each application, user, and control to be treated uniquely by the network based on its individual requirements for access, priority, reachability, connections to dependency services, and connection pathways.

Network segmentation isolates assets to minimize the impact of data breaches. These smaller segments restrict unauthorized access to sensitive data and bolster SLAC’s security posture through better control over traffic flows within the network. In short, even if an attacker breaches one segment, they can’t easily move to another.

Per NIST, granular controls over individual application workloads address traditional security control vulnerabilities by minimizing unauthorized access and reducing the chances of lateral movement within the network.

  • AWS Partnership with Stanford

ZTA permits security controls to be implemented closer to the data rather than at the network level. SLAC has carefully curated a Data Governance Board to ensure all security aspects of the data lifecycle are appropriately enforced across the enterprise. The following initiatives address data inventory, categorization, availability, access, and encryption functions.

Why is SLAC doing this?

President Biden issued Executive Order (EO) 14028 in May 2021 mandating improvement of the nation’s cybersecurity. The DOE CIO published guidance and compliance deadlines in a Zero Trust Architecture Implementation Order for all national laboratories.

PRIMARY POC: Erwin Lopez

PROJECT MANAGER: Olga Bykov

Timeline
  • May 2021

    President Biden Issued Executive Order

  • March 2022

    DOE Issued Zero-Trust Architecture Implementation Guidelines

  • June 2022

    SLAC Responded to DOE-Mandated ZTA Maturity Assessment

  • July 2022

    SLAC Responded to DOE-Mandated ZTA Implementation Plan

  • 2023 - 2024

    SLAC Implements ZTA-related Initiatives, such as IAM

  • September 2024

    Deadline for ZTA Guidance Compliance