Zero trust architecture for scientists

GC scientists handle massive amounts of crucial research data, sometimes contained in especially large or unusual file formats. They also share this information, some of which is classified as protected. While some of their collaborators are government employees based in Canada, others work in private industry or academic institutions and may be located in other countries. With these needs in mind, scientists require innovative technical solutions to complete their work efficiently. At the same time, Canadian scientists' work can be a high-value target for threat actors across the globe, so cyber security is a top concern for IT solutions in science. This is why Canadian science was an ideal space to begin testing zero trust architecture (ZTA) concepts.

What current projects involve ZTA and federal science?

Shared Services Canada (SSC) has worked with the federal science community to deploy ZTA proofs of concept (PoCs). These PoCs aim to increase knowledge of how zero trust capabilities could be implemented and integrated. They may change the way SSC manages and delivers IM and IT services for the GC, as well as how those services are managed in partner and client organizations, in support of SSC's transition to modern cyber security.

The first PoC, in partnership with the National Research Council, compared two tools: Agilicus, a product of an Innovative Solutions Canada program participant, and Pritunl, an open source application. Both solutions provide centralized user authentication in front of a variety of protected applications and services. This PoC also helped highlight gaps and key areas to focus on, such as the need for more robust GC identity management.

The second PoC explored the ability to provide external collaborators with secure access to GC systems. This will help achieve some of ZTA's expected benefits for scientists while also informing the Cyber Security Services Roadmap. Upcoming PoCs will investigate the ability to leverage behavioural or biometric data to deliver continuous authentication for users.

What are the benefits of ZTA for science?

Solutions for science need to allow for easy information sharing while still protecting sensitive data and research. These two needs can sometimes conflict, but they are equally important considerations.

A zero trust approach is the ideal way to address both of these concerns simultaneously. For example, by limiting user access to only content they require (a concept known as "least privileged access"), ZTA would also limit the amount of sensitive data that a potential threat actor could access. Scientists can control and restrict access to sensitive information and assets on a need-to-know basis when sharing with other researchers.

ZTA features continuous monitoring, alerting and verification of the user's identity. As a result, organizations and scientific communities can interact, share and exchange information with authorized collaborators, reducing the risk of data breaches and other security incidents.
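The two paragraphs above describe the core of a zero trust access decision: need-to-know grants per user and per action (least privilege), plus continuous re-verification of identity and device state with alerting on anomalies. The following is an added illustration, not code from SSC or from either PoC product, showing how a policy decision point can evaluate every request against those rules. The classification names, re-verification windows, user names and dataset names are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed policy table (an assumption for this example, not an SSC value):
# how recently a user's identity must have been re-verified (for example by MFA)
# before a request against data of each classification is honoured.
MAX_AUTH_AGE_SECONDS = {
    "Unclassified": 8 * 3600,
    "Protected A": 3600,
    "Protected B": 900,
}


@dataclass
class Principal:
    user_id: str
    org: str                  # home organisation, e.g. a department or a university
    device_compliant: bool    # result of the device posture check
    last_verified_at: float   # epoch seconds of the last successful identity check


@dataclass
class Resource:
    name: str
    classification: str
    # Need-to-know grants: user_id -> set of actions that user may perform.
    # Anyone not listed, or listed without the action, is denied (least privilege).
    grants: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(principal, resource, action, now, alerts):
    """Policy decision point: every request is evaluated on its own merits.

    Network origin is never consulted, so an 'inside' request gets no free pass.
    Denials that look like misuse are appended to `alerts` for the SOC;
    an expired verification is a normal step-up prompt and is not alerted.
    """
    if not principal.device_compliant:
        alerts.append(f"ALERT {principal.user_id} ({principal.org}) -> "
                      f"{resource.name}: request from non-compliant device")
        return Decision(False, "device not compliant")

    max_age = MAX_AUTH_AGE_SECONDS.get(resource.classification)
    if max_age is None:
        # Fail closed: an unknown classification is a configuration error.
        alerts.append(f"ALERT {resource.name}: unknown classification "
                      f"{resource.classification!r}, request denied")
        return Decision(False, "unknown classification")

    if now - principal.last_verified_at > max_age:
        # Continuous verification: the session is stale for this data class.
        return Decision(False, "re-verification required")

    if action not in resource.grants.get(principal.user_id, set()):
        alerts.append(f"ALERT {principal.user_id} ({principal.org}) attempted "
                      f"{action} on {resource.name} without a grant")
        return Decision(False, "no need-to-know grant for action")

    return Decision(True, "granted")


def demo():
    """Runs a constructed scenario and returns (decisions, alerts)."""
    alerts = []
    dataset = Resource("genomics-dataset-42", "Protected B",
                       {"alice": {"read", "write"}, "bob": {"read"}})
    alice = Principal("alice", "ExampleDepartment", True, 1000.0)
    bob = Principal("bob", "ExampleUniversity", True, 1000.0)
    carol = Principal("carol", "ExampleVendor", False, 1400.0)
    decisions = [
        evaluate(alice, dataset, "write", 1500.0, alerts),  # granted
        evaluate(bob, dataset, "read", 1500.0, alerts),     # granted (need-to-know)
        evaluate(bob, dataset, "write", 1500.0, alerts),    # denied + alert
        evaluate(alice, dataset, "read", 3000.0, alerts),   # denied: stale verification
        evaluate(carol, dataset, "read", 1500.0, alerts),   # denied + alert
    ]
    return decisions, alerts


if __name__ == "__main__":
    for d in demo()[0]:
        print(d)
    print("\n".join(demo()[1]))
```

Two design choices matter here. First, the decision fails closed on anything unexpected (an unknown classification), because a zero trust control that errs toward "allow" defeats its purpose. Second, a stale verification is treated as a step-up prompt rather than an alert, while a request without a grant or from a non-compliant device is surfaced to monitoring, which keeps alert volume meaningful.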

ZTA could also allow scientists to access non-standard resources securely if they have the need and are authorized to do so. Scientists could be provided with authority to directly access scientific equipment in laboratories and in the field. They could also connect with the international scientific community through the National Research and Education Network. Without the additional protection offered by a ZTA model, these actions would present greater potential risk for the entire scientific community.

What does all of this mean for GC departments outside of the science community? The insights gained from the PoCs are being used to plan for the integration of future solutions to strengthen cyber security services delivered by SSC.
