The clock is ticking on cybersecurity. In today’s volatile world, it’s not a question of if you are at risk of compromise, but when. That’s why the Biden Administration released a strategy to move agencies to a zero-trust security model by the end of fiscal year 2024.
The National Institute of Standards and Technology (NIST) defines zero-trust architecture (ZTA) as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
ECS’ Dr. Shayla Treadwell, Vice President of Governance, Risk, and Compliance, and William Rankin, Director of Cybersecurity Governance and Compliance, met to discuss the new memo and its implications on federal agencies and beyond.
Q: After reading the recent memo, people may not come away with a clear-cut understanding of what zero-trust architecture is. Can you put it plainly for us?
Shayla Treadwell: The first thing to understand is that zero trust isn’t some type of software. It’s a strategy. Zero trust is a cohesive approach to looking at your cybersecurity system, and it enables capabilities to secure organizations using the key principle of ‘least privilege access.’
Least privilege access assumes that no user or application should be inherently trusted. Instead, trust is established based on the user’s identity and context. So, we look at their location, the service being requested, or the security posture of the endpoint. Zero trust also relies on strict user authentication. When implemented well, it improves protection against cyber threats by reducing the attack surface and limiting the impact of cyberattacks.
William Rankin: To understand ZTA, you need to go back to the name. Put simply, we don’t trust the digital you. Your company’s digital persona is suspect. No user, packet, interface, or device, whether internal or external to the network, should be trusted until authenticated.
Q: Is zero trust a new thing?
Shayla Treadwell: The concept of zero trust isn’t new, but it hasn’t been a widely used strategy until now because it’s harder to adopt. Zero trust has also become more necessary now with the increase in remote working environments. Using zero trust, you can allow secure remote access to organizational data, applications, and services based on specific control policies, while providing controls for authentication and access. You can also establish additional visibility to help monitor for potential data loss, compromised networks, and malicious activities.
Q: Why did the federal government put this memo out? Why now?
Shayla Treadwell: If you look at any cybersecurity news, you’ll see that today’s threat landscape is more hostile than ever. As these threats escalate, safeguarding critical assets becomes more and more difficult.
We’re also seeing increased saturation of cloud-hosted environments and easy access to critical data. As organizations continue to embrace and depend on new ways of doing business through cloud computing, virtual workspaces, and enhanced use of internet-of-things (IoT) devices, this volatile and ambiguous space creates even more risks. Cyber criminals are taking advantage of these changes by holding hostage the sensitive data that organizations deem most valuable.
Q: What makes zero trust better than the status quo?
William Rankin: No security strategy will ever be faultless, and it would be difficult to make a blanket statement that zero trust is “better.” Organizations need to determine what cybersecurity practices are right for them to manage risks to acceptable levels. One way to summarize the objective of zero trust is “never trust and always verify.” There’s a lot to unpack within that simple statement. You can achieve this through various avenues and by building on cybersecurity practices that are already in place.
Would I say zero trust is the pinnacle of a desired cybersecurity posture? It’s not a bad target to aim for. Zero-trust strategies reduce the attack surface and can limit the impact of a cyberattack. This results in reduced response time and cost, including recovery from data breaches. Zero trust focuses on the implementation of principles to ensure that every access request is scrutinized.
Q: How is zero trust different from other cybersecurity strategies?
Shayla Treadwell: The main difference between zero trust and other access control models is “default allow” versus “default deny.” Though zero trust is different from other access control models, such as local area networks (LANs), firewalls, virtual private networks (VPNs), and network access control (NAC), it does not mean that those solutions and technologies are unnecessary. A layered security strategy can make it easier to transition to a zero-trust strategy.
William Rankin: One of the great things about zero trust is that the strategy can build on the good cybersecurity practices that have been around for years. It shouldn’t require a rip-and-replace of an organization’s already established cybersecurity program.