Zero Trust Framework: How you complete me!
Cybersecurity has traditionally been designed around a lock-and-key, moat-around-the-castle mentality. In today’s fluid, supply-chain-driven risk environment, a focus on perimeter defenses only ensures that external ‘malicious actors’ are kept at bay. Those actors have become more sophisticated, more driven to extract ‘treasure troves’ of data and information rather than to commit simple hijinks or acts of mischief, and are often state-backed or ‘nation-state’ sponsored. A new foundational model was desperately needed for the next decade!
With the continued reliance on foreign software and hardware, or simply on the development and acquisition supply chain, it became increasingly clear that perimeter defenses would not hold against determined adversaries. Those adversaries often leveraged compromised systems from these provisioned asset pools, effectively gaining a backdoor around the perimeter and, worse, appearing as valid systems, users and traffic! Enter the Zero Trust framework, where compromise and security gaps are presumed: all resources are untrusted and must be authenticated, authorized and evaluated before access or communication (in either direction) is allowed, in order to protect users, devices, networks, workloads, apps and data.
What is Zero Trust and why is it important?
Zero Trust provides inbound and outbound authorization, as well as security assurance to and from all assets, endpoints, end users and administrators, including API calls and machine-to-machine (M2M) communications. ZT is the only demonstrated way to provide “inside-out” resilience (against presumed compromise).
The ability to provide evidence of ZT conformance will increasingly limit or enable the ability to offer infrastructure, products and services to the market: initially within the Federal space, and then within the EU and UK.
Gartner, June 2021: “By 2024, at least 40% of all remote access usage will be served predominantly by zero trust network access (ZTNA), up from less than 5% at the end of 2020.”
And what are the standards and regulatory reasoning behind it?
Zero Trust has evolved into part of the fabric of the industry, as defined in the framework from NIST in SP 800-207, and has also been made part of the executive policy apparatus à la the Executive Order / OMB + FARs / NSA / DoD / DHS-CISA, to name a few within the United States.
It is also becoming clear that Europe, e.g. UK NCSC / EU NIS2 (ENISA) / EU Cyber Resilience Act / IETF, and the APAC region, e.g. ACSC, are embracing the evolution as well. It has been estimated that up to 85% of agencies and organizations intend to deploy some form of the existing Zero Trust framework(s) within their region in the coming 12-18 months (even if it’s only one pillar?).
So, what are the key reasons for this evolutionary shift and its expeditious pace? The recent wave of devastating supply chain attacks and the pervasive ransomware, both leveraging emergent malware, intractable configuration complexity and “inside-out” exploitation. The resulting trust erosion and disruption are unsustainable, and ZT thus offers what may be the best opportunity to level the playing field for cybersecurity efforts to protect users, devices and data for corporations and agencies alike.
Zero-Trust Modeling; what are the key highlights guiding this for the industry?
The current requirements are to demonstrate progress along the complex and disruptive journey toward Zero Trust. Transitioning to a Zero Trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the Federal Government. But as stated in OMB EO 14028:
“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
Some examples of near-term actions required of agencies in moving toward Zero Trust:
- Identify all authorized users and their intended access
- Segment networks around applications (not collections of applications, not security posture zones)
- Reach maturity level 1 (IL1) logging requirements (OMB M-21-31)
- Operate dedicated application security testing programs
- Inventory all assets, including all cloud and IoT assets, establishing pervasive monitoring
- Avoid the use of privileged software agents wherever possible (presumed compromise)
Note: All of these are prerequisites to formulating Zero Trust policies and implementing Zero Trust.
*** Don’t forget our follow-on Episodes coming throughout December! ***