FEDTECH: How does zero-trust architecture improve upon current cybersecurity measures?
Howell: It’s a fundamental change in concept and approach. Historically, most federal agencies have used the castle-moat approach, perimeter-based cybersecurity. You have firewalls protecting what is inside the firewall from all the bad actors outside. That no longer works. The reasons are cloud and mobile computing. There is essentially no perimeter anymore. The perimeter is the world.
Secondly, historically, if I allow you into my network or if you break into my network without approval, you have access to everything. What zero trust brings is a lot more interior segmentation. It’s finer-grained control about where people can go, what machines they can get to, what data they can access and what they are allowed to do with it. If someone gets into your castle, they can only go into one room. They can’t roam the whole castle. It’s changing the default from “allow all” to “allow none.” Zero trust requires a proactive authorization to access and to do anything inside the systems.
Caron: Zero trust puts the focus on what you really are protecting, which is the data. Right now, we do this peanut butter spread approach, where we try to protect everything equally. That’s very compliance-focused and resource-intensive, but compliance doesn’t equal effectiveness. With zero trust, protecting the crown jewels is the most important thing. You are going to put the protections closer to the data and constantly assess risk.
FEDTECH: How is it different from standard endpoint security measures?
Cunningham: Legacy anti-virus has not proved effective. Therefore, zero trust approaches it from a different side, using application whitelisting and ring-fencing, among other things. There is a different way to prevent an endpoint from causing an infection at scale. We take the position that you are going to have an infection at an endpoint sooner or later. What we don’t want is for that endpoint infection to infect an entire network. Zero trust is focused on that very issue.