The zero trust cybersecurity framework has been gaining momentum over the past few years as corporations and government agencies have struggled to strengthen security while the network perimeter has been de-emphasized. When the COVID-19 pandemic hit and forced much of the world to interact exclusively online, the sense of urgency around zero trust security and the “never trust, always verify” philosophy behind it reached a new level of importance.
Suddenly, employees shifted to remote working and accessing resources from home. Online shopping and e-commerce became the main channel for transactions among organizations and individuals. While the shift provided many positive opportunities, it also paved the way for bad actors to find more ways to break into networks and systems. The result? A need for stronger defenses with the awareness that bad actors only need to find one entry point while organizations must work to defend their entire footprint.
In May 2021, an executive order from the White House calling on federal agencies to implement a zero trust architecture brought even more awareness and attention to this concept of zero trust security.
Keys to Success
Zero trust security strategies have been around for over ten years, and the model continues to evolve. Two panel discussions held recently by the Identity Defined Security Alliance (IDSA), National Cybersecurity Alliance and NIST National Cybersecurity Center of Excellence offered advice and helpful resources.
According to experts on the “Making Sense of Zero Trust: Perspectives from Inside and Outside Government Organizations” panels, managing identities is one of the keys to success with zero trust. A true zero trust environment includes a strong identity and access management framework. The following components are key to success:
- Unique identifiers - Each user must have an identity for authentication and authorization, but more information is needed to implement this framework. User and device information must be classified when devices have access to networks and systems. This combined information helps create a profile that includes a unique identifier for identity and access management (IAM) deployments. The resulting “trust score” helps determine provisioning rights, privileged access, physical access and other IAM functions.
- Collaboration framework - Another best practice is to have a framework that encourages collaboration among those who manage systems and data. This type of framework leads to better user experiences and can uncover ways to increase efficiencies through automation and other process improvements.
- Culture - Finally, creating a culture that recognizes and emphasizes the importance of cybersecurity throughout the organization is important for zero trust security to be successful.
Tapping into Resources
Part of an effective zero trust security strategy involves leveraging external industry resources to help strengthen the program even further.
Among the helpful resources available to security teams is the National Institute of Standards and Technology’s (NIST) Zero Trust Architecture (ZTA). The NIST document describing the architecture covers zero trust basics, logical components of ZTA, deployment scenarios/use cases and threats associated with ZTA. It also covers possible interactions between ZTA and existing federal guidance, and migrating to ZTA.
Another resource is the Department of Defense (DoD) Zero Trust Reference Architecture, prepared by the joint Defense Information Systems Agency (DISA) and National Security Agency (NSA) Zero Trust Engineering Team. The reference architecture describes standards and capabilities, and DoD noted that the architecture would evolve as zero trust requirements, technology and best practices evolve and mature.
The non-profit IDSA has also published the vendor-neutral Identity Defined Security Framework, collaboratively developed by 30+ identity and security vendors, solution providers and customer advisory board members. The framework consists of identity security best practices and outcomes and direct mapping to the NIST zero trust architecture, providing an additional identity security focus.
By utilizing available resources and deploying best practices, organizations can build and maintain a zero trust cybersecurity program to help protect against growing threats in this distributed environment.
Zero trust is much more than an industry buzzword. It’s a transformative way of thinking about security that improves security while reducing user friction and has become necessary in an increasingly challenging risk environment.