Zero Trust Architecture Initiative

Imagine that one day you sit down at your computer and find that someone has gained unauthorized access to your valuable research data or personal information in an effort to damage your reputation and SLAC’s! Obviously, this would be very unsettling and could have disastrous consequences for you and the lab. There are many very real examples of such activities by individuals and groups with malicious intent illegally accessing important personal and classified data. Recent examples such as the Impacket and Exfiltration Tool Used to Steal Sensitive Information and multiple others as outlined in CSIS’s Significant Cyber Incident report make it apparent that more must be done to protect SLAC’s data and networks.

What is Zero Trust Architecture?

Zero Trust Architecture is a critical security concept that is becoming increasingly popular in the modern digital world. It is based on the idea that no user or device should be trusted by default and that all access to data and systems should be verified and authenticated. Everything attempting to establish access must be verified on a continuing basis. 

In addressing “Identity” both the system’s identity and the presented user credentials must be verifiably known as being from a trusted source, otherwise, connections and transactions are blocked. Think of it as an airport security system, where everyone is treated as a potential threat and must pass multiple levels of authentication before being granted access. This is a departure from the current security model we employ which assumes a level of trust for anyone on the internal network. As you know, we already employ authentication for most of our applications, however, we’ve traditionally reduced how strictly we check these conditions once we get “inside” a campus network. While network-based security continues to assist in layered security, highly distributed computing increasingly exists in cloud computing locations where traditional network-based security does not extend.  ZTA does not principally rely on perimeter security boundaries, and instead assumes no network or system is inherently trusted.

SLAC has been focusing on improving cyber security and there are multiple projects underway that align with foundational ZTA pillars, as well as work toward addressing the Executive Order. 

• Identity: Identity and Access Management (IAM) Project and Cardinal Key implementation
• Devices: Security baseline for the government-funded devices, Endpoint Detection and Response initiative, multi-factor authentication on computers and servers, Centralization of endpoint management
• Network/Environment: Firewall replacement, AWS Partnership with Stanford, reducing the amount of inbound SSH connections to SLAC systems while enhancing the security baseline
• Application Workloads: AWS Partnership with Stanford
• Data: Cloud Backup, cloud security assessment

As President Biden stated in his Executive Order 14028, "the United States faces persistent and increasingly sophisticated malicious cyber campaigns", and it is critical to "take decisive steps to modernize <...> the approach to cybersecurity". The Executive Order emphasizes that "the Federal Government must adopt security best practices <and> advance toward Zero Trust Architecture".  

Zero trust adoption will require the engagement and collaboration of SLAC IT and Cyber Security with Science and Mission support communities. Ultimately this is an opportunity for infrastructure and process modernization which, in addition to increased defense against cyber-attacks, leads to an improved user experience. As we continue to implement the Zero Trust security model at SLAC, we will keep you informed of our progress and any significant updates. We welcome your questions and encourage you to reach out to us.

PRIMARY POC: Erwin Lopez

PROJECT MANAGER: Olga Bykov