This challenge can be worked on site or off site, but only a conference-registered individual or team can be a recognized winner. College or university teams that meet the criteria on the event website for the Academic Village can also take on this challenge.
Interest in zero trust grew more than 230% in 2020 over 2019, according to Gartner. On May 12, 2020, President Biden released the Executive Order on Improving the Nation’s Cybersecurity. The Order defines zero trust as the architectural standard for the federal government, calling on the Cybersecurity and Infrastructure Security Agency (CISA) to modernize its current and future cloud computing-based cybersecurity capabilities, programs, and services to support the zero trust architecture.
On January 26, 2022, the Office of Management and Budget (OMB) released a Federal strategy to move the U.S. Government toward a “zero trust” approach to cybersecurity. The strategy represents a key step forward in delivering on President Biden’s Executive Order on Improving the Nation’s Cybersecurity, which focuses on advancing security measures that dramatically reduce the risk of successful cyber-attacks against the Federal Government’s digital infrastructure.
Zero trust is the rage today. Everyone is talking about it, and everyone claims to have an architecture and technology that, if used, allows the implementer to claim that they have accomplished a zero trust implementation.
At MISI’s DreamPort, we house a zero trust test bed based on the National Security Agency’s (NSA) zero trust reference architecture published last year. The Cybersecurity and Infrastructure Security Agency (CISA) has published a zero trust reference architecture, which can be found here.
The Mission Accelerator Team at DreamPort is also adding another data center as part of its Azimuth 24 technology incubator to house another zero trust technology effort. That effort leverages lessons learned, and still being learned, from the NSA zero trust effort and applies them to help accelerate the zero trust elements of the new effort, which is slated for production implementation sometime this year.
But how do you measure the efficacy of a zero trust implementation, that is, the level of risk reduction that can be expected? What constitutes a Platinum (the most resilient), Gold or Silver zero trust implementation?
What framework can be developed as a methodology to test and assess the true level of zero trust resilience in government implementations?
The goal is to use NIST Special Publication 800-27, specifically pages 28-31, which outline a series of threats to zero trust architectures that must be considered. We suggest this as a beginning, but in no way as an exhaustive list of threats to zero trust. We want the participants to think this through and ideate on other threats that should be assessed.
The goal of this challenge is:
To develop an agile methodology that is easy to understand, communicate and implement. The methodology could also lean towards an approach that leverages a series of tools to rapidly conduct the assessment and derive the ranking of zero trust implementations using the Platinum, Gold and Silver constructs, based on the threat assessment and resilience of the assessed zero trust implementation.
The approach and methodology should be repeatable, and the evaluation criteria should be clearly defined. Teams should approach this challenge with the idea of how the solution can be automated and how zero trust assessments can be visualized at a high level.
Traditional cybersecurity assessments of risk and compliance rely on in-person, mostly manual work carried out on some sort of schedule, such as once every 3 years, or upon some cyber incident that requires a new assessment of risk. The adversary does not ply their tradecraft on any routine schedule and utilizes agile and low-cost methods to meet their objectives.
We challenge participants to think about how one could continuously assess the fidelity of an assessed zero trust implementation if possible.
Another challenge is that the government or the nation have one zero trust reference architecture. So, for instance, how would you assess a CISA-based zero trust implementation versus one based on a NIST, NSA, Cisco, or other architecture? Does it require one to boil down the objective of zero trust to its common goals regardless of the reference architecture or technology?
Some of the zero trust goals are to secure data, to reduce lateral movement of adversarial intrusions on networks, and, in the event of data exfiltration, to make it significantly difficult, if not impossible, using today’s or emerging technology, to decrypt the exfiltrated data.
As defined by Forrester and endorsed by the MISI DreamPort Team, the identification of the most valuable network assets, data and systems is an essential first step in the zero trust journey. You cannot protect everything at the same time by investing an equal amount of dollars across all risk vectors. One aspect of the challenge could include a rapid methodology to help the organization prioritize its risks and rank the top information and system assets that need to be secured, those that, if disabled or otherwise compromised by a cyber-attack, would lead to reputational, national security or economic harm.
As each enterprise has a unique set of elements at risk, the methodology should, we believe, account for identifying these risks as part of assessing the strength and resilience of any zero trust implementation.