In Zero Trust, communication is key.
In January of 2022, the US Office of Management and Budget (OMB) presented its Federal Zero Trust Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems. It focuses primarily on a Zero Trust approach.
Zero Trust assumes that no actor/service/system can be trusted and, therefore, moves the concept of cyber defense from the perimeter to—or closer to—the individual data repository or application. Equally important, Zero Trust increases the breadth and depth of continual verification and evaluation versus the traditional single verification at the network perimeter.
The Zero Trust cybersecurity objectives set out by the EO and OMB must be met by September 2024. With deadlines looming and a cyber workforce shortage in play, how do you navigate it all?
Let’s play ball.
Zero Trust isn’t just an action or process; it’s a mindset, and one that needs to permeate your entire organization, not just the technical parts. Therein lies the challenge.
As Glen Hernandez, Cpt (retired) U.S. Coast Guard, CISO, AFCEA Zero Strategies Trust Sub-committee says, “It is a different mindset organizations need to embrace. It’s very different from the castle and moat analogy to protect your organization by digging a deeper moat or building a higher fence. It is really about the organization’s purpose in trying to understand it’s about the organization’s purpose. What was the organization designed to do, and how are you going to protect the crown jewels of that organization in the data and transactions?”
Rather than a castle and moat, think of Zero Trust in terms of a baseball game. Ordinarily, when you go to the ballpark, you have a checkpoint at the gate. After passing through the gate, you are free to wander about the stadium. With Zero Trust, you are checked at the gate and at every other stop along the way: at the bathroom and concessions, when you take your seat, and when you get up to leave again. Instead of assuming trust after that first checkpoint, you are assuming breach at every point along the way. Instead of just getting validated once, you will be validated multiple times.
Technology is only part of the Zero Trust answer.
Communication is critical to aligning everyone with the mindset. The analogies above illustrate how communication is simplified. Because it’s a mindset and a culture, theoretically, everyone will be on the same page. They will understand the organization’s purpose and intended outcomes in a uniform way. They will all be aligned with the rules, so there’s no wiggle room—trust no one. And, with consistent, simple protocols in place, there is never any doubt.
Because Zero Trust is an enterprise-wide collaboration, you also need strong leadership to socialize messages, stress importance, define expectations and demonstrate compliance. The buy-in is critical to effectuating a successful process for prioritizing and managing these policies across the enterprise. It is a more critical step than it seems. The entire organization needs to embrace the Zero Trust paradigm every day, in every instance, on every device.
So how are you supposed to pull that off?
Undoubtedly, the most significant change prescribed by Zero Trust is the depth and frequency of validation of both user identity and the configuration of the endpoint/system accessing the infrastructure. As mentioned earlier, a foundational concept of Zero Trust is that validation moves from a single instance at the perimeter of the network to individual validations at each data source.
With so many employees working remotely, the importance of secure network access control (NAC) has never been higher. As an umbrella of cyber technologies/initiatives, Zero Trust relies on and builds on many traditional cyber best practices and technologies.
Good cyber hygiene and a basis for driving it are foundational. First, you need to inventory your apps and tools and look at what you can do better. Then you’ll eventually want to establish a baseline of security. Following that, you’ll want to maintain it. It’s a massive task that is nearly impossible to do well manually. Here is where automation is vital, not just to speed your discovery, but also to optimize your people in the midst of a cyber workforce shortage. SteelCloud’s automation solution, ConfigOS, can help you develop and maintain your baseline while saving your experts’ valuable time.
Beyond that, you want to pay particular attention to your firewalls, IDS/IPS, anti-virus/malware, two-factor authentication, secure endpoint configurations, and NAC. Zero Trust also dictates additional capabilities to support its new paradigm and specific changes in the implementation of traditional cyber technologies/best practices.
Deadlines are looming. The time to start is now.
2024 is approaching faster than you think. Add the complexity of the increasing number of remote and mobile workers, and agility—backed by a plan—has never been more critical. So, stepping into Zero Trust now is very advantageous. Communication is key. Good cyber hygiene is a must. Workforce optimization is vital. And simplifying processes makes everything easier.
The reality is that you can’t protect everything, so you need to prioritize areas of concern. But if you want to hit a home run with Zero Trust, automation will help you achieve your goals quicker. We can help you create that essential foundation of cyber hygiene and cybersecurity. This is what SteelCloud does best. Let us know if you have any questions about your OMB/EO journey or adopting Zero Trust principles.