How zero trust solves the 'weakest link' problem

By Gus Hunt

By Gus Hunt

|

Many government agencies currently have components of zero trust already in their infrastructure, including identity credential and access management and continuous monitoring, so moving to a comprehensive zero trust model would just strengthen what is already there.

To make zero trust successful, federal agencies should take an incremental approach to implementation. First, identify a key mission partner to be the initial stakeholder. Analyze and understand that mission's activities. Identify their data and application requirements and map their data flows. Second, conduct a gap analysis of the existing cyber security infrastructure to identify missing zero trust components. Third, develop an implementation road map, starting with the identified mission partner, but with a plan to extend to the whole agency. Finally, socialize a zero trust mindset. As always, change management thrives with active communication and stakeholder engagement.
zero trust network
 

Our ability to both defend against and recover from cyberattacks is improving globally and across the federal government. However, adversaries are moving aggressively to attack us through different means.

That is the topline finding from the Third Annual State of Federal Cyber Resilience Report. Our global sample shows the number of direct cyberattacks and breaches both declined year-over-year with successful attacks dropping 27%. Within the federal government, security breaches dropped 43% despite facing an increase in the number of targeted attacks.

What's more, our research found there is a group of standout organizations that appear to have cracked the cybersecurity code for effective outcomes through innovation. Detailed modeling of cybersecurity performance has identified an elite group — 17% of the global respondents and 28% of federal respondents — that achieve significantly higher levels of performance compared to the rest. Specifically, they were four times better at stopping attacks and finding breaches, three times better at fixing breaches and two times better at reducing the impact of breaches. As a result, they were able to reduce the average cost of resolving security breach from $380,000 to $107,000.

That's the upside. What's concerning is the adversaries are adapting and increasingly focusing their attacks via indirect channels through third parties and supply chains. As federal leaders harden their cyber security postures, the enemy is moving to the take advantage of the weakest link.

The new threat

Given that federal leaders have done a good job managing the threat against their core systems and networks, the evolving cyber threat is exposing vulnerabilities in these outside networks, which are often the least resilient to withstand a cyberattack. Specifically, our research found that 45% of reported federal breaches and 40% globally came from indirect channels. These critical third parties include contractors, suppliers, state and local governments, research institutions and universities, and other non-governmental organizations.

Furthermore, with the rapid shift to teleworking due to the COVID-19 pandemic, another front has opened, which are the millions of federal workers now working from home. Their home network environments are most likely less secure and more exposed than well-protected agency networks.

Federal leaders recognize this threat with 85% of federal respondents (and 83% globally) agreeing that their organizations need to think beyond securing their enterprises and take steps to secure their ecosystems to be effective. And Zero trust is one way that federal organizations can more effectively deal with the third-party threat.

Enter zero trust

Zero trust addresses these uncertain times we're in by leaving nothing to chance. With Zero trust networks, the perimeter moves from the traditional firewall perimeter closer to where the data resides, on cell phones and other digital devices connected to federal networks. The new, cloud-based reality requires a remote-access approach that uses micro-segmentation to bolster protections and improve visibility. Zero trust not only monitors an organization's total digital assets, but also considers the people who attempt to connect to those assets and the processes for them to do so.

Zero trust is an innovative, agile security strategy and architecture design methodology, backed by the National Institute of Standards and Technology (NIST), that increases security on networking architectures by assuming the worst-case scenario -- that everyone is a potential threat -- independent of whether they have log-in credentials or are unknown and scoping another way into mission-critical systems. Under zero trust, networks users are continuously authenticated. It's not one product or platform, but rather a modernized cybersecurity architecture that combines security technologies that work in harmony to significantly boost an organization's cybersecurity posture and reduce risks.

The security methodology achieves this by grouping users, devices, data and services in separate categories inside of a trust framework. Zero trust elevates a traditional security posture from one that makes all of an organization's assets available to the workforce to one that implements a continuous authentication and authorization process for workers or contractors to gain access to a particular digital asset.

Essentially, a zero trust environment restricts what employees, contractors or other third parties can do and touch. It limits the potential damage an insider or outsider can cause by segmenting their accesses to only those assets that are allowed by their credentials and permissions to accomplish their jobs.

Zero trust doesn't require federal agencies to replace their existing networks or acquire a ton of new technologies. In fact, it works as effectively when it augments other cybersecurity tools and strategies. Along this vein, many government agencies currently have components of zero trust already in their infrastructure, including identity credential and access management (ICAM) and continuous monitoring, so moving to a comprehensive zero trust model would just strengthen what is already there. On top of this, NIST recently released new zero-trust architecture guidance, which is intended to provide a "road map to migrate and deploy zero trust security concepts to an enterprise environment."

But, it's not just about technology. Implementing zero trust requires agencies to establish clear policies, procedures, and processes. For example, an executive-level data governance board comprised of mission, IT, and cybersecurity leadership is essential to decide and enforce data security and access control rules for the enterprise.

When zero trust development is coordinated with the mission, it becomes transparent to the users. It functions under the covers ensuring that the users have seamless access to the data and applications they need to do their jobs. Done well, it becomes a mission enabler as well as a security enhancer. As agencies mature their zero trust capabilities and artificial intelligence algorithms increasingly make automated access decisions, the partnership with the mission/business side will be even more essential in setting up the policies and rules that drive smart access to different data.

The way ahead

Zero trust can help agencies achieve the goal of cyber resilience. However, implementing zero trust is not something that can be just handled by an agency's technologists. With so much at stake, rolling out the model will require buy in and coordination from leadership and stakeholders across the organization.

NEXT STORY: Voice phishing attacks on the rise, CISA, FBI warn

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.