Inspired by Bill Travitz’s article in the TribalNet Magazine Spring 2022 Issue
Many have heard of the infrastructure journey that I presided over, on the shoulders of incredibly talented people, at the Eastern Band of Cherokee Indians (EBCI). My previous role was the Director of Information Technology for Tribal Government, and in late June of 2022, I became the Director of Tribal Business for Arctic IT. Here, I am tasked with evangelizing for cloud migration, modern workplace and, underlying all of that, zero trust. I’m passionate about the concept and its implementation in the Tribal sector.
Tribal governments, for the most part, have historically been late adopters of cloud technologies, with data sovereignty being the driving factor. My sense of it is this – it is shifting. I believe tribes are more secure, protected, and resilient in the cloud. This is based upon my firsthand experience. Further, I can cite legal precedent, set at the EBCI, as evidence of the security of cloud technology. More on that later.
What is Zero Trust Architecture?
You’re likely familiar with the term “zero trust” in the modern cybersecurity lexicon. What is it, and how do you get there? The latter is particularly challenging in a world where existing systems must remain available online. Services need to continue to be available for constituents and customers. For those who are deep into cybersecurity, please excuse the high-level “fluffiness” to ensue. My focus for this article is on building awareness.
Zero Trust Architecture (ZTA) is a set of principles, a roadmap. It frames security as something other than perimeter defense and device security, which are artifacts of the client-server revolution that has dominated much of IT history since the 1980s. ZTA is identity-centric. The principle of assumed breach, zero east-west trust, identity-centric authentication, micro-segmented applications and the movement of data (how much, where and what kind) are the way to conceptually visualize security in the modern landscape. The National Institute of Standards and Technology (NIST) has a publication that sums it up nicely. That document can be found here: Zero Trust Architecture (nist.gov).
These principles can be implemented in different ways, over many different platforms. This spans cloud architectures, on premises, and hybrid environments. The pace of your journey to ZTA will vary depending upon the complexity of your operation, and to a large degree, the number and scope of legacy applications that you must support. In full disclosure, my perspective will come from implementing this across the Microsoft Azure platform.
Implementing ZTA for a tribal government
As I mentioned above, prior to my arrival at Arctic IT, I was the IT Director at the Eastern Band of Cherokee Indians. During my tenure there, the Tribe was the victim of a ransomware attack on December 7, 2019. We were completely incapacitated as a result. Fortunately for us, we were Microsoft 365 Enterprise E5 license holders at the time. We were using a small fraction of the available capabilities then. Exchange Online email was the major component and was among the only systems still standing in the aftermath. The point of this is that there is nothing quite like a blank page to begin your ZTA journey. The EBCI has fully embraced the cloud and, to a team member, would never go back to on-prem. They are approaching three years into the journey. The benefits are numerous.
With 20/20 hindsight in full effect, many of the legacy “perimeter defense” concepts employed at the EBCI were aggravating factors in the scope and speed of the attack. Not the least of these were complete east-west trust between servers and endpoints, persistent administrative accounts, stale passwords, and lack of multifactor authentication (MFA), and the list goes on.
How do you get to Zero Trust?
First, you must fully embrace a “trust no one” mindset. That includes external and internal threat actors. You must assume that you are already compromised (remember, the principle of assumed breach). When you move there mentally, it’s a paradigm shift. You move from, ‘How do I keep people out,’ to ‘What happens to my data when they do gain access.’ Further, you’ll be focusing on limiting the spread of the damage.
Stated simply, you must move from a device-centric to an identity-centric architecture. The analogy I like to use is that of a castle with a moat and tall walls. Great perimeter defense. I’ll lower the drawbridge and let you in. This encapsulates most modern threat vectors. Most are unintentional. Once inside, everyone moves freely about. What happens when the threat is within?
ZTA moves us to a place where once inside the castle, your whereabouts and what you touch and the relative value of that object are tracked in detail. Further, when you pick up that object, preventative measures can be applied. It’s like having a guard next to the object willing to take it away from you if you try to move it without proper authorization. A dramatic oversimplification, I grant you, yet it does illustrate the point.
In the Microsoft Azure world, ZTA is implemented by moving to a zero east-west trust architecture. No traditional AD Domain joins are allowed. The identity of the user controls all security and movement through the network. Further, all endpoints (devices) must be deemed compliant with the security model before being allowed to attach. The criticality of an endpoint management system cannot be overstated. It ensures that only authorized applications are allowed on devices and that they must be fully up-to-date to be given access.
Implementing Zero Persistent Admin (ZPA) using Azure Privileged Identity Management (PIM) is another major step forward. Just-in-time elevation is enforced through an approval matrix. There are no “service accounts” to be potentially compromised.
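The access rules described in the two paragraphs above (identity verified with MFA, a compliant device, and time-boxed approved elevation instead of standing admin rights) can be modelled as a small deny-by-default decision function. This is an added conceptual example, not Azure's or Arctic IT's code; the record shapes, role names, users and the no-self-approval rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Tuple

@dataclass
class Elevation:              # one just-in-time grant (hypothetical record)
    role: str
    approved_by: str
    expires_at: datetime

@dataclass
class AccessRequest:          # hypothetical request shape
    user: str
    mfa_passed: bool
    device_compliant: bool
    required_role: str = ""   # empty: no privileged role needed
    elevations: List[Elevation] = field(default_factory=list)

def decide(req: AccessRequest, now: datetime) -> Tuple[bool, str]:
    """Deny by default. Network location is never consulted."""
    if not req.mfa_passed:
        return False, "identity not verified with MFA"
    if not req.device_compliant:
        return False, "device not compliant"
    if not req.required_role:
        return True, "standard access"
    for e in req.elevations:
        # Assumption: an approver may not approve their own elevation.
        if (e.role == req.required_role
                and e.approved_by and e.approved_by != req.user
                and e.expires_at > now):
            return True, "just-in-time elevation active"
    return False, "no approved, unexpired elevation"

# Constructed sample data (not from the original article)
NOW = datetime(2022, 7, 1, 12, 0, tzinfo=timezone.utc)
LIVE = Elevation("server-admin", "manager1", datetime(2022, 7, 1, 13, 0, tzinfo=timezone.utc))
STALE = Elevation("server-admin", "manager1", datetime(2022, 7, 1, 11, 0, tzinfo=timezone.utc))
SELF = Elevation("server-admin", "alice", datetime(2022, 7, 1, 13, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for label, grants in [("live", [LIVE]), ("stale", [STALE]), ("self", [SELF]), ("none", [])]:
        req = AccessRequest("alice", True, True, "server-admin", grants)
        print(label, decide(req, NOW))
```

An expired or self-approved grant is treated the same as no grant at all, which is the practical meaning of having no persistent administrators.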
Finally, ZTA cannot be properly addressed without addressing the concept of data governance, that is, labelling data according to its sensitivity. You can then use AI tools to detect and prevent unauthorized data movement. This comes into effect without a security analyst staring at a pane of glass.
Last words of advice
I’ve only scratched the surface here. Please try to avoid “boiling the ocean.” Be deliberate and go for the low-hanging fruit. You’ll reap the rewards by taking that first step of adopting zero trust. As someone passionate about this subject, I am here to help.
I chose Arctic IT as my employer because I was once a customer. At Arctic IT, we’re about building strong partnerships and giving candid, honest, and expert advice, as well as excellent service. I would not feel good about being here if I didn’t believe that.
My friends, thanks for reading. I look forward to making the Tribal space safer and more effective for you, the Tribal customer. Together, we can take deeper dives into the latest technologies and real-world use cases going forward.
By Bill Travitz, Director Tribal Business at Arctic IT