In light of three of the nation’s most dangerous cyber-attacks, many organizations are rethinking their approach to cybersecurity. These attacks include malicious code hosted on a contractor’s website that attempted to poison the water supply in a Florida water treatment plant. A compromised password launched the Colonial Pipeline attack, causing a major fuel shortage in the Eastern United States. An error in a network server configuration change opened the door to malicious code stealing source code and users’ financial data from the streaming service Twitch.tv.

These attacks can disrupt the delivery of essential services the public relies on. At the Department of Veterans Affairs (VA), similar attacks could harm the vital care and benefits our nation’s Veterans receive. Millions of Veterans depend on VA for access to healthcare, benefits, and memorial services and expect their interactions to be reliable, secure, and private.

To stay ahead of persistent and ever-changing cyber threats, VA is implementing a Zero Trust Architecture, which will enhance the way we protect VA systems, networks, and data. Zero Trust is the first line of defense to keep pace with today’s dynamic, relentless, and increasingly sophisticated cyber threat environment, because regardless of user, device, or location, with Zero Trust, every action is constantly re-authenticated and authorized.

What is a Zero Trust Architecture?

Traditional security strategies assume that a secure network “trusts” users it successfully authenticates, typically with a username and password. Zero Trust is the opposite. There is no “trust” given to a user until multiple authentications are complete. In this way, Zero Trust functions as a more modern cybersecurity strategy and framework by embedding security measures throughout the IT architecture rather than at a single point. As a result, Zero Trust better prevents, detects, and responds to attempted data breaches. Implementing a Zero Trust Architecture supports an evolving set of robust security standards and practices that changes VA’s cyber defenses from static, network-based secure perimeters to dynamic, multifaceted protections based on users, devices, networks, data, and applications.

What is a Secure Perimeter?

A secure perimeter is the boundary that must be crossed to access IT systems, networks, and data. Imagine VA’s network as a castle. Most invaders can’t cross our moat (VA’s security defenses) to enter the castle. “Trusted users” are people or products (end-users or devices) who can enter once we confirm they won’t attack the castle (VA’s network). Zero Trust assumes all who enter VA’s “castle” are potential threats, so the architecture must:

  • Assume that the network is always in danger
  • Accept that threats are always present
  • Know that a network’s locality is not enough to trust the network
  • Authenticate and authorize every device, user, and network flow
  • Implement dynamic policies calculated from as many data sources as possible

VA’s Approach

Our mission is to secure VA’s networks, systems, and data while allowing legitimate access to authorized users. Our approach does not grant implicit trust to any user or device based on a single successful login to our system. Our strategy assumes VA’s vast network is under constant attack, and we protect it using defenses that ensure invaders do not succeed.

Our Zero Trust core principles are:

  • Never trust; always verify: Every time a user, device, or application attempts a new connection, it is rigorously re-authenticated and authorized. We do not automatically trust connections from inside our network.
  • Enforce least privileged access: We limit users’ access to only those applications and data they need to accomplish their role within the VA. For example, that means Veterans Benefits Administration accounting staff can only access patient data from a VA medical center if their job requires it.
  • Assume breaches: VA’s Zero Trust framework assumes any network access could be the first sign of a security breach. This premise allows our security teams to plan for worst-case scenarios to build robust security guidelines and incident response plans. So, when attacks do occur, our responses are rapid and well-practiced.
  • Enforce strong multifactor authentication: Requiring two or more factors for identity authentication helps keep accounts secure. Based on their role, VA staff log in at minimum with a Personal Identity Verification card, a token, and a PIN. VA then continuously monitors and validates that users belong in the network.

Why Zero Trust

VA’s Digital Transformation efforts are introducing new technologies that benefit users but that also create new pathways for intruders to attempt attacks against our systems and data. The President’s executive order (EO 14028) was a catalyst for VA to adopt Zero Trust Architecture as a strategic driver for modernizing cybersecurity across all federal agencies. Our new vision for Security Excellence dovetails seamlessly with the executive order. Our strategy focuses on compliance and VA’s commitment to modernizing our security posture by following these principles in existing and emerging capabilities.

Zero Trust Benefits Everyone

Adopting a Zero Trust Architecture is not a simple on-or-off switch. It requires shifting organizational security mindsets toward security principles applied to a modern IT infrastructure. Though there is much to be done, we’ve made progress in implementing a Zero Trust Architecture, which is guiding our modernization and cybersecurity efforts. These efforts include enforcing strong multifactor authentication for all users and delivering web applications with strong authentication hardened against phishing attacks.

Zero Trust is at the heart of VA’s cybersecurity strategy and helps ensure we protect our critical assets, especially Veterans’ data, to avoid any incident that could break our sacred promise to Veterans. We are modifying our applications and services to be Zero Trust enabled, training our workforce to think about cybersecurity first, and updating our infrastructure to support leading-edge security and protections. Ultimately, Zero Trust adds enhanced security to our outreach and services, allowing Veterans safe access to the care, benefits, and services they’ve earned. We strive to make VA a leading example in government of this security initiative in our mission to protect and deliver IT products and services that honor the faith and trust VA staff, our Veterans, their families, and their caregivers have in the VA.
