The U.S. Government issued requirements for agencies to meet zero-trust architecture standards by September 2024
Zero-Trust is vital as workloads push to the cloud and the perimeter continues to disappear
The Government’s 5 Pillars can guide your zero-trust approach
Zero trust strategies look set to play a crucial role in cybersecurity over the next five to ten years. By removing any default trust given to devices, users, or services inside or outside a network, zero trust promises to strengthen security and reduce risk exposure beyond what’s possible with a perimeter-centric set of policies and tools.
The US government recognizes zero trust’s importance too. A January 2022 memo outlined the US government’s intention to transition Federal agencies toward a “zero trust” approach to cybersecurity by 2024.
While zero trust sounds conceptually simple, its implementation is challenging given the complexity of modern IT environments even in small to mid-sized companies. Achieving optimal zero trust maturity takes a timescale of years, and the 2024 deadline for Federal agencies seems both overly optimistic and aggressive.
Zero Trust is not a product, but a concept and you may already be doing certain aspects of zero trust. There are some vital takeaways within these government guidelines that you can use to lay the foundation for a zero-trust approach. Here are some key zero trust actions you can take across five security pillars outlined by the US government.
Five Security Pillars (per the US Government)
1. Identity
At its heart, zero trust transforms security from being perimeter-centric to identity-centric. The necessity of this change stems from the fact that perimeter security doesn’t provide enough protection against modern cyber-attacks.
Threat actors continue to breach organizations using weak or stolen user credentials. Once inside the network (and beyond most perimeter controls), adversaries use tools and tactics to move laterally and escalate privileges until they access the most sensitive data and infrastructure.
Here are some suggestions for better securing against identity-focused cyber-attacks.
Use Centralized Identity and Access Management (IAM) — strictly controlling access and always verifying users in line with the zero-trust principle requires a centralized IAM solution. This solution must integrate with the apps and services used throughout your IT environment so that you can verify user identities wherever any access request occurs.
Mandate Multi-factor Authentication — requiring users to provide an additional category of evidence to prove who they are is essential in achieving the robust authentication called for by zero trust. It’s important to use MFA across the business, not just for a select few services or applications. It’s also vital that requests for additional verification are contextually applied to access requests and high-risk transactions rather than challenging users every single time they do something. You don’t want security controls to frustrate users and impede their productivity.
Track User Authorization Traffic — While IAM and stronger authentication set the groundwork for securing user identities, tracking, and analyzing authorization traffic provides additional information to ensure access requests are appropriate and secure. This authorization traffic could include the device from which access is requested or the IP address.
2. Device Security
Zero trust applies to the devices connected to your network. But with the widespread adoption of WFH and hybrid workforces, many devices connect to networks that organizations can’t track. Here are some ways to get control over device security:
Inventory Your Assets — An asset inventory provides a complete understanding of the devices and software interacting within your environment. With devices coming and going regularly, and new apps being used all the time, automated discovery is paramount in building this inventory.
Deploy An XDR End Point Solution — XDR provides excellent visibility into device, cloud, and network threats, alongside data collection to both establish and continually assess device trust. With XDR, you can flag suspicious device activity, detect in-progress threats, and quickly respond by revoking access.
3. Networks
Although many critical apps are moving to the Cloud, there is still a network environment that needs securing if you want to achieve a zero-trust approach. Traffic moves around this environment constantly, and poor security practices can lead to sensitive data compromises or facilitate lateral movement. Some recommended actions include:
Encrypt Traffic — The premise of never trusting extends to the data packets and other traffic in your network. Anyone snooping on this traffic can potentially access sensitive data if you don’t encrypt it.
Use HTTPS for Web and API Traffic — When applications speak to each other and to users through web browsers, those communications need to be secured. Malicious threat actors can easily intercept unsecured web and API traffic in an attempt to steal information that other zero trust controls would protect. Use HTTPS to secure all web and API traffic in your environment.
Segment Where Possible — Perimeters guarding the network boundary may no longer suffice. However, network segmentation constructs ‘microperimeters’ around particularly sensitive data or systems. With segmentation in place, lateral movement becomes more challenging and the overall attack surface decreases.
4. Applications and Workloads
Applications, their components, and their workloads are a constant source of security threats. The Log4j incident reinforced this lesson with attempts to exploit it spreading like wildfire and targeting businesses globally. Here’s how to get better control of application security.
Test Applications Regularly — Companies use many different applications to meet different business needs. Thorough testing of these applications ensures they aren’t vulnerable to sophisticated cyber-attacks that might compromise security in a zero-trust environment.
Manage Your Vendors — Third-party validations from security experts also prove useful in making sure applications purchased from outside vendors are secure. Request penetration test results and security reports from your vendors to solidify security in your company’s app ecosystem.
Prioritize Immutability — When deploying apps to cloud infrastructure, immutable deployments mean that you reduce potential security risks introduced by changing codes, operating systems, or libraries in that deployment. Instead of an in-place tweak, immutability requires the redeployment of reliable, predictable, and scalable application workloads for improved security.
5. Data
Data is ultimately what many cybercriminals want to get their hands on when attacking businesses. Here are some tips for protecting data in line with the zero-trust model.
Tag and Manage Sensitive Data Access —Not all data needs the same level of protection. It’s essential to have a system in place that categorizes and tags sensitive data so that you know how to best manage access to different resources. Tagging also aids in the early detection of anomalous access behavior for sensitive files or documents.
Implement Comprehensive Logging — Logs play an important part in helping businesses efficiently investigate and recover from security incidents targeting sensitive data assets.
Audit and Monitor Cloud Data Access — 35 percent of SMBs spend between $600,000 and 1.2 million each year on public cloud services. Many of these public cloud services are used to store data or run applications that access databases. Auditing and monitoring cloud data access ensures that users are requesting access to the expected cloud resources in line with normal activity.
How to Begin on you Zero Trust Journey…
As you read the 5 Pillars, you probably said, “we kinda do that already.” That’s very common and what we’ve found is that huge leaps towards ZTA can be achieved with a bit of tweaking, followed by defined projects to close gaps.
We've written a planning guideline that will help you on your journey. Get it now for free: