Zero Trust: Shift Back to Need to Know
Cyberattacks on government agencies are unrelenting. Attacks on government, military, and contractor targets rose by more than 47% in 2021 and are likely to keep climbing. Today's criminal and state-sponsored threat actors have become more sophisticated and continue to target government data and resources.
The recent Executive Order on Improving the Nation's Cybersecurity (EO 14028) directs federal agencies to take decisive action and to work with the private sector to improve cybersecurity. The EO puts it bluntly:
“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.”
The Office of Management and Budget (OMB) also issued a memorandum (M-21-31) directing agencies to improve their investigative and remediation capabilities, including:
- Centralized access and visibility
- Better-defined logging, log retention, and log management
- Increased information sharing
- Accelerated incident response
- More effective defense of information
In light of continued cyber-attacks, the EO calls for bold and significant investments to protect and secure systems and data. That is a cultural shift away from a security posture that relaxed over time as legacy systems grew and were later migrated to cloud resources.
Security concerns only grew with the rapid shift to remote work. Agencies had to scramble to redefine infrastructure to accommodate remote workers, which significantly increased the attack surface.
For governmental agencies, hardening security requires a return to “need to know” using zero trust security protocols.
Zero Trust Security: What Is It?
Zero trust is a security model that requires every user, device, and workload to be authenticated and authorized for each access request, regardless of where on the network the request originates. Traditionally, networks focused security at the edge, controlling the points of entry. Once a threat actor got past that perimeter, everything inside was implicitly trusted, so the attacker could reach additional network resources, escalate privileges, and escalate the damage caused.
Zero trust re-authorizes users at every connection to prevent unauthorized access and lateral movement inside the network. Resources are reachable only by those with a need to know and a need to access; everything else is denied by default.
Current Cloud Security Measures Can Fall Short
The rising adoption of cloud services has changed the makeup of most agency infrastructures. Lax cloud security measures expose organizations to risk and harm, and incremental improvements are not keeping pace with the threat.
Factors that leave openings for threat actors include:
- Gaps in information technology (IT) expertise and challenges in hiring
- Problems with cloud migration
- Unsecured application programming interfaces (APIs)
- Vulnerabilities in third-party providers
- The complexity of security in multi-cloud and hybrid cloud environments
Zero trust is an important weapon in the battle against cyber threats, yet adoption is far from universal. The recent Cost of a Data Breach report from IBM Security and the Ponemon Institute found that only 35% of organizations had deployed a zero trust framework as part of their security program. That leaves most agencies and businesses open to attack.
Besides protecting networks and data, there is a significant financial benefit to deploying zero trust. Breaches can still occur with zero trust in place, but the same report found that the average cost of a breach for organizations with a mature zero trust deployment was $1.76 million less than for organizations without one.
Zero Trust and the Return to Need to Know
Intelligence agencies have employed the practice of “need to know” for years. Sensitive and confidential data is restricted to only those that have a specific need for access. In cybersecurity, zero trust includes the concept of least privilege, which only allows users access to the information and resources they need to do their job.
Contrast zero trust with perimeter (edge) security, which is still in wide use today. Edge security is like putting a security perimeter around the outside of your home or building. Once inside the perimeter, visitors are free to move from room to room. The principle of least privilege only gives them access to the rooms, and to the things within each room, for which they have a need to know.
With zero trust in place, visitors won’t even be able to see the room unless they are authorized for access.
Building a Zero Trust Architecture
Building a zero-trust architecture requires an understanding of your infrastructure, applications, and users. By mapping your network, you can see how devices and applications connect and pathways where security is needed to prevent unauthorized access.
A zero-trust approach requires organizations to:
- Explicitly verify every access request, using user identity, location, device integrity, workload, and data classification as inputs
- Apply the principle of least privilege using just-in-time and just-enough-access (JIT/JEA) with adaptive, risk-based policies
- Remove implicit trust between devices and applications, and institute robust device access control
- Assume breach and use micro-segmentation to prevent lateral movement, exposing each segment on a need-to-know basis
- Implement proactive threat prevention, detection, and mitigation
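The requirements above, together with the per-connection re-authorization described under "Zero Trust Security: What Is It?", can be made concrete as a policy decision function that every request passes through. The following Python is an added example written for this page; it is not RedSeal code and not any product's API. The resource names, network segments, the 15-minute MFA window, the JIT grant structure, and the sample requests are all constructed assumptions.

```python
"""Per-request zero trust policy decision point.

Hypothetical, self-contained example: every request is evaluated from scratch,
nothing is inherited from an earlier session or from network location, and the
default outcome is deny. All policy data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy data (assumptions, not any real deployment).
# Which roles may reach which resource, and how the data is classified.
RESOURCE_POLICY = {
    "hr-payroll-db": {"roles": {"payroll-admin"}, "classification": "secret"},
    "public-site": {"roles": {"everyone"}, "classification": "public"},
}
# Micro-segmentation: (source segment, destination segment) -> permitted ports.
SEGMENT_RULES = {
    ("corp-workstations", "app-tier"): {443},
    ("app-tier", "db-tier"): {5432},
}
MFA_MAX_AGE = timedelta(minutes=15)  # identity must be re-verified this often
AUDIT_LOG = []  # every decision, allow or deny, is recorded here


@dataclass
class Request:
    user: str
    roles: set
    mfa_time: datetime        # when the user last completed MFA
    device_compliant: bool    # outcome of the device posture check
    src_segment: str
    dst_segment: str
    port: int
    resource: str


@dataclass
class JitGrant:
    """Time-boxed, resource-specific elevation (just-in-time / just-enough access)."""
    user: str
    resource: str
    expires: datetime


def evaluate(req, grants, now):
    """Return (allowed, reason). Checks run in order; the first failure wins."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    # 1. Verify identity on every request; an old MFA result is not trusted.
    if now - req.mfa_time > MFA_MAX_AGE:
        return False, "identity: MFA older than %s" % MFA_MAX_AGE
    # 2. Device integrity: a non-compliant device gets nothing, whoever is using it.
    if not req.device_compliant:
        return False, "device: posture check failed"
    # 3. Least privilege: one of the user's roles must be on the resource allow-list.
    if not (req.roles & policy["roles"]):
        return False, "authz: no role grants %s" % req.resource
    # 4. JIT/JEA: secret data additionally needs an unexpired grant for this resource.
    if policy["classification"] == "secret":
        live = [g for g in grants
                if g.user == req.user and g.resource == req.resource and g.expires > now]
        if not live:
            return False, "authz: no active JIT grant for %s" % req.resource
    # 5. Micro-segmentation: the network path must itself be explicitly allowed,
    #    so a valid identity cannot be used to move laterally over an unlisted path.
    allowed_ports = SEGMENT_RULES.get((req.src_segment, req.dst_segment), set())
    if req.port not in allowed_ports:
        return False, "segment: %s -> %s:%d not permitted" % (
            req.src_segment, req.dst_segment, req.port)
    return True, "allow"


def decide(req, grants, now):
    """Evaluate the request and append the outcome to the audit log."""
    allowed, reason = evaluate(req, grants, now)
    AUDIT_LOG.append((now.isoformat(), req.user, req.resource, allowed, reason))
    return allowed, reason


def demo():
    """Constructed scenarios; returns {name: (allowed, reason)}."""
    now = datetime(2021, 11, 1, 12, 0, tzinfo=timezone.utc)
    grants = [JitGrant("alice", "hr-payroll-db", now + timedelta(minutes=30))]
    base = dict(user="alice", roles={"payroll-admin"}, mfa_time=now - timedelta(minutes=5),
                device_compliant=True, src_segment="app-tier", dst_segment="db-tier",
                port=5432, resource="hr-payroll-db")
    return {
        "payroll_ok": decide(Request(**base), grants, now),
        "stale_mfa": decide(Request(**{**base, "mfa_time": now - timedelta(hours=1)}), grants, now),
        "bad_device": decide(Request(**{**base, "device_compliant": False}), grants, now),
        "wrong_role": decide(Request(**{**base, "user": "bob", "roles": {"everyone"}}), grants, now),
        "expired_jit": decide(Request(**base), [], now),
        "lateral_move": decide(Request(**{**base, "src_segment": "corp-workstations"}), grants, now),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print("%-13s %s  %s" % (name, "ALLOW" if allowed else "DENY ", reason))
```

The ordering of the checks is deliberate: identity and device posture are evaluated before any authorization question, so a stolen session on an unmanaged device fails early and cheaply, and the segmentation check runs last so that even a fully authorized user cannot reach the database over a path the network policy never listed. Every outcome, including denials, lands in the audit log, which is the record an investigator needs when the "assume breach" case actually happens.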
Mitigating Insider Threats
Zero trust also helps mitigate insider threats by restricting access to resources the insider is not authorized for and by logging activity within the network.
When we think about data breaches, we generally think of threat actors outside our network, but there is also a significant threat from insiders. The 2021 Data Breach Investigations Report (DBIR) from Verizon suggests that as many as 22% of all data breaches involve insiders.
According to the Government Accountability Office (GAO), risks to federal IT systems are increasing, including insider threats from both witting and unwitting employees.
Managing Complex Network Environments
As organizations have grown, their network environments have become incredibly complex. Securing them requires a deep understanding of every appliance, application, device, public cloud, private cloud, multi-cloud, and on-premises resource, and of how they are connected.
RedSeal automatically maps your infrastructure and provides a comprehensive, dynamic visualization. With RedSeal, you can identify any exposed resources in the cloud, visualize access across your network, demonstrate network compliance and configuration standards, and prioritize vulnerability for mitigation.
For more information about implementing zero trust for your organization, download the complimentary RedSeal Guide: Tips for Implementing Zero Trust. Learn about the challenges and get insights from the security professionals at RedSeal.