In May, US President Joe Biden’s executive order on cybersecurity marked the launch of an ambitious, in-depth approach to improving the digital defenses of the federal government in the wake of multiple sophisticated attacks on the public and private sector. Biden’s order covered significant ground, including strengthening software supply chain security and implementing data encryption. But what grabbed my attention most was the focus on Zero Trust.
For years, security teams have put their time, effort, and money into maintaining the moat and walls around their digital castles. The days when users had to physically visit the office or use a VPN to access IT resources and corporate data are gone. In the last decade, the workforce has gotten more distributed, more mobile, and more difficult for organizations to manage and secure as cloud adoption has continued to grow.
For forward-thinking organizations, identity must be at the center of security. Most modern breaches involve compromised credentials at some point during the attack, whether stolen, phished, or reused. To reduce the risk posed by these incidents, organizations need the ability to verify the identity of every user and device at the time of access and to continuously enforce policies built on the principle of least privilege. That is the problem Zero Trust sets out to solve.
From buzzword to reality
The days of dismissing Zero Trust as a buzzword are over. The case for it has only gotten stronger: once the network location of a request no longer says anything useful about who is behind it, the verified identity of the user and the device becomes the best basis for an access decision.
Identity Defined Security Alliance (IDSA) research has shown organizations are increasingly recognizing this. In the IDSA’s 2021 Trends in Securing Digital Identities report, 93% of IT security experts felt that Zero Trust is strategic to securing their organizations, and 97% agreed identity is a foundational piece of Zero Trust. Many companies are planning to invest in identity-focused security in the years ahead.
What may challenge those organizations, and the federal agencies working to comply with Biden’s order, is a combination of limited understanding of their own environment, the cost of implementing the necessary technologies, and the cybersecurity skills gap. When it comes to Zero Trust, true knowledge of the environment starts with mapping users, the access rights they hold, and the applications those rights apply to. Among the identity-focused security outcomes recommended by the IDSA, one of the most basic yet mission-critical activities for security and identity professionals is the discovery and attestation of privileged access rights: finding every account that holds administrative control over a system, confirming with an owner that each of those rights is still needed, and revoking the ones that are not. This kind of visibility is a prerequisite for both network segmentation and multifactor authentication (MFA), which are both key components of a Zero Trust approach; you cannot segment or step up authentication for access you do not know exists.
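As an added illustration of the discovery-and-attestation step described above (this is example code written for this page, not a tool from the IDSA, Thales, or the executive order), the script below walks a constructed access inventory, lists every privileged grant per application, and flags the grants that fail three checks a reviewer would want: no recent owner attestation, no MFA enrolled, and no recent use (a candidate for revocation under least privilege). The set of entitlement names treated as privileged, the 90-day windows, and the sample grants are all assumptions chosen for the example.

```python
"""Privileged-access discovery and attestation over a constructed inventory.

Example code added for illustration; the privileged-entitlement list, review
windows and sample data below are assumptions, not taken from any real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed definition of "privileged": entitlements that grant administrative
# control. A real program would take this from each application's role model.
PRIVILEGED_ENTITLEMENTS = {"admin", "owner", "root", "domain-admin"}


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    entitlement: str
    last_used: Optional[date]    # None = never used since the grant was made
    mfa_enrolled: bool           # user has a second factor registered for this app
    attested_on: Optional[date]  # last date an owner confirmed the grant is needed


# Constructed sample inventory (not real users, applications or dates).
TODAY = date(2021, 7, 1)
INVENTORY: List[Grant] = [
    Grant("alice", "payroll", "admin", date(2021, 6, 28), True, date(2021, 5, 1)),
    Grant("bob", "payroll", "viewer", date(2021, 6, 30), False, None),
    Grant("carol", "vpn-gateway", "root", date(2021, 1, 10), True, date(2020, 9, 1)),
    Grant("dave", "directory", "domain-admin", None, False, None),
    Grant("erin", "crm", "owner", date(2021, 6, 15), True, date(2021, 6, 1)),
]


def is_privileged(grant: Grant) -> bool:
    return grant.entitlement in PRIVILEGED_ENTITLEMENTS


def discover_privileged(inventory: List[Grant]) -> Dict[str, List[str]]:
    """Discovery: map each application to the users holding privileged rights."""
    by_app: Dict[str, List[str]] = {}
    for g in inventory:
        if is_privileged(g):
            by_app.setdefault(g.app, []).append(g.user)
    return by_app


def attestation_findings(
    inventory: List[Grant],
    today: date = TODAY,
    attest_every_days: int = 90,
    dormant_after_days: int = 90,
) -> List[Tuple[str, str, str]]:
    """Attestation: return (user, app, finding) for every privileged grant that
    fails a check. Non-privileged grants are ignored; they are not in scope for
    this review."""
    findings: List[Tuple[str, str, str]] = []
    for g in inventory:
        if not is_privileged(g):
            continue
        # No owner has confirmed the right within the review window.
        if g.attested_on is None or (today - g.attested_on).days > attest_every_days:
            findings.append((g.user, g.app, "needs-attestation"))
        # Privileged access without a second factor is the first thing to fix.
        if not g.mfa_enrolled:
            findings.append((g.user, g.app, "no-mfa"))
        # Unused privilege is standing risk; least privilege says remove it.
        if g.last_used is None or (today - g.last_used).days > dormant_after_days:
            findings.append((g.user, g.app, "dormant-revoke-candidate"))
    return findings


if __name__ == "__main__":
    for app, users in sorted(discover_privileged(INVENTORY).items()):
        print(f"{app}: privileged users = {', '.join(users)}")
    for user, app, finding in attestation_findings(INVENTORY):
        print(f"FINDING {finding}: {user} on {app}")
```

Run as-is, the script reports four applications with privileged holders and five findings: carol's root on the VPN gateway is both overdue for attestation and dormant, and dave's domain-admin grant fails all three checks. In practice the inventory would be pulled from the directory and each application's role store, and the findings would feed a ticket to the application owner rather than a print statement.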
Part of having a clear view of the environment is classifying critical data and systems. Sensitive data should be encrypted as compliance regulations require, and access to it should be governed by organizational policies built on the principle of least privilege. Knowing where data lives is also vital, particularly as mobility and cloud adoption move it off premises and out of reach of the old perimeter controls.
As with all IT initiatives, the cost of implementing security is a factor. But it is important to remember that a Zero Trust architecture does not have to become a reality all at once. Once the business case for Zero Trust is made and there is executive buy-in, organizations can assess where exactly they are on the road to Zero Trust and decide which steps to take first. An incremental approach may work best, and the cost will vary depending on which identity defined security outcomes have already been implemented. Legacy components can be replaced as needed. For federal agencies, the calls for change in the executive order have been accompanied by discussions about increasing the budget for the Technology Modernization Fund as well as the Cybersecurity and Infrastructure Security Agency (CISA).
Less trust, more security
Just as in life, trust in IT is a precious commodity. Federal agencies attract attackers of all kinds, from sophisticated nation-state threat actors to malicious insiders. Policing traffic and controlling access to systems and data will only continue to grow more complex. It is time for organizations to rethink their security models and adjust to a perimeter that is no longer clearly defined.
Unsurprisingly, the federal agencies that are most impacted by regulations that demand a higher level of cybersecurity monitoring and enforcement will have the shortest distance to travel to comply with the executive order by the deadline. Similarly, organizations that already have to meet the demands of regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) are likely to be much closer to realizing a true Zero Trust environment than others. With its emphasis on access control, Zero Trust is effectively a compliance-enabler for the private and public sectors alike.
As the government pushes its agencies to adopt Zero Trust architectures, it should serve as a reminder that the old days of perimeter-first security are gone. To keep pace with the challenges created by digital transformation, mobility, and remote workforces, organizations need to adapt their strategies to put identity at the center of security.
To learn more about the resources available from the public and private sector, as well as hear from experts who are well down the path to implementing Zero Trust, attend the upcoming LinkedIn Live event, co-hosted by the IDSA, National Cyber Security Alliance and NIST National Cybersecurity Center of Excellence. Register for Making Sense of Zero Trust: Perspectives from Inside and Outside Government Organization.
About the Author: Asaf Lerner is the IAM Market Owner for Thales. He brings over 20 years of swimming in the high IAM seas, serving in different positions in the industry, from R&D management to PKI and Authentication Product Management and various market-facing roles. Located in Austin, TX, Asaf is in charge of the IAM solutions market for the Americas at Thales Cloud Protection & Licensing (formerly Gemalto/SafeNet). Under his responsibility is creating market awareness of Thales’s IAM solutions, enhancing market partnerships, and creating healthy channel workstreams. He likes long-distance running and thinks he’s good at Ping Pong.