With so many high-profile hacks this year, it's easy to want to throw up your hands and say, "Is there nothing that can be trusted?!" Interestingly, that lament is what is driving the latest approach to cybersecurity -- zero trust. Zero trust is what it sounds like, a security approach centered on the belief that organizations should not automatically trust anything accessing their systems either inside or outside their perimeters. Instead, all people and devices must be verified before access is granted. To the untrained eye, this seems untenable. How, in this day and age, when we depend on digital information and connection to do most anything, can we use a process where we have to constantly verify identity and access permissions? Luckily, the practice of zero trust is more sophisticated than its premise.
Remote work due to the pandemic pushed many organizations to implement zero trust practices sooner than planned. A zero trust approach allows employee credentials to be securely used from multiple devices, not just agency issued ones. This allows individuals to log in and do work from any location regardless of if they have the "approved" equipment.
To do this, zero trust involves adopting very granular, rigid user identification policies along with strict authentication that includes role-based, time, and/or location access as well as a host of other conditions for access to systems by individuals. Creating a zero trust architecture requires a number of different technologies working together. There is no off-the-shelf zero trust solution. The architecture is achieved by bringing together a wide variety of security components, including a policy enforcement point, Security Information and Event Management (SIEM), threat intelligence, security logs, and more.
With security breaches and ongoing support for a remote workforce top of mind, there are a number of events and resources available to help navigate the implementation of zero trust.
- The Impact of Telework on Fed IT Complexity (June 17, 2021; webcast) -- As agencies plan for employees to return to the office, either full-time or part-time, cybersecurity teams must prepare for a "new normal" in IT operating environments. This webinar will look at survey findings and provide takeaways including what the top security priorities are for agencies returning to the office, how the DoD differs from the private sector in cloud adoption and IT complexity, and what other challenges security teams are facing now.
- Zero Trust 2021 (August 31, 2021; virtual) -- This session will focus on the adoption of zero-trust security, bringing together agency IT leaders to discuss their successes and challenges with the architecture and how it fits with the new reality of a more remote workforce.
- National Cyber Summit (September 28-30, 2021; Huntsville, AL) -- With a focus on education, collaboration and innovation, this event brings together cyber leaders from government and industry to discuss security strategies across a number of tracks.
- Implementing a Zero Trust Architecture (white paper) -- The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved conventional network boundaries. Enterprises must evolve to provide secure access to company resources from any location and asset, protect interactions with business partners, and shield client server as well as inter-server communications.
- Security Network Auditing: Can Zero-Trust Be Achieved? (white paper) -- Given that tablets and mobile devices have become an intricate part of business aids, all organizations will eventually integrate zero trust into their environments. Many third-party vendors market zero-trust tools; though, they only provide one or two pieces to achieve "true" zero trust. This paper looks at the layered approach to achieving the aims of zero trust.