In response to the recent onslaught of headline-grabbing security breaches, such as the attacks on SolarWinds and the Colonial Pipeline, the U.S. federal government is taking decisive steps toward a zero trust future. In May, the Biden Administration issued a cybersecurity executive order that, among other provisions, mandates that all federal agencies develop a plan for implementing a zero trust architecture. President Biden’s order asserts that the federal government “must lead by example.” Is it inevitable that the private sector will follow?
Zero Trust Architecture
Zero trust is a cybersecurity model that operates under the principle of “never trust, always verify.” The traditional security approach prioritizes protecting the network perimeter against external threats by keeping them outside the firewall, while assuming that users and devices already inside the network can be trusted to access system resources. By contrast, the zero trust model assumes that potential threats are already present anywhere on the network, so a request’s network location earns it nothing. This change in perspective shifts the focus from protecting the network boundary to protecting its assets: every request is evaluated on its own merits, every time. In a zero trust architecture, tactics such as least-privilege access, multi-factor authentication, microsegmentation, data encryption and continuous monitoring for anomalous behavior are used to protect data and resources independently of the wider, untrusted network.
To Trust or Not to Trust
From a zero trust perspective, the diffuse nature of modern networks, in which data and applications are often spread across multiple cloud systems accessible from anywhere, has made a hardened network perimeter an unreliable control. Since a breach is assumed, limiting exposure is a natural and necessary response. Zero trust principles reduce an organization’s attack surface by placing barriers between system resources, so that an attacker who has breached the perimeter (or compromised one host) cannot move laterally to the rest of the network. This approach also lets organizations concentrate limited security resources on their most critical assets.
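The following is an added example, not code from the original page, from NIST, or from MBL Technologies. It sketches the "never trust, always verify" evaluation described in the two sections above as a small policy decision point: every request is checked for device registration and posture, a microsegmentation allowlist (so sitting on the corporate LAN does not by itself reach the database tier), least-privilege role permissions, and MFA for sensitive resources. The users, devices, segments, resources and rules are constructed sample data chosen for illustration; the function and field names are the example's own, not any product's API.

```python
"""Toy zero-trust policy decision point (added example; hypothetical data)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset          # roles asserted by the identity provider
    device_id: str            # device the request was made from
    mfa_verified: bool        # was MFA completed for this session?


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled in device management
    patched: bool             # passes the current patch baseline
    segment: str              # network segment the request originates from


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str              # segment the resource lives in
    sensitivity: str          # "low" or "high"
    permissions: dict         # role -> set of actions that role may perform


# Constructed inventories (hypothetical); a real PDP would query an IdP, MDM, CMDB, etc.
DEVICES = {
    "lt-0042": Device("lt-0042", managed=True, patched=True, segment="corp-lan"),
    "lt-0099": Device("lt-0099", managed=True, patched=False, segment="corp-lan"),
    "byod-7": Device("byod-7", managed=False, patched=True, segment="vpn"),
}

RESOURCES = {
    "wiki": Resource("wiki", "app-tier", "low",
                     {"staff": {"read"}, "editor": {"read", "write"}}),
    "payroll-app": Resource("payroll-app", "app-tier", "high",
                            {"hr": {"read", "write"}, "dba": {"read"}}),
    "payroll-db": Resource("payroll-db", "db-tier", "high",
                           {"dba": {"read", "write"}}),
}

# Microsegmentation allowlist: (source segment, destination segment) pairs permitted
# to talk at all. Note there is deliberately no ("corp-lan", "db-tier") entry:
# only the application tier may reach the database tier.
SEGMENT_ALLOW = {
    ("corp-lan", "app-tier"),
    ("vpn", "app-tier"),
    ("app-tier", "db-tier"),
}


def decide(subject: Subject, resource_name: str, action: str) -> tuple[bool, str]:
    """Evaluate one request. Returns (allowed, reason). Default is deny."""
    resource = RESOURCES.get(resource_name)
    if resource is None:
        return False, "unknown resource"

    # 1. The device must be known and healthy; an unregistered or unpatched
    #    endpoint is denied regardless of who is logged in or where it sits.
    device = DEVICES.get(subject.device_id)
    if device is None:
        return False, "unregistered device"
    if not (device.managed and device.patched):
        return False, "device fails posture check"

    # 2. Segment-to-segment barrier: limits lateral movement after a compromise.
    if (device.segment, resource.segment) not in SEGMENT_ALLOW:
        return False, f"segment {device.segment} may not reach {resource.segment}"

    # 3. Least privilege: the union of the subject's role permissions must include the action.
    granted = set()
    for role in subject.roles:
        granted |= resource.permissions.get(role, set())
    if action not in granted:
        return False, f"roles {sorted(subject.roles)} not permitted to {action}"

    # 4. Step-up authentication for sensitive resources.
    if resource.sensitivity == "high" and not subject.mfa_verified:
        return False, "MFA required for high-sensitivity resource"

    return True, "allowed"


# Constructed sample subjects used below.
ALICE = Subject("alice", frozenset({"staff"}), "lt-0042", mfa_verified=False)
BOB = Subject("bob", frozenset({"dba"}), "lt-0042", mfa_verified=True)
BOB_NO_MFA = Subject("bob", frozenset({"dba"}), "lt-0042", mfa_verified=False)
CAROL = Subject("carol", frozenset({"hr"}), "lt-0099", mfa_verified=True)
DAVE = Subject("dave", frozenset({"staff"}), "byod-7", mfa_verified=True)

if __name__ == "__main__":
    for subj, res, act in [(ALICE, "wiki", "read"), (ALICE, "wiki", "write"),
                           (BOB, "payroll-db", "read"), (BOB, "payroll-app", "read"),
                           (BOB_NO_MFA, "payroll-app", "read"), (CAROL, "payroll-app", "read"),
                           (DAVE, "wiki", "read")]:
        ok, why = decide(subj, res, act)
        print(f"{subj.user:6} {act:5} {res:12} -> {'ALLOW' if ok else 'DENY ':5} ({why})")
```

The instructive case is `bob` on `payroll-db`: he holds the right role and has completed MFA, yet the request is denied because a workstation on the corporate LAN is not permitted to talk to the database tier directly. In a perimeter model the same request would have succeeded simply because it came from inside the firewall.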
However, zero trust may not be a feasible, or even desirable, direction for all organizations. Many organizations rely on legacy systems that don’t support the rigorous authentication required for zero trust. Furthermore, there’s a risk that invasive zero trust policies will drive employees to use personal devices to protect their privacy and productivity, resulting in shadow IT.
Are Zero Trust Requirements on the Horizon?
In August 2020, NIST published SP 800-207, Zero Trust Architecture, which provides guidelines for organizations moving to a zero trust model. NIST’s National Cybersecurity Center of Excellence (NCCoE) is building upon that blueprint with its Zero Trust Architecture project: In partnership with leading industry vendors, NCCoE is developing several practical approaches to a zero trust architecture based on the SP 800-207 framework and industry best practices. It’s common practice for organizations to hold themselves—and their vendors—to NIST guidelines as security standards, so, even if your organization isn’t directly impacted by Biden’s executive order today, someday trust may no longer be an option.
Is zero trust the right direction for your organization? MBL Technologies offers comprehensive cybersecurity services that can help you understand the zero trust framework and whether it makes sense for your environment.