With an increasing number of cyberattacks, organizations are taking a more proactive approach to realize “zero trust.”
The Pentagon recently announced a new zero-trust strategy that is expected to be revealed in the coming days. The plan will expand upon the Pentagon’s current approach to realizing zero trust with the goal to keep critical data secure by incorporating over a hundred activities and pillars including application, automation, and analytics.
As cyber capabilities continue to improve and evolve, officials are eager to construct a foolproof infrastructure. Officials have set a five-year deadline to implement zero-trust solutions.
Organizations already rely heavily on vendor-supplied zero-trust capabilities. However, the executive order identified gaps in current solutions. As a result, the DoD wants to architect a zero-trust strategy that brings the full scope of its authority and resources to bear on protecting and securing national assets.
Using the DoD’s zero-trust strategy as a framework, organizations can begin building out a zero-trust architecture with the following tips:
Integrate Zero Trust Policies with API Security
“The shortcoming in the current government strategies and directives related to Zero Trust is a complete absence of consideration for the applications that ride on the cloud and data center infrastructure that gets the majority of the ZT attention,” shares Richard Bird, CSO of Traceable AI.
“In order to achieve Zero Trust, application security and API security can’t be left out of the equation. Zero Trust without API security is simply not Zero Trust. If energy, dollars and effort to apply Zero Trust are entirely focused on the infrastructure and OS components of cloud, data center or hybrid deployment patterns, the bad actors will simply move their efforts to the attack surface that isn’t conditioned to Zero Trust. In every organization and agency on the planet, that attack surface is APIs and the applications they interact with.”
“The last several months of exploits and breaches around the world clearly show that the US government, while on the right track in driving organizations and agencies to move to the Zero Trust framework, is missing substantial direction to those same organizations as it relates to applications and APIs. The framework today overly relies on notions such as privileged access management to achieve some semblance of Zero Trust type control for applications, but this approach has proven to be woefully inadequate for user populations outside of the technology workers who access those applications.”
Protect against Diminishing Perimeters
Zero-trust architectures are built on the premise that there is no secure perimeter: every event and connection is treated as potentially untrustworthy or malicious until it is verified. By building zero-trust architectures, organizations can reduce the vulnerabilities associated with high-risk environments and operate a more secure and trustworthy network.
Arti Raman, founder and CEO of Titaniam, agrees that with the evolving nature of the cyber attack surface, it is imperative for organizations to build guardrails as preventive measures. She shares: “In the last 18 months, we have witnessed 4,000 cyberattacks across the world. Despite all the investment that has gone into cybersecurity globally, it is clear that our toolset is not yet complete. With more and more companies moving towards data-driven processes, the volume of personally identifiable information (PII) ingested and processed by companies is growing exponentially.”
“Organizations are consuming massive amounts of personal data that is directly tied to everyday people, and they’re often utilizing cloud-based services to help store it. This poses additional security concerns. When the data involved is government data, security concerns become even larger. The Biden administration recognized this need and as a response last year, we saw the administration’s Executive Order on Improving the Nation’s Cybersecurity. More recently, we saw the White House hosting its 2nd International Counter Ransomware Summit, where top national and global officials and representatives from some of the largest technology companies came together to discuss the next steps.
While cybersecurity is a complex issue, a direct route to solving malicious attacks is to create strong guardrails around our sensitive data. Most often, sensitive data compromise comes from cybercriminals using privileged credentials to access data repositories. Unfortunately, in such scenarios, traditional methods of data security such as encryption-at-rest fail to prevent data compromise because these controls cannot distinguish legitimate users from attackers with stolen credentials. One of the most effective solutions to eliminate data compromise and implement true zero trust for data is encryption-in-use or data-in-use encryption. We recommend U.S. businesses and government agencies consider data-in-use encryption because data and IP are encrypted and protected even while they are being actively utilized, neutralizing all possible data-related leverage that attackers could gain, and limiting the blast radius of cyberattacks. Encryption-in-use is one of the strongest and most effective guardrails that can be implemented toward zero-trust data security.”
In addition, with the rise of remote and hybrid working environments, the need for zero-trust architecture and networks is growing rapidly.
“With the rise of remote and hybrid working, the traditional perimeter as we know it is gone. That is why Zero Trust Architecture and networks are so important for a company’s cybersecurity strategy,” says Justin McCarthy, Co-Founder and CTO of StrongDM.
At its essence, Zero Trust helps reduce security breaches by removing implicit trust from your system’s architecture. Unlike traditional security, with Zero Trust, each access point must be validated before a user is trusted and given access within the network.
Zero Trust security believes that a breach will inevitably occur in addition to acknowledging that threats exist both inside and outside of the network. Because of this, it continuously scans for malicious behavior and restricts user access to what is necessary to complete the task. In addition, users (including potential bad actors) are prevented from navigating the network laterally and accessing any unrestricted data.
Some may say that Zero Trust will hinder productivity, which could be the case if backend management processes and governance operations are granted manually. But it’s the opposite if you have the right tools to make it easy to grant access and audit access control. The result of Zero Trust architecture, especially when it comes to improving the nation’s cybersecurity, is higher overall levels of security, easy accessibility and reduced operational overhead.”
Increase Visibility of Identity Management
Compromises can come at any point within the digital ecosystem. The key to defending critical assets is not placing inherent trust in perimeter security.
Jeannie Warner, director of product marketing at Exabeam, shares: “Last year, the White House’s Executive Order 14028, “Improving the Nation’s Cybersecurity,” recognized the need to adopt zero-trust models across federal agencies. I am excited to see our national administration continue to acknowledge the sophistication of the threat landscape and implement this new zero-trust strategy that bears the full scope of the Department of Defense (DoD)’s authority and resources in protecting and securing our data environment.
A compromise could come at any point within the ecosystem, and more often than not it will come from an adversary using valid credentials. It’s clear that “watching the watchers” in security terms is important. This is where Threat Detection, Investigation, and Response (TDIR) capabilities should be focused, and why any security operations team needs to consider having visibility of their identity management, security log management, and other threat detection tools across their on-premises and cloud attack surfaces.”
Gal Helemski, CTO/CPO of PlainID, agrees that organizations should increase the visibility of identity management by integrating authorization technology into their zero-trust architecture. Authentication establishes that a user accessing a system is who they claim to be; authorization then determines what that authenticated user is permitted to do with each resource. Evaluating both on every request provides an extra layer of security beyond the login itself.
“Seeing the Pentagon reinforce their security strategy is a positive sign. The government holds the most sensitive data out there, and in today’s world, you cannot put your trust in any static, perimeter-based security system. Every single data access needs to be assessed in real-time with a specific context of who is accessing what data, from where, and how. This will massively improve the cybersecurity capabilities of these three federal agencies.
Everyone must realize that the key to defending an organization from future cyberattacks is protecting the data and the applications, by ensuring that even if a bad actor (which can be a federal employee sometimes) has gained access credentials, they don’t have automatic access to any or all data. To quote from the memorandum: “Authorization, a critical aspect of zero trust architecture, is the process of granting an authenticated entity access to resources. Authentication helps ensure that the user accessing a system is who they claim to be; authorization determines what that user has permission to do.”
Let’s face it, zero-trust is the only way to secure a modern, decentralized enterprise, in which data and applications are accessed from anywhere by employees, customers and partners.”
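The distinction the memorandum draws between authentication and authorization, and the point made above that every data access should be evaluated in real time against who is asking, for what, from where and how, is easier to see in code. The following is an added example written for this page; it is not code from PlainID, StrongDM or any other vendor quoted here. The credential store, the role names, the `payroll/` and `wiki/` resources, the device-posture and MFA-age fields and the policy rules are all constructed for the illustration. The point it demonstrates is the one in the quote: a stolen but valid password passes authentication, yet the per-request authorization decision still denies access when the context does not match policy.

```python
"""Context-aware, per-request authorization for a zero-trust service.

Added illustration for this article, not vendor code. Every user, resource,
rule and context value below is constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# --- Authentication: establishes WHO the caller is -------------------------

_SALT = os.urandom(16)  # one salt for the toy store; a real IdP salts per user


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)


# Constructed credential store standing in for the identity provider.
_USERS = {
    "alice": {"hash": _hash("correct horse"), "roles": frozenset({"finance"})},
    "bob": {"hash": _hash("battery staple"), "roles": frozenset({"engineering"})},
}


@dataclass(frozen=True)
class Principal:
    subject: str
    roles: frozenset


def authenticate(user: str, password: str) -> Optional[Principal]:
    """Return a Principal only if the credential is valid (constant-time compare)."""
    rec = _USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["hash"], _hash(password)):
        return None
    return Principal(user, rec["roles"])


# --- Authorization: decides WHAT an authenticated caller may do, per request --

@dataclass(frozen=True)
class Context:
    device_managed: bool  # device posture / MDM attestation (assumed signal)
    mfa_age_s: int        # seconds since the last MFA challenge
    network: str          # "corp", "vpn" or "internet"


@dataclass(frozen=True)
class Rule:
    resource_prefix: str
    action: str
    role: str
    managed_device: bool = False
    max_mfa_age_s: Optional[int] = None
    networks: frozenset = frozenset({"corp", "vpn", "internet"})


# Deny by default: only what a rule explicitly grants is allowed.
POLICY = [
    Rule("payroll/", "read", "finance", managed_device=True,
         max_mfa_age_s=3600, networks=frozenset({"corp", "vpn"})),
    Rule("payroll/", "export", "finance", managed_device=True,
         max_mfa_age_s=300, networks=frozenset({"corp"})),
    Rule("wiki/", "read", "engineering"),
    Rule("wiki/", "read", "finance"),
]


def authorize(p: Principal, action: str, resource: str,
              ctx: Context) -> Tuple[bool, str]:
    """Evaluate the request against POLICY; never cached per session."""
    reason = f"{resource}: no rule grants '{action}' to {p.subject}"
    for r in POLICY:
        if (not resource.startswith(r.resource_prefix)
                or r.action != action or r.role not in p.roles):
            continue
        # A matching rule still has contextual conditions to satisfy.
        if r.managed_device and not ctx.device_managed:
            reason = f"{resource}: '{action}' requires a managed device"
            continue
        if r.max_mfa_age_s is not None and ctx.mfa_age_s > r.max_mfa_age_s:
            reason = f"{resource}: MFA older than {r.max_mfa_age_s}s"
            continue
        if ctx.network not in r.networks:
            reason = f"{resource}: '{action}' not allowed from {ctx.network}"
            continue
        return True, f"{resource}: '{action}' granted via role {r.role}"
    return False, reason


def handle(user: str, password: str, action: str, resource: str,
           ctx: Context) -> Tuple[bool, str]:
    """Authenticate, then authorize; a good password alone is never enough."""
    p = authenticate(user, password)
    if p is None:
        return False, "authentication failed"
    return authorize(p, action, resource, ctx)


if __name__ == "__main__":
    trusted = Context(device_managed=True, mfa_age_s=60, network="corp")
    stolen = Context(device_managed=False, mfa_age_s=99_999, network="internet")
    print(handle("alice", "correct horse", "read", "payroll/q3.csv", trusted))
    # Same valid credential, attacker-like context: authenticated, not authorized.
    print(handle("alice", "correct horse", "read", "payroll/q3.csv", stolen))
```

The second call is the case the article is about: the credential is genuine, so a perimeter or login-only model would let it through, but the request is evaluated against device posture, MFA freshness and network on every call and is refused. Swapping the hard-coded store and context fields for an IdP token and real posture signals is the integration work; the decision shape stays the same.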