Implementing Zero Trust Architecture for FedRAMP Solutions

As Government data and resources are distributed across multiple clouds and on-premises environments, protecting them has become complex, with challenges at every level of the solution. Access from anywhere, at any time, from any device, in support of the organization’s mission, is a must-have in today’s solutions. Data is created, stored, transmitted, and processed across multiple organizational boundaries, themselves distributed across multiple clouds and on-premises environments, to meet the ever-changing mission.

Data and resources can no longer be protected at the perimeter of your boundary, and you cannot simply trust every user, device, application, and service that needs access to your data. A zero-trust architecture (ZTA) approach can enable secure, authorized access to your data, applications, and services, whether they are located in the cloud or on-premises. We have been driven into a hybrid work environment, in which your users and partners need access from anywhere, on any device.

A ZTA approach verifies the context available at access time. This includes both static user information and dynamic information such as geolocation and credentials, the sensitivity of the data and resource, access anomalies, and whether the request is allowed under the associated business rules. If the rules are met, a secure session is created to protect all data transferred to and from the resource. A near-real-time, risk-based assessment, anomaly detection, and rules-based evaluation are performed to establish and maintain the access. A ZTA can also protect organizations from the non-organizational resources that their users and applications may connect to, helping to stop threats originating outside of the organization’s control.
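As an added example (not code from this article, FedRAMP, or InfusionPoints), the Python below sketches a policy decision point that performs the access-time evaluation just described and also illustrates tenets 3, 4 and 6 listed below: static subject attributes (role), dynamic context (MFA, device posture, geolocation, anomaly score) and resource sensitivity are checked against business rules, a per-session grant with a sensitivity-dependent lifetime is issued only if every rule passes, and the session is re-evaluated while it lives. The resource inventory, roles, geofence, thresholds and session lifetimes are constructed assumptions for illustration.

```python
"""Minimal zero-trust policy decision point (PDP) simulation; an added example.

Every rule that fails is recorded so that a denial is auditable, and a grant is
scoped to one subject, one resource and a short lifetime (per-session access).
All resource names, roles, thresholds and TTLs are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import secrets

# Constructed resource inventory: only inventoried resources can be reached.
RESOURCE_SENSITIVITY = {
    "public-docs": "low",
    "case-files": "moderate",
    "pii-db": "high",
}

# Constructed least-privilege map: which roles may touch which resources.
ROLE_PERMISSIONS = {
    "analyst": {"public-docs", "case-files"},
    "dba": {"public-docs", "case-files", "pii-db"},
}

# Session lifetime (seconds) shrinks as resource sensitivity rises.
SESSION_TTL = {"low": 8 * 3600, "moderate": 3600, "high": 900}

ALLOWED_GEOS = {"US"}   # constructed geofence rule
ANOMALY_DENY = 0.8      # risk score at or above which access is refused
ANOMALY_STEP_UP = 0.5   # risk score at or above which the session is shortened


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    role: str
    resource: str
    mfa_verified: bool    # multi-factor authentication completed for this request
    device_managed: bool  # device enrolled in enterprise management
    device_patched: bool  # device meets the patch baseline
    geo: str              # country code derived from the request's network context


@dataclass
class Decision:
    allowed: bool
    reasons: list
    session: Optional[dict]


def evaluate(req: AccessRequest, anomaly_score: float = 0.0, now: int = 0) -> Decision:
    """Evaluate one request against all rules; return an auditable Decision."""
    reasons = []
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource)
    if sensitivity is None:
        reasons.append("resource not in inventory")
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append(f"role {req.role!r} not authorized for {req.resource!r}")
    if not req.mfa_verified:
        reasons.append("multi-factor authentication not verified")
    if req.geo not in ALLOWED_GEOS:
        reasons.append(f"geolocation {req.geo!r} outside allowed set")
    if sensitivity in ("moderate", "high") and not req.device_managed:
        reasons.append("unmanaged device cannot reach moderate/high resources")
    if sensitivity == "high" and not req.device_patched:
        reasons.append("device below patch baseline for high-sensitivity resource")
    if anomaly_score >= ANOMALY_DENY:
        reasons.append(f"anomaly score {anomaly_score} at or above deny threshold")
    if reasons:
        return Decision(False, reasons, None)

    ttl = SESSION_TTL[sensitivity]
    if anomaly_score >= ANOMALY_STEP_UP:
        ttl = min(ttl, 300)  # elevated risk: short session forces early re-evaluation
    session = {
        "id": secrets.token_hex(8),
        "subject": req.subject,
        "resource": req.resource,
        "issued_at": now,
        "ttl": ttl,
    }
    return Decision(True, ["all business rules satisfied"], session)


def session_still_valid(session: dict, now: int, anomaly_score: float) -> bool:
    """Continuous evaluation: a session is revoked on expiry or on a risk spike."""
    expired = now >= session["issued_at"] + session["ttl"]
    return not expired and anomaly_score < ANOMALY_DENY


if __name__ == "__main__":
    ok = evaluate(AccessRequest("alice", "analyst", "case-files", True, True, True, "US"))
    bad = evaluate(AccessRequest("alice", "analyst", "pii-db", False, False, True, "FR"))
    print(ok.allowed, ok.session["ttl"])
    print(bad.allowed, bad.reasons)
```

The design point is that the grant carries its own expiry and is re-checked against the live anomaly score, so a session established under good conditions does not outlive a later change in risk; a real deployment would feed `anomaly_score` from the monitoring pipeline rather than pass it by hand.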

Tenets of Zero Trust

This is where the Federal Risk and Authorization Management Program (FedRAMP) can help. Many FedRAMP Authorized services are designed and operated using ZTA approaches and apply the basic tenets of Zero Trust in their offerings (IaaS, PaaS, SaaS, SOCaaS, etc.). Many FedRAMP Authorized solutions are designed and deployed in adherence to the following basic tenets of zero trust:

  1. All data sources and computing services are considered resources.

    FedRAMP leverages strong boundary guidance and inventory management for solutions to obtain an Authority-to-Operate (ATO).

  2. All communication is secured regardless of network location.

    FedRAMP leverages strong boundary guidance and ensures that all in-boundary and remote communications are protected:

    • Access decisions are enforced at key internal managed interfaces within the system, including publicly accessible system components,
    • Information flow is controlled by business rules and anomaly detection,
    • System partitioning is designed in from the start and enforced by business rules and anomaly detection,
    • Session authenticity and termination are enforced by business rules and anomaly detection,
    • Transport connections are encrypted and integrity-checked using TLS,
    • Communications are monitored to detect prohibited or suspicious activity,
    • External system use is controlled and approved.

  3. Access to individual enterprise resources is granted on a per-session basis.

    FedRAMP leverages strong Access Control and Identity and Access Management guidance for all FedRAMP Solutions.

    • Account management authorizes access to the system based on valid access authorization or intended system usage,
    • Least privilege is enforced by business rules and anomaly detection,
    • Access is enforced by business rules and anomaly detection,
    • Separation of duties ensures that permissions and authorization to access any given resource conform to the principle of separation of duties,
    • Information flow control governs the flow of data within the system and between connected systems.

  4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.

    FedRAMP solutions protect resources by defining what resources they have, who their members are, and what access to resources those members need, using:

    • The NIST Definition of Cloud Computing deployment models to determine the types of security controls:
      • Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers,
      • Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns,
      • Public cloud. The cloud infrastructure is provisioned for open use by the general public,
      • Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures that are bound together by standardized or proprietary technology.
    • Identification and authentication to ensure that subjects are authenticated commensurate with the risk of the transaction,
    • Device identification and authentication, which determines the requirements for identification and authentication of organization-defined device types, including devices that are not owned by the organization,
    • Identity proofing, which calls for accepting externally proofed identities, a fundamental component of managing federated identities across agencies and organizations.

  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.

    FedRAMP solutions collect and consolidate security information and security event data from many sources, correlate and analyze the data to help detect anomalies and recognize potential threats and vulnerabilities, and log the data to adhere to data compliance requirements.

    • All component logs and all activities are collected and organized in a centralized security information and event management (SIEM) tool in accordance with policy and regulations,
    • Security and event information is collected from many components in accordance with policy and regulations,
    • Incident handling and monitoring leverage the data for analysis to understand attack targets and methods and the impact of cybersecurity incidents,
    • Vulnerability monitoring and scanning are performed on all components at all levels.

  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.

    FedRAMP solutions manage access to resources by performing user and device authentication and using identity, role, and access attributes to determine what the users are authorized to access.

    • Account management defines the types of accounts allowed and specifically prohibited for use within the system, authorized users of the system, group and role membership, access authorizations, and assignment of organization-defined attributes for each account, and performs user authentication,
    • Access enforcement enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies,
    • Information flow control governs the flow of data within the system and between connected systems,
    • Multi-factor authentication that is verifier-impersonation resistant is used for all users and administrators,
    • Federated identity is leveraged, encompassing traditional identity, credential, and access management (ICAM) data, and may include non-enterprise employees.

  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

    FedRAMP solutions continuously monitor, measure, and validate the effectiveness of their cybersecurity controls.

    • Security validation continuously monitors, measures, and validates the effectiveness of cybersecurity controls, thereby enabling the organization to continuously improve its detection processes,
    • Network discovery helps identify unknown and/or unexpected devices and activity that may be indicative of suspicious events, to detect potential cybersecurity events,
    • EDR/EPP tooling detects and disables malware, viruses, and other signature-based threats,
    • Device management pushes enterprise applications and updates to devices, enables users to download enterprise applications that they are authorized to access, tracks user activity on devices, and detects and addresses security issues on the device,
    • Configuration management ensures that systems are compliant with organizational policy in terms of having the expected baseline installation and configuration of software and firmware.
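Tenets 5 and 7 above describe collecting component logs into a central SIEM and correlating them to surface anomalies and unexpected devices. As an added example (not code from this article, FedRAMP, or InfusionPoints), the Python below normalizes events from three constructed components that log in two different formats (key=value and JSON), then runs three correlation rules over the unified stream: a burst of failed logins for one account, a successful login for one account from two countries within a short window, and a successful login from a device that is not in the asset inventory. The log lines, field names, device inventory and thresholds are constructed for illustration.

```python
"""SIEM-style log normalization and anomaly correlation; an added example.

The sample events, field names, device inventory and thresholds below are
constructed for illustration and do not come from any real system.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DEVICE_INVENTORY = {"LAPTOP-0042", "LAPTOP-0077"}   # constructed asset inventory
FAIL_BURST_COUNT = 5                                # failures that count as a burst
FAIL_BURST_WINDOW = timedelta(seconds=60)           # ...within this window
TRAVEL_WINDOW = timedelta(minutes=30)               # two countries inside this = anomaly

# Constructed events from an identity provider (idp), a VPN gateway (vpn) and an
# endpoint agent (edr). The first two log key=value pairs, the third logs JSON.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z idp user=alice result=FAIL src=198.51.100.7 geo=US
2024-03-01T09:00:03Z idp user=alice result=FAIL src=198.51.100.7 geo=US
2024-03-01T09:00:05Z idp user=alice result=FAIL src=198.51.100.7 geo=US
2024-03-01T09:00:07Z idp user=alice result=FAIL src=198.51.100.7 geo=US
2024-03-01T09:00:09Z idp user=alice result=FAIL src=198.51.100.7 geo=US
2024-03-01T09:00:20Z idp user=alice result=OK src=198.51.100.7 geo=US device=LAPTOP-0042
2024-03-01T09:15:00Z vpn user=bob result=OK src=203.0.113.9 geo=US device=LAPTOP-0077
2024-03-01T09:30:00Z vpn user=bob result=OK src=192.0.2.44 geo=BR device=LAPTOP-0077
2024-03-01T09:40:00Z edr {"user": "carol", "result": "OK", "src": "203.0.113.20", "geo": "US", "device": "UNKNOWN-PC"}
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one raw line into a normalized event dict regardless of source format."""
    ts_text, component, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = json.loads(rest) if rest.startswith("{") else dict(KV_RE.findall(rest))
    return {"ts": ts, "component": component, **fields}


def normalize(raw_text: str) -> list:
    """Parse every non-empty line and order the unified stream by timestamp."""
    events = [parse_line(line) for line in raw_text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list) -> list:
    """Run the correlation rules; each finding is (rule, user, detail)."""
    findings = []
    fails = defaultdict(list)   # user -> timestamps of recent failures
    last_ok = {}                # user -> most recent successful event
    for e in events:
        user = e["user"]
        if e["result"] == "FAIL":
            recent = [t for t in fails[user] if e["ts"] - t <= FAIL_BURST_WINDOW]
            recent.append(e["ts"])
            fails[user] = recent
            if len(recent) >= FAIL_BURST_COUNT:
                findings.append(("failed-login-burst", user, e["component"]))
                fails[user] = []  # one burst yields one finding
            continue
        # Successful access: check the device against inventory (tenet 7).
        if e.get("device") not in DEVICE_INVENTORY:
            findings.append(("unmanaged-device", user, e.get("device")))
        # Same account from two countries within the travel window.
        prev = last_ok.get(user)
        if prev and prev["geo"] != e["geo"] and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            findings.append(("impossible-travel", user, f"{prev['geo']}->{e['geo']}"))
        last_ok[user] = e
    return findings


if __name__ == "__main__":
    for finding in correlate(normalize(SAMPLE_LOGS)):
        print(*finding)
```

The normalization step is what makes the cross-component rules possible: the burst rule needs the identity provider's failures, the travel rule needs successive VPN successes, and the inventory rule needs the endpoint agent's device field, and none of the three sources on its own would reveal all three findings.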

At InfusionPoints, we understand the unique challenges facing cloud service providers and Federal Agencies, and we are here to help. Our team of experienced security professionals specializes in helping companies achieve compliance with federal regulations such as FISMA and FedRAMP.

Here's a brief overview of our services:

  • Federal compliance guidance and advisory services,
  • Zero Trust Gap assessments,
  • Zero Trust Architecture Development,
  • Zero Trust Virtual Network and Security Operations Center services,
  • FedRAMP-compliant cloud architecture build, manage, and defend services.


References:

M-22-09 Moving the U.S. Government Toward Zero Trust Cybersecurity Principles

NIST SP 800-207, Zero Trust Architecture

Planning for a Zero Trust Architecture

Implementing a Zero Trust Architecture (2nd Preliminary Draft) SP 1800-35 (Draft)

Implementing a Zero Trust
