
Once and for all: think of zero-trust as a concept, not any one product or solution


The private and public sectors are under siege as ransomware attacks become more frequent and the groups carrying them out grow bolder in choosing their targets, often with the objective of upending daily operations.

Looking back on this year’s top cyberattacks, it wasn’t until the Colonial Pipeline incident caused major fuel shortages and disruptions that the federal government finally took notice. The result was the Biden administration’s Executive Order (EO). Issued on May 12, the EO aims to strengthen U.S. cyber defense measures, outlining actionable goals and resources to improve the country’s cybersecurity posture while asserting the adoption of a zero-trust architecture.

A recent Senate report found several large federal agencies have failed to implement sufficient data security protocols to date. The report urges Capitol Hill to pursue legislation that would formalize and unify cybersecurity measures across federal infrastructure. Without collective agreement about proper cyber defense protocols at the highest levels of government, it becomes exponentially more challenging to implement informed cyber policy for the entities those agencies oversee, such as schools, banks, and hospitals.

Significant movement towards this mission happened on July 28, when President Biden signed a National Security Memorandum (NSM) geared to protecting critical infrastructure. The NSM essentially addresses cybersecurity for critical infrastructure and implements long overdue efforts to meet the threats our country faces. On top of this, the recent passage and expected signing on Monday of the $1.2 trillion infrastructure bill promises more funding for cybersecurity in critical infrastructure.

Think of zero-trust as a mindset, not a product

While the NSM and the President’s EO are focused efforts mainly at the federal government level to address these significant threats, securing our critical infrastructure requires a nationwide effort. We’re still a far cry from implementing what’s needed to protect our public and private sectors. But maybe the answer lies at the center of the EO: deeper implementation of zero-trust protocols. Moving in that direction may help federal agencies stay better insulated from unauthorized access to sensitive data and insider threats.

Zero-trust has come into the spotlight over the last few years as more businesses seek out solutions to keep their increasingly diffused infrastructure secure. Newcomers tend to overlook that zero-trust is not a security solution or product, but a cybersecurity mindset. There are no boxes to tick off; it’s a journey unique to each organization based on its distinct environments, users, and business objectives. It’s best to think of zero-trust as an approach to operating and adapting security measures that enforce a mandate of “never trust, always verify” for all users.

While organizations can apply zero-trust across infosec ecosystems, most initiatives initially focus on identity verification and access controls. There are multiple actions businesses can take to contribute to and progress that journey. Security teams will find a single sign-on (SSO) approach very useful in reducing friction, as it ensures that they only need to verify users once per session to access anything they are authorized for.

Security teams also use multi-factor authentication (MFA) to enforce adaptive authentication, going beyond using simple usernames and passwords for authentication. Users who act suspiciously, such as trying to access assets outside of their remit, or logging in from previously unknown devices or locations, are challenged by automated systems to verify themselves with MFA. This should only occur when a user has reached the threshold based on a continuously monitored risk score, with no extra steps needed for users who are acting within acceptable bounds.
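The threshold-based challenge described above can be sketched as follows. This is an added example, not code from the column or from any product; the signal weights, the threshold of 60, the decay factor and all function names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights and threshold for illustration; tune from real telemetry.
WEIGHTS = {"unknown_device": 40, "unknown_location": 30, "out_of_remit": 50}
STEP_UP_THRESHOLD = 60
DECAY = 0.5  # risk halves after each request that raises no signal


@dataclass
class Session:
    known_devices: set
    known_locations: set
    remit: set                      # resources this user's role is authorized for
    risk: float = 0.0
    challenge_pending: bool = False


def signals_for(s, device, location, resource):
    found = []
    if device not in s.known_devices:
        found.append("unknown_device")
    if location not in s.known_locations:
        found.append("unknown_location")
    if resource not in s.remit:
        found.append("out_of_remit")
    return found


def evaluate(s, device, location, resource):
    """Return 'allow', 'challenge' (step-up MFA) or 'deny' for one request."""
    if s.challenge_pending:
        return "challenge"          # an unanswered challenge never decays away
    found = signals_for(s, device, location, resource)
    if found:
        s.risk += sum(WEIGHTS[name] for name in found)
    else:
        s.risk *= DECAY
    if s.risk >= STEP_UP_THRESHOLD:
        s.challenge_pending = True
        return "challenge"
    if resource not in s.remit:
        return "deny"               # MFA proves identity; it never widens authorization
    return "allow"


def complete_mfa(s, device, location):
    """After a successful challenge, remember the context and reset the score."""
    s.known_devices.add(device)
    s.known_locations.add(location)
    s.risk, s.challenge_pending = 0.0, False
```

A user who stays on known devices and in-remit resources never sees a challenge, and a passed challenge still leaves out-of-remit requests denied.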

Strong privileged access controls are also one of the most important elements to ensure the keys to the kingdom are locked down. Enforcing zero-trust depends on following the principle of least privilege, with users only being able to access data and applications just enough, just-in-time to complete a task. This requires strong implementation policies that limit information sharing and govern user authority. Then those rights must be revoked to ensure there are no standing privileges for cybercriminals to exploit.
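One way to model just-in-time grants that expire and are revoked, so that no standing privileges remain. This is an added example, not code from the column or from any vendor; the `JitBroker` class, its 900-second ceiling and the sample names in its comments are constructed assumptions.

```python
import time


class JitBroker:
    """Issues time-boxed, single-purpose grants; nothing is held by default."""

    def __init__(self, eligible, max_ttl=900, clock=time.monotonic):
        self.eligible = eligible    # {user: {(resource, action), ...}} requestable rights
        self.max_ttl = max_ttl      # hard ceiling in seconds, whatever is requested
        self.clock = clock          # injectable so expiry can be tested
        self.grants = {}            # (user, resource, action) -> expiry timestamp

    def request(self, user, resource, action, ttl, reason):
        if not reason.strip():
            raise ValueError("a task or ticket reference is required")
        if (resource, action) not in self.eligible.get(user, set()):
            raise PermissionError(f"{user} may not request {action} on {resource}")
        expiry = self.clock() + min(ttl, self.max_ttl)
        self.grants[(user, resource, action)] = expiry
        return expiry

    def is_allowed(self, user, resource, action):
        key = (user, resource, action)
        expiry = self.grants.get(key)
        if expiry is None:
            return False                    # default deny: no grant, no access
        if self.clock() >= expiry:
            del self.grants[key]            # expired rights are revoked, not ignored
            return False
        return True

    def revoke(self, user, resource, action):
        """Explicit revocation when the task finishes before the TTL runs out."""
        return self.grants.pop((user, resource, action), None) is not None

    def standing(self):
        """Live grants after sweeping expired ones; should trend to empty."""
        now = self.clock()
        self.grants = {k: e for k, e in self.grants.items() if e > now}
        return sorted(self.grants)
```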

Endpoint privilege management combines application control and privilege management to ensure that the organization only runs trusted applications, removing the common issue of arbitrary local admin access. This creates an approach to security far more dynamic than the old static approach of user names and passwords. Security must become adaptive and evolve based on current threats.

Collective effort for the zero-trust journey

As human error and poor cyber hygiene are the root of most modern breaches, we are constantly reminded of our shared responsibilities and collective efforts for combatting cybersecurity risks. Implementing a zero-trust approach to cybersecurity must be exactly the same – a collective, collaborative and cross-organizational effort.

Organizations cannot successfully implement a zero-trust security framework solely through the work of an IT department or individual team. Top management must support and drive zero-trust by developing and widely communicating comprehensive execution plans that deeply align and integrate with an organization’s existing and future core strategies.

Organizations must remain crystal clear about who’s responsible for the execution and delivery of each part of a zero-trust framework. Security and non-security focused teams must work together to quickly address and remediate issues raised by each counterpart and have an equal number of goals, milestones and measurable KPIs to hit. The National Cybersecurity Center of Excellence (NCCoE) recently initiated a project in collaboration with a select few organizations to demonstrate several approaches to a zero-trust architecture – designed in accordance with the NIST Special Publication (SP) 800-207, Zero-Trust Architecture – to help organizations further enhance their zero-trust frameworks.

Wherever an organization may be on their zero-trust journey, collaboration remains critical to its success.

Bill O’Neill, vice president of public sector, ThycoticCentrify
