Zero Trust security in cloud-based simulation

Information Technology (IT) security approaches traditionally attempt to translate perimeter-based security from locked doors, badges, and guns to firewalls and digital access control policies. But this only works on localized IT systems. The state-of-the-art demonstrated how unsuited this approach becomes to security in federated, multi-party, cloud-based simulation environments. Neglecting security controls within such an infrastructure may leave open chances of misbehavior and “honest but curious” behavior. Without internal security controls, parties in the simulation may be able to gather far more details than they should. For instance, a simulation component may subscribe to more simulation data than required for a correct and valid interoperation with other components. In other cases, a component may attempt to instigate information disclosing responses from other components by publishing more simulation data than necessary. In other words, a traditional perimeter-based security approach to a federated cloud-based simulation environment may allow any component to easily exfiltrate, falsify, and/or disrupt information.
In recent years the Zero Trust approach to cybersecurity has gained increasing momentum, pushing the philosophy of “never trust, always verify”, and “assume breach”. In essence, Zero Trust mandates that proof of trustworthiness cannot be derived from simply having access to an environment: it must be possible to verify to the most risk-relevant extent feasible that processes and entities can be trusted continuously and according to a dynamic context.
This paper explores the application of Zero Trust approaches in the context of security in cloud-based simulation. We describe a framework to tailor Zero Trust concepts to the design and implementation of security controls in an HLA based simulation environment and present the results of a field-test of these controls at CWIX 2024 in the context of a larger effort for the NATO Federated Mission Networking.