No, this approach wouldn’t have saved the Titanic, but that doesn’t mean you didn’t miss lots of Titanic references in yesterday’s online training, Zero Trust: The Next Generation Security Architecture for Government. Not the ones that crack at the part where Rose and Jack float away on the raft, but the ones “where bulkheads were supposed to prevent one leak from sinking the ship, but the walls weren’t high enough,” according to Officer James Clapper.
Expert panelists Mitch Herckis, Director of Government Affairs at the National Association of State Chief Information Officers (NASCIO) and Stephen Power, Networking and Security Specialist of VMware’s Federal Civilian division discussed the current state of cybersecurity at the state and local level, the current challenges of limiting the damages of (inevitable) breaches and how employing a Zero Trust strategy can keep your agency more secure than your current infrastructure.
Government’s data makes it an attractive target. So when there are several individuals making decisions about how to go about securing the network and what to prioritize, emerging IT and data on the move, and inadequate communication of risks, you can pretty much assume there will be a data breach.
Herckis listed the reported causes of government data breaches, number one being unintended disclosure. Something simple as someone leaving their laptop, accidently attaching their password to emails, or allowing someone else access to files could take up to two months between discovery and disclosure, a gap that government cannot afford, costing them on average $194 per lost or breached record, and an average total of $8.4 million. So who’s responsible? Everyone. From the CIO to Agency Leaders to Third Party Contractors, everyone is responsible for protecting data. Check boxes or compliance isn’t enough. An investment in a risk management approach is the key here and the 2014 Deloitte-NASCIO Cybersecurity Study offers suggestions to such approach.
Key Themes from the 2014 Study include:
- Maturing role of the CISO (gain visibility and authority)
- Budget-strategy disconnect (strategies and metrics are not in place to help point dollars to the right direction, or to define a new line item)
- Cyber complexity challenge (continuous monitoring and early detection)
- Talent crisis (Information Security employees are in extreme demand – retirees, long hiring process, lack of define qualifications or career paths)
Herckis left us with the question of how do we take this environment – evolving technology and rapidly escalating cyber threats – and tackle it with a holistic strategy? The answer: Zero Trust approach.
According to a recent Govloop survey 86% of respondents said security was “very important” to their agency. This is not surprising. What is surprising is that nearly 80% of survey takers had barely heard of the Zero Trust approach. Our training aimed at providing a clearer understanding of what the approach is and why it is necessary for government.
Unbreakable, unsinkable. Like the Titanic of the 21st century, “compartmentalization would have limited the impact of every modern cyber security breach,” according to Power. With the traditional approach – thousands of system and only three zones – attacks spread inside the data center, where internal controls are often weak. With the new approach – thousands of systems and thousands of zones – security is increased behind perimeter firewalls that are built into the server.
Simply put, what the Zero Trust approach does is create a security policy and architecture that trusts no one, and makes the assumption that security defenses will ultimately be breached. A Zero Trust approach allows public sector entities to make their cybersecurity posture far more resilient, limit the damage of any breaches, while giving better success rates for protecting citizen data.
Zero Trust, or as VMware refers to it, micro-segmentation, enables security that focuses around the following key entities:
- Isolation and segmentation
- Unit-level trust/least privilege
- Ubiquity and centralized control
With the Zero Trust model, agencies can start to visualize where cybersecurity is today and what methods are needed to compartmentalize them. When you think of the walls within a data center as a unit – or a room like in the Titanic – building compartments down to every system ships data off safely and limits breaches.
To learn more about this new approach to cybersecurity, view the on-demand version of the training here.
Very informative/useful.
I find it somewhat disingenous to call it “Zero Trust” when part of the Zero Trust Framework structure is central management from a single console. Can the console control the structure without there being trust that this single console has not been hijacked?