Can zero trust really protect government from cyberattacks? - GCN.com

INDUSTRY INSIGHT

Can zero trust really protect government from cyberattacks?

It’s clear from the recent spate of cyberattacks on government networks, be it the SolarWinds incident or the Russian intelligence breach of the Treasury and Commerce Departments, that our adversaries are finding new ways to infiltrate government systems. Once considered impenetrable, the U.S. now lags behind in cyberwarfare.

As Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, recently explained to lawmakers on the Homeland Security and Government Affairs Committee, “Our adversaries have advanced, they are no longer using the same infrastructure to target us repeatedly.” It is imperative that we adapt our security practices.

One of the approaches under discussion is zero trust.

Zero trust is based on the assumption that everyone, inside or outside the network, could be a threat. It is the strategy of skeptics, which, in the field of security, pays significant dividends.

In the current climate though, zero trust has become a bit of a buzzword. It’s important to examine how the term is being deployed and what the connotations are. While the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence provide specific definitions of what’s considered zero trust architecture, the basic idea calls for a single authenticated source of user identity combined with additional context, like policy compliance.

Practically speaking, zero trust involves adopting very granular, rigid user identification policies, strict authentication, role-based access, time and/or location access, and a host of other conditions that define when, where and how employees can access systems and digital assets. Data and resources are segmented down to the personal level. There is a new level of control so that any threat, even an internal one, can be contained.

How zero trust differs from previous approaches

Zero trust is a far cry from the guiding security principles that have been in place for decades. Frederick the Great once said, “He who defends everything, defends nothing.” This maxim led to a perimeter-based approach, where defenses were erected to safeguard what was inside the perimeter walls, protecting the network from any external threat.

That approach works great as long as agencies can absolutely guarantee that no threat can sneak in -- and that they have no bad actors within their organization. This is simply no longer a reality. Bad actors, foreign and domestic, are finding ways to pass through perimeter defenses -- maybe through a bug that wasn’t fixed, a patch that wasn’t installed or a system that was outdated or misconfigured. Once inside the perimeter, adversaries can explore systems undetected, often for months or even years, stealing secrets, wreaking havoc, spying … the list goes on.

Plus, with so many government employees working remotely during the pandemic, perimeter walls have gotten fuzzy and massively complex. Employees no longer have ready access to their IT departments, nor do they benefit from their usual protections. As such, threats have escalated in number and potential danger. Intruders see big opportunities from even the slightest slip.

Zero trust is the paranoid response. It is the “know the secret knock, show two pieces of ID, use the code word and the special handshake to gain access to specific resources” cousin of perimeter security -- and it is perpetually in force, questioning everything and everyone. This occurs concurrently with security and system hygiene applications running in the background.

It’s not that simple

From this perspective, zero-trust technologies seem to be exactly what the U.S. government needs to protect its most sensitive data and operations. But is anything really ever that easy? Agencies don’t just flip a switch to turn on a zero-trust environment; it requires a major commitment and ongoing administration. Access and privileges are constantly changing and need incessant monitoring. Policies often must be altered to cut off access immediately. It’s an intensive effort.

It can also sink productivity if agencies attempt to implement zero trust at the highest scale. If they don’t though, they might wind up with a piecemeal approach that still contains gaps -- even tiny ones -- that could expose vulnerabilities.

That said, zero trust has been years in the making, only drawing attention now as the associated technologies mature. It is well designed for today’s world. It requires enormous planning to implement effectively and will require constant tweaking, but it has to start somewhere.

To move to zero trust, first and foremost, agencies should expect legacy systems to remain in place for a while, which means they won’t be wasting existing investments. Then, agencies should review their most sensitive data and workflows to determine what needs greater protection and where they should limit access or manage sessions, starting with classified documents that should require multifactor authentication, privileged access or session management. Everything else can continue under perimeter control until it makes sense to make additional changes. Zero trust can be rolled out gradually.
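The two passages above describe what a zero-trust access decision combines (an authenticated identity plus role, time, location and policy-compliance context) and how a gradual rollout applies those conditions first to the resources an agency has reviewed as most sensitive while everything else stays under perimeter control. The following policy decision point is an added example written for this article; it is not code from the author, from Adaptiva or from any agency. The resource names, roles, network labels, access window and session lengths are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed resource inventory. The "review your most sensitive data" step
# decides which resources get the full zero-trust conditions ("sensitive")
# and which remain under perimeter-style control for now ("internal").
RESOURCES = {
    "classified-archive": {"tier": "sensitive", "roles": {"records-officer"}, "session_minutes": 30},
    "intranet-wiki":      {"tier": "internal",  "roles": {"staff", "records-officer"}, "session_minutes": 480},
}

# Constructed policy constants for the sensitive tier.
SENSITIVE_WINDOW = (time(7, 0), time(19, 0))   # time condition: staffed hours only
TRUSTED_NETWORKS = {"agency-lan", "vpn"}       # location condition, also the perimeter check


@dataclass
class AccessRequest:
    user: str
    role: str                # taken from the single authenticated identity source
    mfa_verified: bool       # strict authentication
    device_compliant: bool   # policy-compliance context (managed, patched device)
    source_network: str      # location context
    resource: str
    at: datetime             # time context


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # every failed condition, for the audit log
    session_minutes: int = 0                      # session management: how long the grant lasts


def evaluate(req: AccessRequest) -> Decision:
    """Policy decision point. Every failing condition is collected rather than
    stopping at the first one, so a denial is fully explained in the log."""
    spec = RESOURCES.get(req.resource)
    if spec is None:
        return Decision(False, ["unknown_resource"])   # default deny for anything not inventoried

    reasons = []

    # Conditions applied to every resource, whether or not it has been moved to zero trust.
    if req.role not in spec["roles"]:
        reasons.append("role_not_permitted")
    if req.source_network not in TRUSTED_NETWORKS:
        reasons.append("untrusted_network")

    # Additional conditions only for resources reviewed as sensitive; internal
    # resources continue under the perimeter-style checks above for now.
    if spec["tier"] == "sensitive":
        if not req.mfa_verified:
            reasons.append("mfa_required")
        if not req.device_compliant:
            reasons.append("device_noncompliant")
        start, end = SENSITIVE_WINDOW
        if not (start <= req.at.time() <= end):
            reasons.append("outside_access_window")

    if reasons:
        return Decision(False, reasons)
    return Decision(True, [], spec["session_minutes"])


if __name__ == "__main__":
    # Constructed sample requests showing an allow, a denial with several reasons,
    # and an internal resource that still passes on perimeter checks alone.
    samples = [
        AccessRequest("alice", "records-officer", True, True, "vpn", "classified-archive", datetime(2021, 5, 4, 10, 0)),
        AccessRequest("bob", "staff", False, False, "public", "classified-archive", datetime(2021, 5, 4, 23, 0)),
        AccessRequest("bob", "staff", False, False, "agency-lan", "intranet-wiki", datetime(2021, 5, 4, 10, 0)),
    ]
    for s in samples:
        d = evaluate(s)
        print(f"{s.user} -> {s.resource}: allow={d.allow} reasons={d.reasons} session={d.session_minutes}min")
```

The design choice worth noting is that the sensitive tier adds conditions on top of the perimeter checks rather than replacing them, which is what lets the two tiers coexist during a gradual rollout: moving a resource from "internal" to "sensitive" is a one-line inventory change, and the deny-by-default for unknown resources means nothing slips through just because the inventory was incomplete.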

No zero trust strategy is perfect, and each deployment will evolve as needs are assessed. If an agency enters into zero trust with the right resources and expectations in place, however, it will go a long way to protecting government’s most sensitive assets from assault and exploitation.


About the Author

Ryan Oliaee is senior director for U.S. federal and state government with Adaptiva.

May 04, 2021 at 03:21AM