If yesterday’s networks were like houses with only a handful of entrances and a handful of people holding keys to those entrances, “today’s networks are more like apartment buildings, with constant internal traffic offering potential access to each unit,” according to the Defense Innovation Board’s (DIB) recent report, The Road to Zero Trust (Security).
Government networks continue to grow and are increasingly complex with a myriad of desktops, laptops, mobile devices and apps relying on them. Adding more complexity to the mix are hybrid IT environments in which agencies manage on-premises IT systems that must interact with workloads in multi-cloud infrastructures. Multi-cloud infrastructure environments open new challenges as security operation teams struggle to manage a highly fragmented set of security and compliance controls. This new reality is stretching the traditional perimeter-based cyber security approaches to the breaking point.
“Networks have become widely dispersed across a complex web of connections to outside servers and other networks, with larger numbers of ‘tenants’ and a growing number of entry/exit points,” the DIB report states. Perimeter security is more expensive now because the attack surface has expanded and more firewalls with complex filtering capabilities are required to protect networks.
Additionally, cyber criminals and adversaries are always working to come up with creative methods of getting around perimeter security. Social engineering attacks that manipulate users into giving away their credentials are a primary path by which adversaries gain access to IT assets.
What’s more, as the DIB report points out, security of the network continues to decrease as regular usage creates new vulnerabilities. For this reason, most security experts say agency managers should assume that the network is compromised and take a more targeted approach to security.
How Zero Trust helps solve today’s perimeter security challenges
Zero Trust is based on the principle that organizations need to proactively control all interactions between people, data, and information systems to reduce security risks to acceptable levels. In practice, this means that with Zero Trust no one gets a free pass anywhere on the network: being inside the perimeter confers no access on its own.
As Symantec’s 2019 Cloud Security Threat Report notes, “Old-school security approaches authenticate and determine trust for users at the network’s edge, allowing entrance to those who meet the criteria. Zero Trust models a micro-segmented approach with granular protections applied to the data, and controls implemented at all points of access, including mobile devices, cloud workloads and corporate networks.”
Data within the micro perimeters is classified based on sensitivity, and the architecture accounts for continuous change, allowing access rights to be modified based on behavioral risk scores and device type, among other factors.
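To make the per-access-point model described above concrete, the following is an added illustration (it is not code from the DIB, Symantec or ACT-IAC reports): a minimal policy decision function that gates every request on identity verification for that request, the sensitivity label of the data, the device type and a behavioral risk score, and then re-evaluates the decision as the score changes during a session. The tier names, risk thresholds and device classes are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Data sensitivity tiers; a higher number is more restrictive (assumed labels).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Highest behavioral risk score tolerated for each tier (assumed thresholds, 0..100).
MAX_RISK = {0: 100, 1: 70, 2: 40, 3: 20}
# Device types permitted to reach each tier (assumed policy).
ALLOWED_DEVICES = {
    0: {"managed", "byod", "mobile"},
    1: {"managed", "byod", "mobile"},
    2: {"managed", "mobile"},
    3: {"managed"},
}

@dataclass
class AccessRequest:
    user: str
    device_type: str
    risk_score: int      # from a behavioral analytics feed: 0 (clean) .. 100 (high risk)
    data_label: str      # sensitivity classification of the data being requested
    authenticated: bool  # identity verified for *this* request, not once at the network edge

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Decide a single access attempt. Every check must pass; network location plays no part."""
    if not req.authenticated:
        return False, "identity not verified for this request"
    tier = SENSITIVITY.get(req.data_label)
    if tier is None:
        # Unlabelled data is treated as most sensitive: deny by default.
        return False, f"unclassified data label {req.data_label!r}: deny by default"
    if req.device_type not in ALLOWED_DEVICES[tier]:
        return False, f"device type {req.device_type!r} not permitted for {req.data_label} data"
    if req.risk_score > MAX_RISK[tier]:
        return False, f"risk score {req.risk_score} exceeds limit {MAX_RISK[tier]} for {req.data_label} data"
    return True, "allow"

def reevaluate_session(req: AccessRequest, risk_updates: list[int]) -> list[tuple[int, bool]]:
    """Continuous evaluation: re-run the decision each time the behavioral risk score changes,
    so access granted at the start of a session can be withdrawn mid-session."""
    outcomes = []
    for score in risk_updates:
        req.risk_score = score
        allowed, _ = evaluate(req)
        outcomes.append((score, allowed))
    return outcomes
```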
Giving blind trust to users and devices inside the perimeter of a network is not sustainable and will continue to put national security information and operations at risk until it is resolved, the DIB report notes.
For these reasons, the concept of a Zero Trust-based approach is gaining credence in the federal IT community. Most notably, the Air Force has identified Forrester’s Zero Trust eXtended Framework as one of the pillars of its Enterprise IT as a Service initiative. Also, the Federal CIO Council asked ACT-IAC to provide a whitepaper on Zero Trust and its potential role in the federal government, and the DIB has provided a detailed report on how the defense community can apply Zero Trust and a defense-in-depth security approach to protect internal networks and those that extend to remote locations and the battlefield.
Strong Data Foundation
The purpose of a Zero Trust architecture is to protect data. Consequently, agency managers need a clear understanding of their data assets before they can successfully implement a Zero Trust architecture, according to ACT-IAC. To that end, agencies need to categorize their data assets in terms of mission criticality and use this information to develop a data management strategy as part of their overall Zero Trust approach. Moreover, the federal government’s push toward IT and network modernization gives CIOs the opportunity to perform network audits. These audits give better insight into how the many apps, systems and mobile devices rely on current networks, which in turn helps agencies understand how to map those dependencies onto future Zero Trust-based networks.
Zero Trust is the security model of the future. It is imperative for federal agencies to prepare for this new world of cyber security now.