“Trust no one” used to be a rallying cry for fans of the TV show The X-Files. Now it’s part of the US federal government’s zero-trust architecture, a new cybersecurity standard laid out in January.
“The foundational tenet of the zero-trust model is that no actor, system, network, or service operating outside or within the security perimeter is trusted,” according to a Department of Defense Zero Trust Reference Architecture document. The truth is, zero trust has been around for more than a decade. But what does it mean today, and should companies follow the government’s lead?
According to the concept of zero trust, all access is untrusted no matter its origin. When first introduced, zero-trust principles were directed toward network perimeter security, but they were quickly expanded to include cloud and mobility. More recently, the “seven pillars of the ZTX Zero-Trust model” emerged to subsume data, people, networks, devices, and workloads. The final two pillars, visibility and analytics, have driven enterprises to introduce automation and orchestration to produce actionable intelligence and, ultimately, situational awareness. In some respects, the quest for zero trust has progressed dramatically. However, many confidential sources still go unaddressed, in the realm of DevOps, for instance. Advances in security orchestration, automation, and response (SOAR) will produce a 360-degree view of vulnerabilities and help zero-trust policies become more pervasive.
The reality is that the current geopolitical situation has placed our federal government’s infrastructure, networks, and data at greater risk from state-level actors. This order is a necessary first step toward improving the government's defense against global cyber threats. The strength of zero trust is that it starts with data origination, which ensures that all the applications and systems are safe from their inception.
Zero Trust Relevance to Private Sector
Zero trust is as relevant for private enterprises as it is for the federal government. In many organizations today, users in any department can download any application and use it without consequences. That application can create security holes that escape the scrutiny of IT/InfoSec and, in the worst case, expose data to malicious users. Adopting a zero-trust architecture can protect businesses from this type of scenario, especially since governance policies in any given enterprise may be weak. In many ways, zero trust gets us closer to a single “universal policy.”
By removing the “trust” requirement from access policy, zero trust will eliminate the “back doors” introduced by many current applications. Of course, the highest level of zero trust comes with the removal of the technical means by which unauthorized users access confidential information. Organizations with the strictest requirements will strive for this standard.
The federal government could even take it another step forward. We recommend creating a Cybersecurity & Infrastructure Security Agency (CISA) or Joint Authorization Board (JAB) covering the Department of Homeland Security, the General Services Administration (GSA), the Department of Defense, and other government agencies to push the boundaries even further. A zero-trust certification for vendors could make it easier for agencies to certify their solutions against government norms. Vendors should be required to benchmark the time and effort customers need to adopt zero-trust maturity models using their solutions. This would help agencies select the right solution among multiple zero-trust certified solutions.
In the end, zero trust comes down to helping the US government eliminate unauthorized access. The federal zero-trust initiative requires agencies to meet specific cybersecurity standards and objectives by the end of fiscal year 2024 in order to reinforce the government’s defense against increasingly sophisticated and persistent threat campaigns. Let’s unite in pursuing a common zero-trust goal to help raise the overall security standards that protect our government.