Making Zero Trust “Trustworthy”

A little over a year ago, I wrote an article about assurance that attempted to make a convincing argument as to why this concept is so critical to the future of digital technologies in a world with complete dependence on these technologies. Much has transpired since then—we have a new White House National Cybersecurity Strategy, a new OMB cybersecurity policy outlining a Federal Zero Trust Architecture Strategy, a new DHS Zero Trust Maturity Model, and a new DOD Zero Trust Strategy. These policies and strategies provide a clear focus that centers on the implementation of zero trust concepts and zero trust architectures (ZTA) for information technology (IT) and operational technology (OT) systems. That's a good thing, and we should move out rapidly toward a full implementation of ZTAs. However, as we make great strides in improving the capability to defend our critical systems from the inside out as well as from the outside in, we should also identify additional capabilities that are needed to enhance the benefits of ZTAs, for example, by addressing the issue of trustworthiness and assurance in the development of systems [1].

ZTAs Are Really Good at What They Are Designed to Do

ZTAs collapse the traditional static system perimeters and implement a variety of security features to achieve strong authorization, authentication, and access controls on individual system resources. These features provide architectural flexibility and a more dynamic and consistent method of protecting organizational assets. ZTAs are designed and implemented with adherence to a set of zero-trust tenets [2]. While ZTAs provide a highly effective access control regimen for systems (writ large) and are excellent at maintaining tighter control over who has access to organizational resources and under what conditions, they are largely silent on the assurance aspects of the security features employed in the architecture. This impacts the overall trustworthiness of the system and the trustworthiness of the hundreds or thousands of its constituent software, hardware, and firmware components. Most of these system components are produced by commercial providers — manufacturers, developers, vendors, and integrators — where innovation, cost, and speed to market are the primary drivers. But from the consumer's perspective, many important questions remain.

  • How are the individual system components designed?
  • What development processes are used to build the components?
  • What security features are incorporated into the components?
  • How much software is imported through untrusted code libraries?
  • How are the components integrated into the system as a whole?
  • How are components tested/evaluated for correctness and effectiveness?
  • Can the system be trusted to perform as intended?
  • Are the components free from common vulnerabilities?

Trustworthy Systems

"The trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is and to the consequences we will incur if that trust is misplaced." (Executive Order 14028, Improving the Nation's Cybersecurity)

Trust is a belief that an entity meets certain expectations and can, therefore, be relied upon. A trustworthy entity requires sufficient evidence to support its trustworthiness claims. Thus, trustworthiness is demonstrated based on evidence that supports a stated claim or judgment of being worthy to be trusted [3] [4] [5]. Trust in an entity can occur without a basis for, or knowledge of, the entity's trustworthiness. This may occur because:

  • There is no alternative (e.g., an individual trusts the components involved in an Internet transaction without knowing anything about the components),
  • The need for trustworthiness is not realized and occurs de facto, or
  • Other reasons (e.g., miscommunication or misrepresentation of evidence) [6]

Since the decision to trust an entity is not necessarily based on a judgment of trustworthiness, the decision to trust an entity should consider the significance (i.e., consequences, effects, and impacts) of trust expectations not being fulfilled. The criteria used to grant trust are what determine the trustworthiness of an entity. Trust granted without establishing the required trustworthiness is a significant contributor to risk.

Trustworthiness Is Based on Assurance

Assurance is the grounds for justified confidence that a claim or set of claims has been or will be achieved [7]. Justified confidence is derived from objective evidence that reduces uncertainty to an acceptable level and, in doing so, reduces the associated risk. Evidence is produced by engineering verification and validation methods. The evidence must be relevant, accurate, credible, and of sufficient quantity to enable reasoned conclusions and consensus among subject-matter experts that the claims are satisfied [1]. The needed evidentiary basis for such judgments derives from well-formed and comprehensive evidence-producing activities that address the requirements, design, properties, capabilities, vulnerabilities, and effectiveness of security functions. These activities include a combination of demonstration, inspection, analysis, testing, and other methods required to produce the needed evidence. The evidence acquired from these activities informs the reasoning of qualified subject-matter experts, who interpret it to substantiate the assurance claims made.

"A meaningful claim of trustworthiness cannot be based on an isolated demonstration that the system contains a protection capability assumed to be effective or sufficient. Instead, conclusions about a protection capability must have their basis on evidence that the system was properly specified, designed, and implemented with the rigor needed to deliver a system-level function in a manner deemed to be trustworthy and secure [3]."

