Zero trust has quickly gained a foothold in the U.S. federal government as the latest and greatest cybersecurity measure. At the start of 2022, the Office of Management and Budget released a memorandum that mandated a federal zero trust architecture strategy and required agencies to meet cybersecurity standards by fiscal year 2024’s close.
Now, as agencies move forward with the cybersecurity approach, officials say zero trust represents an important milestone in viewing cybersecurity more holistically.
Zero trust is not a boxed solution, but rather a “continuous learning” process, according to Steve Faehl, security chief technology officer at Microsoft Federal.
“When it comes to the problems that we’re solving with zero trust, we’re going to keep finding new ones because the adversaries are going to keep introducing them,” said Faehl during a panel discussion at the Potomac Officers Club’s Implementing Proactive Security with Zero Trust Forum.
The zero trust approach was designed to meet the security needs of today’s cyber threat landscape, which is more dangerous and volatile than ever. The hallmark of a zero trust architecture is constant validation, authentication and verification of users, permissions, identities and credentials — a stark contrast to the outdated “castle and moat” security approach.
“Reducing implicit trust, I think, is a never-ending project,” Faehl commented.
Although zero trust is viewed as a leading cybersecurity strategy today, the approach is also forcing organizations to take a more realistic look at the possibility of a breach. Considering today’s high cyber attack rate, many officials are thinking not just about if their organization will be compromised, but when.
“We know we inevitably will be breached,” said Alvin “Tony” Plater, chief information security officer for the Department of the Navy. “We are a high risk target, so we’ve envisioned inevitable intrusions.”
By running through possible attack scenarios, the Navy is able to better mitigate the damage done when these breaches actually do occur. Plater shared that the Navy is now focusing on limiting lateral movement in the event of a cyber attack and making sure the service can resiliently recover following a breach.
Because zero trust places more protections within an organization’s IT infrastructure rather than outside of the perimeter, the responsibility of successfully deploying zero trust falls on the entire workforce, not just the IT department.
“IT environment protection is now everyone’s responsibility,” commented Praveen Kosgi, vice president of technical solutions for NetImpact Strategies.
“Roles are blurry, but segregation of duties is going to be very critical because the authentication authorization is going to be very much a key in this whole process,” he continued.
Kosgi also suggested better tracking for IT landscape resources — “not just what but how they are operating so that we can mature them to the optimal state that gets us closer to zero trust,” he explained.
For example, Kosgi said that data needs a critical asset tracking protection status so that organizations can better monitor the “who, what, when, why, how and for how long” access components of important information.