Nearly six months after President Joe Biden signed a far-reaching executive order designed to revamp how the U.S. government approaches cybersecurity and crafts defenses against attacks, some aspects of this security order are coming into focus. Get ready to hear a lot more about "zero trust."
As the federal government prepares to start adopting the concepts and technologies outlined in the executive order, this shift in cybersecurity priorities is almost certain to have wider implications for many private-sector enterprises and their IT and security teams.
One of the biggest implications of this is the adoption of zero trust as a more secure way to protect networks, assets and data from nation-state as well as ransomware attacks.
On Sept. 7, the Office of Management and Budget and the U.S. Cybersecurity and Infrastructure Security Agencyreleased a detailed set of guidelines, as well as specific deadlines, for when executive branch departments and agencies must adopt zero trust architectures. The memos also ask each department or agency to submit plans and budget proposals for implementing this approach.
As the Biden memo makes clear, zero trust can act as a better approach to countering the types of cyber incidents that have previously targeted federal government agencies.
"Zero trust architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained," according to the executive order. "The zero trust architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity."
As federal agencies push toward zero trust, state and local governments, as well as many enterprises, are likely to follow this model, said Timur Kovalev, CTO at security firm Untangle.
“By mandating newer security models such as zero trust for federal agencies, the recent executive order sets a precedent for businesses to follow,” Kovalev told Dice. “Having concrete, actionable guidelines in an executive order from the highest government authority will influence corporate leadership and provide a set of standards and an example on which to base their zero trust policies.”
Working Toward Zero Trust
While the concept of zero trust has been around for about a decade (former Forrester analyst John Kindervag first coined the term), many organizations and government agencies are only starting to take their first steps toward implementing parts of the concept.
“Traditionally, our network architectures are hinged on the idea of 'trust everything inside and trust few-to-none outside the network,’” Momodou Jaiteh, senior application security consultant at nVisium, told Dice. “While this model has served us to some extent in the past, we are increasingly seeing more and more gaps that have led to a number of high-profile breaches. These gaps continue to widen as we embark on more open architectures—such as the cloud and microservices—where the boundaries are much more blurred.”
What zero trust does promise to do is re-enforce principles of least privilege and defense-in-depth, which can limit the number of breaches, but also reduce lateral movement by attackers if they do manage to bypass the initial security tools and establish a presence within a network, Jaiteh said. Now with the federal government embracing these techniques, the concept is only likely to expand.
“The Biden administration's effort to advocate for—and prioritize—zero trust adoption in the federal government and the private sector at large is extremely significant. Although the private sector is starting to hone in on zero trust architectures, it is still in its infancy in terms of adoption rates,” Jaiteh noted. “The Biden administration has taken the necessary first step and I hope to see state and local governments follow suit, in addition to more private sector organizations taking a similar trajectory.”
At the same time, zero trust helps address some of the issues that organizations, whether public or private, face when shifting more of their infrastructure to the cloud. This requires embracing tools and techniques such as multifactor authentication, micro-segmentation and network access, said Michael Isbitski, technical evangelist at Salt Security.
“Technologies that enable zero trust have gained traction as organizations shifted their computing from data centers to cloud environments and workforces became increasingly remote,” Isbitski said. “New approaches and technology were needed to protect network communications of workloads as services became highly distributed, cloud-hosted and ephemeral.”
What to Know
As zero trust moves from a high-minded concept to a new reality, IT and security professionals need to study up. What can make zero trust daunting, however, is that no organization truly achieves zero trust and there is always more work and adjustments that need to be made.
There are, however, some solid starting points such as the National Institute of Standards and Technology’s Special Publication SP 800-207, which details the agency’s view of zero trust as well as various components of the architecture and possible ways to deploy it as a defense. There is also the original Forrester white paper on zero trust, said John Dickson, vice president at security consulting firm Coalfire.
“The second recommendation would be to understand where your agency is on the zero trust journey,” Dickson told Dice. “How many of the concepts are in production? Are artifacts of the zero trust strategy being considered on the IT roadmap? Understanding the key concepts and the starting point for zero trust is the starting point for organizational transformation. As the cliché goes, it will be a marathon, not a sprint.”
Kovalev of Untangle noted that those interested should brush up on skills concerning knowledge of networks and micro-segmentation, authentication, trusted endpoints, and access controls as well as user and system attribution to help understand how access to sensitive data and systems is controlled and regulated.
“While the concept is clear, and the purpose of zero trust is becoming well-understood, an issue now is that it’s a term that is interpreted differently by both those trying to implement it and vendors that are moving fast to be able to state that they provide it,” Kovalev said. “As organizations move forward to take action on this executive order, they will need to look at how various solutions are providing zero trust, whether it provides a full end-to-end zero trust solution and what it takes to implement it.”
Kovalev also warned that zero trust can also consume time and resources and will alter how some view security within their organization.
“Zero trust can be a time-consuming initiative to implement with challenges ranging from just knowing where to begin—auditing and planning—to technical issues with legacy systems, and getting internal buy-in for a process that often isn’t popular over lost privileges,” Kovalev said.