Background

The Government of Canada (GC) Digital Operations Strategic Plan 2018-2022 outlines the government’s commitment to delivering responsive and innovative IT services with the overarching goals of service, security, value, and agility. The “Secure and Trusted” pillar focuses on safeguarding sensitive government data, ensuring that the systems underpinning digital services are properly designed and secured, and that Canadians accessing online services can trust the government with their personal information. The government must therefore establish a secure and resilient enterprise digital security ecosystem in which government services are delivered safely and securely.

Further, the Government of Canada Digital Standards form the foundation of the government’s shift to becoming more agile, open, and user-focused. Users increasingly want to have access to information and services from wherever they are, using whatever platform they choose. As service enablers, GC Information Technology (IT), including security, has an increasing duty to be responsive and provide solutions that meet changing expectations. Adopting a balanced approach that considers user needs, supported by a pragmatic security approach, will result in a more secure environment. This approach will enable the GC to meet its Digital Government vision of delivering “programs and services to people and businesses in simple, modern and effective ways that are optimized for digital and available anytime, anywhere and from any device.

The concept of “zero trust” is an approach that is driven in response to the aforementioned factors including a mobile workforce and mobile devices, adoption of cloud-based services, insider threats and breaches in network perimeter security. The purpose of this discussion paper is to introduce the zero trust security model and how it might play a role in improving the GC’s security posture as its IT service delivery continues to evolve.

What is Zero Trust?

One of the first published works where the notion of “de-perimeterisation” was introduced dates back to 2003/2004 and is based on work produced from the Jericho Forum. More recently, the Defense Innovation Board, a US Federal Advisory Committee, published The Road to Zero Trust (Security) which examines zero trust in the context of the US Department of Defense (DoD). In addition, the US National Institute of Standards and Technology (NIST) recently published their second draft of the Zero Trust Architecture publication. There are also numerous papers available from industry analysts (e.g., Gartner, Forrester Research) as well as from various cloud service providers which expand on the topic. Perhaps the most relevant report in the context of this concept paper is the Zero Trust Cybersecurity Current Trends published by the American Council for Technology-Industry Advisory Council (ACTIAC). It examines the current state and suitability of zero trust within the context of the US federal government and reflects many of the same challenges facing the GC. While there are numerous sources that describe various aspects of the zero trust security model, the manner and level of granularity in which the concepts are described varies and there is not a common lexicon or model that has been adopted within the industry. Even the terms “zero trust”, “zero trust network” and “zero trust architecture” tend to be used and defined differently. However, the fundamental underlying principles of the zero trust security model are fairly clear and a suitable definition can therefore be derived from these sources.

NIST defines Zero Trust Security as follows: "Zero trust provides a collection of concepts and ideas designed to reduce the uncertainty in enforcing accurate, per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan."

Zero Trust Security Model

Key areas of the Zero Trust Security Model are:

• Assumes the network is compromised and that there is no implicit trust afforded to a user and/or device simply because it is connected to the internal network (i.e., inside the enterprise network perimeter).
• Users and devices, regardless of location relative to the enterprise network, are treated equally – they are untrusted until proven otherwise.
• Places more emphasis on controlling access to corporate resources than controlling access to the corporate network.
• Focuses on the prevention of unauthorized access to resources (data, applications and services) through fine-grained, least privilege access control, at rest and in transit data protection and limiting unauthorized lateral movement using micro-segmentation.

Implementation of zero trust networks is expected to result in a number of paradigm shifts including:

• VPNs for secure remote access will no longer be required.
• Security perimeters will move (or will be added) closer to the resource being protected and therefore:
  • the number of security perimeters will increase; and,
  • the traditional notion of network perimeter security will diminish in importance and, in some cases, become irrelevant
• The user experience will be the same regardless of their location relative to the enterprise network.

Implementation Considerations

Ultimately, the principles and concepts behind the zero trust security model translate to security capabilities. Many of the sources identified in the previous section, as well as others, identify basic tenets or pillars of the zero trust security model, but they offer different perspectives and the number and level of granularity of these concepts varies. After assessing the various perspectives, a hybrid approach was chosen primary based on the zero trust security model pillars identified in the ACT-IAC paper Zero Trust Cybersecurity Current Trends.

This approach adopts security pillars such as:

• Users – identification and authentication, least privilege access, two-factor authentication
• User Devices – user device identification and verification, user device management
• Networks – isolation and protection of network devices and infrastructure
• Resource Protection – protection of assets including data, applications and services
• Continuous Monitoring – ongoing automated security event management and user behaviour analysis; real-time correlation, threat assessment and response

Next Steps

The zero trust security model should not be considered to be a blanket replacement for existing network and security controls currently implemented within the GC. Instead, the principles and recommendations stemming from the zero trust security model should be evaluated and prioritized; and used to augment and improve the GC’s security posture over time. Some next steps include:

• Develop a zero trust security reference architecture;
• Develop a zero trust network vision and strategy for the GC;
• Evaluate the GC’s current state and identify areas that could be improved;
• Identify and assess possible remediation for each area and prioritize activities based on factors such as risk, cost and feasibility;
• Develop implementation guidance; and,
• Pilot and deploy/implement solutions over time using a phased, incremental approach

References

• Zero Trust Discussion Paper
• ACT-IAC - Zero Trust Cybersecurity Current Trends
• NIST - Zero Trust Security Architecture