Zero Trust: How to adapt accordingly with secure and compliant baselines using automation
January’s OMB Memorandum detailing the White House Executive Order on Zero Trust has government and defense industrial base (DIB) organizations talking. In last week’s Tech Talk Tuesday, we shared some basics of Zero Trust, including a refresher on network access control (NAC) registries.
Now let’s drill down a little deeper. Before you can implement a Zero Trust approach, you will want to build a foundation of secure and compliant baselines. A STIG-, CIS-, or CMMC-compliant baseline offers a hardened base on which to build a successful Zero Trust posture.
Changes to how you validate users and systems.
The most significant cybersecurity change prescribed by Zero Trust is the frequency and depth of validation of both the user's identity and the configuration of the endpoint or system accessing the infrastructure. Zero Trust’s foundational concept is that validation moves from a single instance at the network perimeter to individual validations at each data source.
Before Zero Trust, an organization might remediate its infrastructure only quarterly and validate compliance monthly. Now, configurations may be validated multiple times per day. These system validations will include both patch levels and policy configurations.
Security is no longer as simple as protecting the perimeter.
Establishing Zero Trust goes beyond protecting your perimeter. You also need to put a metal detector at the entrance, secure the locker room, and provide continual surveillance. Also, Zero Trust is not a one-size-fits-all approach. Instead, it is tailored to the agency, systems, and users.
But one thread is common to all solutions. As Aaron Faulkner, cybersecurity lead at Accenture Federal Services, states, “As federal information technology architecture is modernized, a holistic endpoint detection and response approach, executed correctly, will be critical for CISA to rapidly understand the government’s overall risk posture and mitigate vulnerabilities.”
Once your endpoints are in compliance, how do you keep them there?
Using established STIG and CIS benchmarks as your guide, you can be sure of creating secure configurations, mitigating vulnerabilities, and building more robust security. Checklists are in place to ensure nothing gets overlooked. And best of all, lower-level controls and documentation processes can be automated, giving organizations a simplified way to prevent exploitation of system vulnerabilities.
Automated scanning and remediation mean endpoints will be in continuous compliance, preventing drift, eliminating the need to schedule separate remediation or scanning activities, and maintaining a secure and compliant baseline. It’s like having a V-8! In addition, detailed security configuration information is available for validation by NAC at the endpoint, eliminating the need to drill back into some central repository for information. Considering the millions of endpoints within the DoD alone that will have to be validated, most probably multiple times per day, this approach is infinitely scalable and less fragile than other approaches.
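The per-request check described above, as an added example that is not from the original article or from any product: the access point reads the posture record that the endpoint's scanner keeps locally and decides from scan freshness, patch level, baseline settings and documented waivers. The setting names, thresholds and record layout are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy values; a real deployment takes these from its own baseline.
MAX_SCAN_AGE = timedelta(hours=6)   # posture must be re-validated several times a day
MIN_PATCH_LEVEL = (2024, 5)         # minimum acceptable (year, month) patch level
BASELINE = {"password_min_length": 14, "smbv1_enabled": False, "screen_lock_minutes": 15}

def evaluate_posture(record, now, baseline=BASELINE):
    """Decide one access request from the endpoint's own posture record.

    Returns (allow, reasons). Missing settings count as drift (fail closed).
    """
    reasons = []
    if now - record["scanned_at"] > MAX_SCAN_AGE:
        reasons.append("scan too old")
    if tuple(record["patch_level"]) < MIN_PATCH_LEVEL:
        reasons.append("patch level below minimum")
    # A documented waiver excuses a deviation only until it expires.
    waived = {w["rule"] for w in record.get("waivers", []) if w["expires"] > now}
    for rule, expected in baseline.items():
        actual = record["settings"].get(rule)
        if actual != expected and rule not in waived:
            reasons.append(f"drift: {rule}")
    return (not reasons, reasons)

# Constructed sample records, as a local scanner might leave them on the endpoint.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
COMPLIANT = {
    "scanned_at": NOW - timedelta(hours=2),
    "patch_level": (2024, 5),
    "settings": dict(BASELINE),
}
DRIFTED = {
    "scanned_at": NOW - timedelta(hours=9),
    "patch_level": (2024, 3),
    "settings": {"password_min_length": 8, "smbv1_enabled": True},
    "waivers": [{"rule": "smbv1_enabled", "expires": NOW + timedelta(days=30)}],
}

if __name__ == "__main__":
    for name, rec in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, evaluate_posture(rec, NOW))
```

Because the decision uses only the record and the clock, the same function can run at every data source without a lookup in a central repository.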
A simple solution exists to help you establish Zero Trust.
Creating a secure and compliant baseline, adopting Zero Trust principles, and complying with the Zero Trust EO/OMB can be relatively simple and affordable, or it can be an undertaking that hobbles your organization. Automation makes the difference. The same automation technology utilized to keep endpoints continuously in compliance is also used for simple, scalable Zero Trust validation. In just a few hours, you can scan your entire environment, implement controls, detect conflicts, remediate conflicts, and document waivers—activities it could take weeks or months to do manually.
The government’s Cybersecurity Executive Orders 2022 set the expectation that you will adopt specific standards and security practices on Zero Trust by fiscal year 2024. As you can probably tell, you will have to keep multiple balls in the air to make this happen. However, we can help you take steps to set your security to 11 and your trust to 0.