Zero Trust: A New Cyber Security Paradigm

With the White House’s release of Executive Order 14028, “Improving the Nation’s Cybersecurity,” the future of safeguarding our technology is no longer ambiguous: something called “zero trust architecture” is going to become the norm. Every government institution is going to adopt it, with clear-cut goals to achieve by 2025. Many private sector organizations are already ahead of the curve, such as Google and Gartner spearheading their own approaches to the Zero Trust cybersecurity philosophy. But what is Zero Trust, and how is it going to change the way businesses and institutions are run now?

Before Zero Trust

Until recently, cybersecurity resembled medieval siege warfare; the formation of a Local Area Network in a physical office was like a fortified European town, with firewalls instead of stone walls and a moat. This “turtleshell” approach focused on preventing breaches from outside the network perimeter, on the assumption that all who were inside the perimeter could be trusted.

The problem with this, of course, is that once the walls are breached, an attacker is able to move about the network more or less freely, stealing and vandalizing all manner of virtual valuables like sensitive data. It’s no surprise that the IT community adopted the term “Trojan Horse” as early as the 1970s in reference to certain security breaches.

For decades, the response under this admittedly flawed paradigm has been to keep fortifying the network against attack: building the walls stronger and higher to protect the vulnerable interior as hackers and malware grow more advanced. But perimeters are increasingly falling away by virtue of the technology itself. Cloud infrastructure requires internet connectivity; employees connect with personal devices; the COVID-19 pandemic made remote connections a requirement; even the Internet of Things is diversifying the network—and each of these brings its own unique points of vulnerability. A single, uniform fortified wall just isn’t feasible for so complex a network. This is especially a problem considering that in most major cyber-attacks, the point of entry is not the hacker’s final target; to get to the castle, they first find a weak point in the wall.

How does Zero Trust architecture solve the problem?

Zero Trust doesn’t just fortify the outer walls of its town under siege; it fortifies the whole town. This radical paradigm shift operates not only on the assumption that breaches will be attempted and must be prevented—which is still true—but also on the assumption that, in spite of anyone’s best efforts, breaches will occur or perhaps have already occurred, and that everything inside the walls must be designed around mitigating the effects of that eventuality.

The credo of Zero Trust is “Never Trust, Always Verify.” That means that the users, devices, and applications that attempt to access any part of the network are always suspect by default. There is no individual user or component that is considered above a possible security breach, and so they have to continuously authenticate over time and as they access different parts of the network. This way, if there is a breach, the hacker is substantially less likely to make it far from their point of entry and gain access to additional sensitive information.

Is Zero Trust architecture new?

No. Computer scientists have been discussing this approach since as early as the 1990s, but it has only come into vogue recently. The level of complexity and the data load required to implement it are high, which created a technological threshold that prevented Zero Trust from gaining traction in the industry… until now.

How does one go about implementing Zero Trust architecture?

One important thing to remember is that Zero Trust architecture is a bit of a misnomer. It’s more of a school of thought than a blueprint. With that in mind, implementation is not fast or easy or a one-time thing. It’s an ongoing process that requires comprehensive planning and perpetual maintenance.

Luckily, the goals outlined by Executive Order 14028 are clear and achievable, and they serve as a functional roadmap to building the basics of a Zero Trust Network. There are 5 goals:

1) The integration of single sign-on service (SSO) and multi-factor authentication (MFA) wherever possible.

Multi-factor authentication is increasingly standard across the tech industry, and more so in government institutions, with examples such as Common Access Cards and Personal Identity Verification. A big part of this goal involves privileged access management—given that privileged access opens the way to uniquely sensitive information, methods of authentication need to be especially rigorous for those users.

2) Thorough inventory of users and devices with network access, and development of the ability to detect and respond to incidents on these devices.

You should never be unaware of a device that is accessing your network. But it’s more than just keeping an inventory; it’s understanding how these devices all relate to each other, and where the compromise of one might spill over into others. This dovetails into Goal #5 below.

3) The encryption of all DNS requests and HTTP traffic, and the segmentation of networks around their applications.

Rather than one big wall around the medieval city, network segmentation—also referred to as micro-perimeters—puts walls around each borough in the city, or even each house. Every individual application operates in its own separate network environment. And when those applications communicate with each other, they must also verify each other. As a result, mutual authentication occurs at the enterprise level, at the individual level, and at every level in between.

4) Treat everything as though it is connected to the internet, even when you think it isn’t. Routinely test all applications and generate external vulnerability reports.

You know it’s official when it becomes government policy: the cloud is here to stay. Assuming internet connectivity will mean you are always prepared for even the most unlikely breach. A device or application with sensitive information is a bit like a gun; you should always assume it is loaded.

5) Monitor, collect, and analyze data about logging and information sharing.

Machine learning and automation can be enormously helpful in devising rapid incident detection and response. PVM has been incorporating machine learning into solutions for some of our clients for a while now; we know how overwhelming big data can be, and we have found that the benefits of machine learning are difficult to overstate.

Zero Trust architecture sounds rigid and brittle. Should I be worried about that?

No. In fact, Zero Trust architecture requires you to be agile. One big aspect of it is that access permissions are often temporary. Employees only need a certain amount of information to complete their work, and they only need that information for a certain amount of time. A Zero Trust framework gives them what they need for as long as they need it, and nothing more. In order to achieve this, you have to maintain a dynamic “trust-map” which keeps track of where users, devices, and applications are granted access—and, critically, update restrictions on those access points on a routine basis.
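The dynamic trust-map described above, with the continuous re-verification from “Never Trust, Always Verify,” as an added example that is not part of the original article: a small Python policy decision point that re-checks the device inventory, MFA freshness and a time-bounded per-resource grant on every request, so access lapses on its own when the grant expires. All class names, device ids and sample values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    """A temporary, resource-scoped permission (constructed example type)."""
    subject: str
    resource: str
    expires_at: datetime


class TrustMap:
    """Policy decision point: no standing trust, every request is re-verified."""

    def __init__(self, known_devices, mfa_max_age=timedelta(hours=8)):
        self.known_devices = set(known_devices)  # Goal 2: device inventory
        self.mfa_max_age = mfa_max_age           # Goal 1: MFA must be recent
        self.grants = []

    def grant(self, subject, resource, ttl, now):
        """Grant access for a bounded time only; nothing is permanent."""
        self.grants.append(Grant(subject, resource, now + ttl))

    def revoke_expired(self, now):
        """Routine maintenance: drop grants whose time window has closed."""
        self.grants = [g for g in self.grants if g.expires_at > now]

    def decide(self, subject, device_id, last_mfa, resource, now):
        """Return (allowed, reason); deny by default, allow only on full proof."""
        if device_id not in self.known_devices:
            return (False, "unknown device")
        if now - last_mfa > self.mfa_max_age:
            return (False, "mfa stale")
        self.revoke_expired(now)  # re-evaluate the map on every request
        if not any(g.subject == subject and g.resource == resource
                   for g in self.grants):
            return (False, "no active grant")
        return (True, "allow")


def demo():
    """Walk one constructed user through the decision point over time."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    tm = TrustMap(["laptop-42"])
    tm.grant("alice", "hr-db", timedelta(hours=2), t0)
    return [
        tm.decide("alice", "laptop-42", t0, "hr-db", t0),                        # fresh grant
        tm.decide("alice", "laptop-42", t0, "hr-db", t0 + timedelta(hours=3)),   # grant lapsed
        tm.decide("alice", "laptop-42", t0, "finance-db", t0),                   # never granted
    ]
```

Each decision is logged with its reason, which is exactly the data Goal 5 asks you to collect and analyze.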

Final Thoughts

High-profile hacks have become so commonplace that they’re a subgenre in the news cycle unto themselves. Information privacy is an increasingly visible commodity in the marketplace. And, of course, cyberwarfare is a likely heated battleground of coming generations. It’s fitting that now, in the Information Age, with Zero Trust architecture, we’re leaving antiquated medieval tactics behind us and moving towards the solutions of the future. The industry is always changing and evolving—but PVM plans to keep evolving with it.