Summing It Up

Discussing the trustworthiness of systems isn't an esoteric concern. The systems that we trust for everything important in life — health, finance, national defense, social, government, manufacturing, energy, and elections — must be trustworthy. We can trust them blindly, out of necessity, or we can trust them because they've earned that trust with well-defined, evidence-based assurance arguments. The concept of assurance plays a central role in understanding the trust we place in a given system and can ensure we implement a broad-based protection strategy capable of defending critical systems from determined adversaries.

As long as we continue to rely on commercial digital technologies to underpin the systems that are deployed in the critical infrastructure and in other mission- and business-essential areas, we will need greater transparency and assurance that these technologies are built correctly and are fit for purpose. Simply put, we need the things we must trust to be trustworthy.

A comprehensive and effective protection strategy requires well-defined security features, such as those implemented in ZTAs, and the associated assurance that those features and others will perform as intended under the stresses of ongoing cyber-attacks and other threats [1] [8]. Meaningful claims of trustworthiness must be backed up by the assurance evidence needed to make those claims credible. Otherwise, we will continue to fly by the seat of our pants, and the fabric is getting a little thin.

A special note of thanks to Matt Scholl, Mark W., and Jeff Williams, long-time cybersecurity and SSE colleagues, who graciously reviewed and provided sage advice for this article.

[1] Ross R, Winstead M, McEvilley M (2022) Engineering Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Rev. 1. https://doi.org/10.6028/NIST.SP.800-160v1r1

[2] Rose S, Borchert O, Mitchell S, Connelly S (2020) Zero Trust Architecture. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-207. https://doi.org/10.6028/NIST.SP.800-207

[3] Neumann P (2004) Principled Assuredly Trustworthy Composable Architectures, CDRL A001 Final Report, SRI International, Menlo Park, CA. https://www.csl.sri.com/users/neumann/chats4.pdf

[4] Schroeder MD, Clark DD, and Saltzer JH (1977) The Multics Kernel Design Project. Proceedings of the Sixth ACM Symposium on Operating Systems Principles. https://web.mit.edu/Saltzer/www/publications/rfc/csr-rfc-140.pdf

[5] Levin T, Irvine C, Benzel T, Bhaskara G, Clark P, and Nguyen T (2007) Design Principles and Guidelines for Security, Technical Report NPS-CS-07-014. Naval Postgraduate School. https://nps.edu/web/c3o/technical-reports

[6] Neumann P (2017) Fundamental Trustworthiness Principles. SRI International. https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/2017mit-cybersecurity-cheri-princ-web.pdf

[7] International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (2019) ISO/IEC/IEEE 15026-1:2019, Systems and software engineering – Systems and software assurance – Part 1: Concepts and vocabulary. https://www.iso.org/standard/73567.html

[8] Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2021) Developing Cyber-Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2, Rev. 1. https://doi.org/10.6028/NIST.SP.800-160v2r1


Steven Rodrigo

Cloud Security Architect

1 year

Agree with your comment completely, Ron, and I fear perception is turning into reality when it comes to not only employing Zero Trust but maintaining that level of security rigor. I'm hearing lots of what Zero Trust Architecture can do, especially within the DoD realm; however, without actual assurance benchmarks (using NIST SP 800-53/53A) to measure a system's trustworthiness, Zero Trust is just a good concept to evaluate at this point. As an example, I've seen numerous proposals recently with FIPS 199 High security requirements; however, when I enquired as to why the system required such a high security rigor, the response I received was "well, it needs to comply with Zero Trust requirements". This is not a proper execution of the RMF, IMHO; however, without clarifying guidance, I fear this is the road we are heading down with Zero Trust.

Axel Kloth

Founder & CEO at Abacus Semiconductor Corporation & Venture Partner at Pegasus Tech Ventures

1 year

How can anything work if you trust no one and nothing? Misnomer, misunderstanding or BS...

Gary Weiner

Founder @ Apriori Network Systems | Optical Data Protection

1 year

I support Zero Trust, but leaving out the transmission medium in favor of using software to encrypt and active analytics to compare payloads of data's gravity is all good, but my interpretation of zero trust does not leave out the physical plant, the engineered elements that make the network. The transmission medium can and should be fortified to meet Zero Trust initiatives as well, at least where individual fibers connect customers to the carrier within multi-tenant buildings, office parks, and neighborhoods.

Mariano Diaz Miranda

Chief Technologist at Booz Allen Hamilton

1 year

Both volumes of NIST 800-160 are great reads and essential guides to engineering trustworthy systems. I personally enjoyed reading them and leverage them as a reference. I remember enjoying 207, released during the pandemic; it was also very well written and gave one of the best definitions for ZTA beyond the marketing hype and buzzwords! Good reads if you want a refresher on solid Information Security Engineering fundamentals!

More articles by Ron Ross