Zero Trust Is About More Than New Technology
The path to containing hackers differs from agency to agency, depending on the existing infrastructure. Achieving that goal, and staying up to date once it’s reached, takes some work.
President Joe Biden’s executive order on cybersecurity, issued in May, includes zero trust as one of the four pillars agencies must use to build a solid security foundation. The others are multifactor authentication; identity and access management; and supply chain and Internet of Things security.
While the EO targets federal agencies, third-party vendors must also learn more about cybersecurity, given that their products can be unwitting vectors for malware. More important, sellers will have to learn to make the concept of zero trust simpler for buyers.
Many agencies still view zero trust as a new infrastructure built with a host of new technologies that they’ll have to buy. While new purchases may be necessary, the idea remains the same: Do I know that the email you sent me really is from you?
To build an environment in which the answer to that question is always yes, an agency must ask other questions. For example: Are we relying on a cloud environment? If so, is it hybrid or multicloud? Is it on-premises or off? Depending on the answers, an agency may be able to reach zero trust on its own.
If the environment is a complex or aging one, the agency may need external architects and engineers to help develop zero trust.
An outside set of eyes can help an agency see vulnerable spots it might have missed, places where a malicious actor could breach a system or upload a little ransomware.
Cybersecurity User Training Is Key to Zero Trust Success
Then comes the next important question: Are network users educated? Do they know what a fake email looks like? Do they know not to open unusual attachments? An agency can control all the technological measures it wants, and then a threat comes in attached to an email that a worker opens without thinking — and the attack has begun.
Most major breaches in 2021 were ransomware attacks launched through phishing, which agencies can avoid with education. Sometimes, the only clue that an email is not legitimate is a single incorrect letter in the email address or one misspelling in the body.
Zero trust, you see, is more than just adding technology — it’s education for the human elements of the network. The federal government seems to be a less popular ransomware target, possibly because of policies and procedures that protect classified information. Individual users are still the weak link, however. Today, federal employees have to examine every email with suspicion and consider everyone a threat, a thought they wouldn’t have had a few years ago.
Agencies rely on CTOs and CISOs to have the right appliances and software to protect the network, and to vet all the traffic coming in and out. But to be truly effective, the zero-trust environment must also exist in users’ minds.