The fact that technology has advanced by leaps and bounds remains indisputable. However, the best way to govern data and protect systems is subjective. However, a new approach could significantly change the way agencies think about security for the better by establishing a design concept around security.
The new approach, zero trust, is a security idea centered on the principle that organizations must control how people, data and information systems interact to reduce security risks and improve the way systems function.
Zero trust treats all users, devices, data and service requests the same and requires continuous authentication and authorization to allow accessibility to any asset. Zero trust is not a purchasable product; rather, it is a concept to help organizations structure their security strategy. It provides better security within an existing organizational framework for better data protection.
The American Council for Technology-Industry Advisory Council (ACT-IAC) was tasked by the Federal CIO Council with assessing the maturity, readiness, and suitability of zero trust technologies in terms of their potential use in government. The report, titled “Zero Trust Cybersecurity Current Trends,” was released on April 18.
ACT-IAC found that zero trust solutions were already in use in the private sector, and there were competitors and partners using the technology. There is not a single, holistic zero trust solution offered right now from just one vendor, according to the report. A multi-vendor strategy would be necessary to develop a thorough solution. However, many companies have partnered together to offer comprehensive services.
Zero trust is built on six key pillars, and some agencies may already have tools and components in place that they can leverage. The first pillar is the user. Continuous authentication of trusted users in order to monitor their access and privileges through the use of technologies like Identity, Credential and Access Management (ICAM) and multi-factor authentication is crucial to the success of zero trust.
The second pillar is the device or evaluating the cybersecurity posture and trustworthiness of devices. The third pillar is the network, or network security, which must be controlled as agencies grow. Segmenting, isolating, and controlling the network is crucial for security.
The fourth pillar is applications or managing the application layer to lead to better access decisions. Multi-factor authentication is an important part of efficient access control in zero trust environments.
The fifth pillar is automation, or security automation response tools that speed up workflows while also allowing for oversight. The sixth, and last, pillar is analytics and security visibility. You have to see and understand threats in order to combat them. Analyzing cyber-related events can help with the development of proactive — instead of reactive — security measures.
A well-known example of zero trust implementation is Google’s “BeyondCorp” model, which is a security framework that moves access controls from the perimeter to individual devices and users. Google used original zero trust principles to build BeyondCorp, mainly the principle that traditional security is insufficient when it comes to protecting internal networks and data. Google also supports the growth of the cloud, so that was incorporated into its strategy. BeyondCorp’s zero trust approach involves the principle that the network you connect from must not determine what services you have access to. Instead, access is granted based on the information the company has about you and your device. All access has to be authenticated, authorized and encrypted.
Each component of BeyondCorp can be mapped to a zero trust pillar. One component is single sign-on, which allows one user to access more than one independent, but related, software system. Many components are delivered by Google Integrated Access Proxy, as part of the Google Cloud Platform.
Instead of asking “how do we determine how trustworthy something is?” Zero trust principles ask, “how do we gain sufficient trust?” This is a shift to innate distrust, an assumption that all data and transactions are untrusted from the start. The “never trust, always verify” approach leads to greater visibility over what is happening over the network. Protecting data within a network is another benefit of zero trust, as well as better overall protection over existing and evolving threats.
For more information about zero trust, including a phased approach to implementation, access the full report here.