Zero trust continues to be a top-of-mind topic for those responsible for security. Recently, the US government issued an executive order pushing zero trust concepts. My buddy Aamir Lakhani posted about this on his blog. That post can be found HERE. Here are Aamir’s thoughts on this new executive order.
The modern world and its digital infrastructure remain at high risk of cyberthreats. The U.S. Department of Homeland Security has identified several areas of particular importance when it comes to hardening national infrastructure against bad actors. These include transportation, election security, industrial control systems and workforce security.
Zero-trust architecture is an important part of this bulwark. The Biden administration’s recent executive order (EO) on zero-trust security and bolstering the nation’s cyber-readiness demonstrates that this is a top priority for modern civil servants.
What Is Zero Trust?
The primary goal of zero-trust network security infrastructure is to recognize that threats come from both inside and outside an organization. The assumption that any specific node, application or digital product is secure can put an entire framework at risk.
These are the fundamental tenets and assumptions of zero-trust cybersecurity:
● Zero trust includes real-time, continuous identity verification for all parties and products connected to a network.
● Zero trust limits network vulnerability by granting access to sensitive digital assets only to the parties that need them.
● Zero trust assumes a hack will occur. The number of breaches rose to 1,862 in 2021.
The Biden administration issued its executive order in May 2021 to lay out a series of steps federal operators must take by 2024 to harden their cyber defenses.
Precedent-Setting at the Federal Level
The best governments provide an example worth emulating and best practices worth adopting. By naming zero-trust security architecture a federal priority, the Biden administration intends to outline a series of steps that state, local and private entities can take to harden their digital infrastructure against cyberattacks.
Some of the largest private companies and public infrastructure systems recently revealed themselves as particularly vulnerable to domestic and foreign interference. The resilience of a nation’s physical infrastructure and the sovereignty of its elections have never seen a slate of risks quite like what the world now must contend with.
What Zero-Trust Security Looks Like
The Biden administration’s EO should help raise the bar for cybersecurity literacy among public and private entities. The main components of zero-trust security include monitoring data flow and continuously vetting identities, applications and network activity. Here’s what that looks like in practice.
Identifying Vulnerabilities
The administration’s EO names identifying vulnerabilities within a network as one of the chief tenets of zero-trust security. Specifically, the EO names software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS) as especially vulnerable to exploitation.
Governments at every level have busied themselves for several years adopting digital infrastructure to provide modern services and compete with the private sector. However, the intersections of public and private infrastructure – especially where transportation and health care data are concerned – are particularly vulnerable to outside attack.
Some 12% of all data theft comes from within the health care sector. Still, attacks on other essential entities, like meatpacking plants and energy infrastructure, are quickly catching up and raising concern.
Creating New Standards
The technology industry is fragmented. Unfettered competition without oversight has resulted in a significant number of proprietary software systems and approaches to cybersecurity. Given how tightly interwoven the public and private sectors have become thanks to digital transformation, this precedent cannot stand for much longer.
The Biden administration’s executive order stresses the importance of cooperation and collaboration in this arena. It requires federal entities to use the latest emerging standards from the National Institute of Standards and Technology (NIST) and the Department of Commerce and to draw up a schedule for implementation.
SP 800-207 is one of the latest additions to NIST’s zero-trust documentation. It provides a framework for organizations to identify opportunities and lay out a practical roadmap for cybersecurity improvement.
Protecting the Public and Leading by Example
The primary functions of the Biden administration’s EO on zero-trust cybersecurity are twofold: raise consciousness about the vulnerability of modern digital systems and lead by example so other organizations have a path to follow.
Cybercrime can be an indistinct concept to reckon with until the human cost is made clear. Criminals steal data valued at $6 trillion every year. If these ill-gotten gains were a country’s GDP, it would rank third after the United States and China.
Significant events often result in human migration and other bureaucratic challenges, increasing the demand for zero-trust standards. In the U.S., where ICE and other groups carry out deportations for undocumented individuals, having a national digital infrastructure that is above reproach and immune to tampering can even be a matter of national security.
The EO on zero-trust security represents the Biden administration throwing down the gauntlet and preparing to wage a real and decisive war against would-be hackers.