Zero Trust and Why It’s Important for Every Organization
The recent SolarWinds and Colonial Pipeline attacks have clearly demonstrated that traditional approaches to cybersecurity aren’t working. More needs to be done from a “defense in depth” perspective, and security teams need to take a more innovative approach to securing their networks, assets, and data. As defined by NIST (SP 800-207), “Zero Trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated… The initial focus should be on restricting resources to those with a need to access and grant only the minimum privileges (e.g., read, write, delete) needed to perform the mission.” In short, Zero Trust is built around the concept of “never trust… always verify.”
Why do we believe the concept of Zero Trust is important for every organization, both Federal and commercial? Today, most enterprise infrastructures are very complex, with multiple internal networks intertwined with cloud assets and services, remote workers, and more. Over the past decade or more, there has been a shift away from the old “moat and castle” approach to cybersecurity, as security teams have found that legacy perimeter-based security is no longer workable. Organizations and Federal Agencies cannot just guard and protect their network perimeters and expect their networks to be secure. These organizations, and the security professionals who support them, need to work from the mindset that their networks and systems are already compromised, and need to focus on mitigating unhindered lateral movement across their networks. The Zero Trust model was developed to address this very challenge.
Executive Order on Improving the Nation’s Cybersecurity
On May 12, 2021, President Biden signed an Executive Order (EO) to improve the nation’s cybersecurity and protect federal government networks. This exceptionally detailed EO stated, “Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cybercriminals. These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.” One major focus area is a mandate for Federal agencies to modernize cybersecurity by developing and implementing a comprehensive Zero Trust plan. This plan must be comprehensive and include cloud computing resources. Keep in mind that this Executive Order requires all U.S. Federal Agencies to meet various Zero Trust milestones over the next 60, 90, and 180 days.
Where to Begin — Learn how S2 addresses the requirements outlined in the Executive Order including:
- Begin creating a ZT Strategy today with a rapid implementation plan.
- Implement consistent security practices among cloud computing, SaaS, and data centers.
- Cloud Security Engineering and Architecture to meet Federal Government standards.
- Implement and validate encryption standards, including network-wide multi-factor authentication.
- Implement automation and orchestration to enforce ZT principles.
- Implement an Identity and Access Management (IDAM) solution.
- Enhance Software Supply Chain Security.
- Protect the integrity of critical software that performs functions critical to trust.
- And more…
Learn more and how we can help your organization: https://www.stage2sec.com/zerotrust