
To Trust or Not to Trust? The Answer is Both

April 4, 2022

In cybersecurity partnerships, you have to trust to achieve Zero Trust

Our nation’s computer networks are on high alert. There are credible threats to our cybersecurity. And the Department of Defense urges us to take a Zero Trust posture. But before you can have Zero Trust, you’ll need help identifying and prioritizing your most critical assets.

To accomplish this task, you will need a trusted automation partner in STIG & CIS controls, because Zero Trust can only be truly effective when it operates on a continually secure baseline. All of this takes a lot of time, expertise, and money, which can be offset through automation.

First, let’s get a handle on Zero Trust.

Zero Trust grants no implicit trust to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned). Traditional perimeter security models build walls between trusted and untrusted sources. The firewall between your local network and the internet is an example. Zero Trust models, in contrast, basically posit that bad guys are everywhere, so you should trust no network, no user, and no location when it comes to accessing your data.

A Zero Trust network is built upon five fundamental assertions:

  • The network is always assumed to be hostile
  • External and internal threats exist on the network at all times
  • Network locality is not sufficient for deciding trust in a network
  • Every device, user, and network flow is authenticated and authorized
  • Policies must be dynamic and calculated from as many sources of data as possible

The Zero Trust approach builds in multiple layers of secure access to limit the breadth of any breaches that may occur. Then, with continuous auditing as required by STIGs (Security Technical Implementation Guides), you can spot bad actors before they have a chance to do harm.

Now let’s understand Zero Trust’s partnership with STIGs.

A key aspect of Zero Trust involves auditing to ensure that users with allowed log-in access are doing what they are supposed to be doing when they are supposed to be doing it. Before a device joins the network, it is required to have certain cyber hygiene principles in place, such as antivirus software. STIG controls help capture unauthorized access attempts and access, making 24/7 monitoring a must.

This level of auditing helps to deter inside threats, provides knowledge as to who is attempting to gain access, and identifies patterns to enable the tracking down of a malicious source.

In addition to simplifying auditing, STIGs can block hackers at many avenues of approach. For example, the STIGs for firewalls shut down nearly any port that the client does not use regularly. And Operating System STIGs restrict server access to defined users. They go even further to block access in general by privileged groups, like the domain admins. STIGs also remove guest accounts and ask that users not share logins. All these steps verify who is supposed to have access to the machines and work to keep it that way.
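The kinds of checks described above can be pictured as a drift audit of one host against an approved baseline. The following is an added example, not SteelCloud or ConfigOS code and not actual STIG check content; the snapshot, the baseline and every field name are constructed and hypothetical.

```python
from collections import defaultdict

# Constructed baseline and host snapshot; every field name is hypothetical.
BASELINE = {
    "allowed_ports": {22, 443},
    "allowed_logon_users": {"alice", "svc_web"},
    "denied_logon_groups": {"Domain Admins"},
}
SNAPSHOT = {
    "host": "web01.example.internal",
    "listening_ports": [22, 443, 3389, 8080],
    "accounts": [
        {"name": "alice", "enabled": True, "guest": False},
        {"name": "Guest", "enabled": True, "guest": True},
    ],
    "logon_users": ["alice", "svc_web", "bob"],
    "logon_groups": ["Domain Admins"],
    # (account, identity proven by second factor) for each recent login
    "logins": [("alice", "alice"), ("svc_web", "svc_web"), ("alice", "carol")],
}


def audit(snapshot, baseline):
    """Return sorted (check, offending item) findings for one host."""
    findings = set()
    for port in snapshot["listening_ports"]:
        if port not in baseline["allowed_ports"]:
            findings.add(("unapproved_port", str(port)))
    for acct in snapshot["accounts"]:
        if acct["guest"] and acct["enabled"]:
            findings.add(("guest_account_enabled", acct["name"]))
    for user in snapshot["logon_users"]:
        if user not in baseline["allowed_logon_users"]:
            findings.add(("undefined_logon_user", user))
    for group in snapshot["logon_groups"]:
        if group in baseline["denied_logon_groups"]:
            findings.add(("privileged_group_logon", group))
    # One account used by more than one proven identity is a shared login.
    people = defaultdict(set)
    for account, person in snapshot["logins"]:
        people[account].add(person)
    for account, who in people.items():
        if len(who) > 1:
            findings.add(("shared_login", account))
    return sorted(findings)


if __name__ == "__main__":
    for check, item in audit(SNAPSHOT, BASELINE):
        print(f"{SNAPSHOT['host']}: {check}: {item}")
```

Running the same audit on a schedule and comparing the findings between runs is what turns a one-time hardening pass into the continuous auditing the article describes.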

Assembling a trusted team to secure your data.

Combining STIG mandates for perimeter security with a Zero Trust model shuts down access and makes it nearly impossible for bad actors to get in. As Defense Information Systems Agency (DISA) observes, “The intent and focus of Zero Trust frameworks is to design architectures and systems to assume breach, thus limiting the blast radius and exposure of malicious activity.”

If this all sounds complicated, that’s because it is. SteelCloud’s ConfigOS is your Easy Button, reducing the time and effort of implementing all the controls needed for Zero Trust by 90%. In addition, automating your STIG compliance with ConfigOS can simplify the hardening process at the perimeter, provide 24/7/365 reporting and remediation and help you double down on cybersecurity when using the Zero Trust approach.

When it comes to enforcing cybersecurity, trust no one. When it comes to establishing it, trust the proven power of ConfigOS compliance automation.

 
