The game is well underway when talking about Zero Trust, NAC and ushering in the new era of cybersecurity
In January, the US Office of Management and Budget (OMB) presented its Federal Zero Trust Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems. It focuses primarily on a Zero Trust approach.
Zero Trust assumes that no actor/service/system can be trusted and, therefore, moves the concept of cyber defense from the perimeter to—or closer to—the individual data repository or application. Equally important, Zero Trust increases the breadth and depth of continual verification and evaluation versus the traditional single verification at the network perimeter.
The EO/OMB Zero Trust cybersecurity objectives must be met by the end of 2024. So why should you care today?
Let’s play ball.
Zero Trust isn’t just an action or process; it’s a mindset, one that needs to permeate your entire organization, not just the technical parts. Therein lies the challenge. As Glen Hernandez, Cpt (retired) U.S. Coast Guard, CISO, AFCEA Zero Strategies Trust Sub-committee says, “It is a different mindset organizations need to embrace. It’s very different from the castle and moat analogy to protect your organization by digging a deeper moat or building a higher fence. It is really about the organization’s purpose in trying to understand it’s about the organization’s purpose. What was the organization designed to do, and how are you going to protect the crown jewels of that organization in the data and transactions?”
Rather than castle and moat, think of Zero Trust in terms of a baseball analogy. When you go to the ballpark, you have a checkpoint at the gate. After passing through the gate, you are free to wander about the stadium. With Zero Trust, you are checked at the checkpoint and every other stop along the way…at the bathroom and concessions, when you take your seat, and when you get up to leave again. Instead of assuming trust after that first checkpoint, you assume breach at every point along the way. Instead of just getting validated once, you will be validated multiple times.
So how are you supposed to pull that off?
Technology is only part of the Zero Trust answer. Because it is an enterprise-wide collaboration, you need strong leadership to socialize messages, stress importance, define expectations and demonstrate compliance. The buy-in is critical to effectuating a successful process for prioritizing and managing these policies across the enterprise. It is a more critical step than it seems. The entire organization needs to embrace the Zero Trust paradigm every day, in every instance, on every device.
Undoubtedly, the most significant change prescribed by Zero Trust, however, is the depth and frequency of validation of both user identity and the configuration of the endpoint/system accessing the infrastructure. As mentioned earlier, a foundational concept of Zero Trust is that validation moves from a single instance at the perimeter of the network to individual validations at each data source.
With so many employees working remotely, the importance of secure network access control (NAC) has never been higher. As an umbrella of cyber technologies/initiatives, Zero Trust relies on and builds on many traditional cyber best practices and technologies. Good cyber hygiene and a basis for driving it are foundational. First, you need to inventory your apps and tools and look at what you can do better. Then you’ll eventually want to establish a baseline of security. Then you’ll want to maintain it. That is a massive task that is nearly impossible to do well manually. Here is where automation is vital. And SteelCloud’s automation solution, ConfigOS, can help you develop and maintain that baseline.
Beyond that, you want to pay particular attention to your firewalls, IDS/IPS, anti-virus/malware, two-factor authentication, secure endpoint configurations, and NAC (network access control). Zero Trust also dictates additional capabilities to support its new paradigm and specific changes in the implementation of traditional cyber technologies/best practices.
Get started now. Two years go by faster than you think.
If the Zero Trust journey looks daunting, you are not alone. Keatron Evans, principal security researcher for Infosec Institute, “estimates that only 10% of the agencies are ready to start.” Most of them don’t have the technical expertise or appropriate budgets. Add the complexity of the increasing number of remote and mobile workers, and agility—backed by a plan—has never been more critical. So, stepping into Zero Trust now is very advantageous.
The reality is that you can’t protect everything, so you need to prioritize areas of concern. But if you want to hit a home run with Zero Trust, automation will help you achieve your goals quicker. We can help you create that essential foundation of cyber hygiene and cybersecurity. This is what SteelCloud does best. Let us know if you have any questions about your OMB/EO journey or adopting Zero Trust principles.