The days of a traditional cybersecurity approach are gone. You can’t simply defend your network perimeter and assume everything inside is safe.
With cybersecurity threats, business models, and workforce dynamics evolving, granting users or devices broad privileges and trusting that they haven't been compromised isn’t sufficient anymore.
Applying the principle of “never trust, always verify” is gaining more traction every day. In a Zero Trust framework, trust is never assumed — all entities are treated as if they’re already compromised. In the past, if an asset was inside the network, it was assumed trustworthy. The opposite was true for anything emanating from the internet. Today, a more risk-driven and context-aware approach is necessary to strengthen your security posture and limit your attack surface. And that’s the foundation of Zero Trust.
Zero Trust and the federal government
The push for Zero Trust is moving beyond private enterprise. It’s now a mandate for federal agencies.
As part of President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity, the federal government is focusing on actions that modernize its approach to cybersecurity. And Zero Trust is a major component. Specifically, the executive order directs federal agencies to develop and implement plans to adopt Zero Trust principles by September 2024.
Along with the executive order, the National Institute of Standards and Technology (NIST) Special Publication 800-207 and the National Security Agency’s (NSA’s) “Advancing Zero Trust Maturity throughout the User Pillar” Cybersecurity Information Sheet are some of the other initiatives playing a part in the government’s Zero Trust cybersecurity guidance.
The Cybersecurity and Infrastructure Security Agency (CISA) also recently updated its roadmap to help the U.S. Department of Commerce and other federal civilian agencies make the transition to Zero Trust. In its Zero Trust Maturity Model Version 2, CISA added the initial phase to the stages of maturity to reflect that agencies are starting their journey to Zero Trust from different starting points. The four stages of maturity are now: traditional, initial, advanced, and optimal.
The Zero Trust Maturity Model consists of five pillars: identity, devices, network, data, and applications and workloads. Version 2 “provides a gradient of implementation across the five distinct pillars to facilitate implementation”, so agencies can make minor advancements over time as they transition to a Zero Trust architecture.
The tech that’s integral to Zero Trust
Implementing Zero Trust requires various security measures. But where do you start? By first answering some key questions:
- What is the device that’s trying to access corporate assets?
- Is the core software up-to-date?
- What vulnerabilities exist on the device?
- Is the device managed?
- Which user is logged in?
- Does the user have access?
Now that the key questions have been asked, let’s explore some of the technology that can help you get to a Zero Trust architecture.
- Active Directory (AD): Helps us understand users, user roles, user permissions, and the devices they’re using. AD also clarifies how each entity fits in the organizational policy.
- Endpoint protection: Many companies have policies with endpoint protection agents being put on every possible endpoint, giving the organization visibility into the security state of desktops, laptops, mobile devices, and other hardware.
- Vulnerability assessment: Helps organizations implement multi-factor, passwordless, or other forms of enhanced authentication for added security control and convenience.
- Mobile device management: Can be used to automatically grant and revoke access at any time (without needing physical access) to an employee’s personal devices.
- Cybersecurity asset management: Provides a comprehensive view into all assets and users to see the security coverage for each. Doing so, you can automatically aggregate and correlate asset data into a single, actionable view.
We take a deeper dive into how Zero Trust evolved, what it takes to implement Zero Trust, what are the necessary steps to help you get on the path, and more in our ebook.
Download the ebook, “The First Step to Zero Trust: Building a Strong Cybersecurity Foundation”, now.