Zero Trust: Ease of Use and Flexibility Restored to Regulated Research
Just prior to the COVID-19 pandemic, our college launched the Carolina Enclave for Secure Research to provide its researchers with a self-contained environment for Department of Defense projects. The requirements for our regulated research enclave were simple: researchers needed a NIST SP 800-171 compliant environment to edit Controlled Unclassified Information (CUI) documents and collect data. With the sudden pivot to work from home during the pandemic, we had to find a way to enable those working on regulated research projects to safely browse the web, use collaborative SaaS tools like Office 365 and Teams, and access resources. Post-pandemic, our regulated research users needed flexibility. Researchers work out of different locations: on site at a college lab or office, at home, or when traveling to conferences. We started redesigning the regulated research environment with these new requirements and along the way realized we were implementing a Zero Trust Architecture. This talk describes our journey and uses the new NIST Special Publication 800-207 (Zero Trust Architecture) to demystify and sort out the elements of Zero Trust from the marketing buzzwords. We identify the roadblocks we experienced along the way, as well as the benefits of Zero Trust. The Zero Trust paradigm has taken our CMMC/NIST SP 800-171 implementation and restored much of the flexibility and ease of use that our users expect, allowing the users to concentrate on the research and not the environment.