Fact or Fallacy: Sorting Out the Concerns About Zero Trust
Traditionally, cybersecurity professionals designed, built and managed controls with a location-based approach. A strong perimeter separated systems inside the network from those that were outside. If you were inside, you had broad access to a wide variety of resources; if you were outside, you could only use public-facing systems.
Location-based approaches, however, have two significant drawbacks. First, intruders who gain access to an internal network will face few additional security controls as they move laterally around the network. Second, a malicious insider can exploit their privileged access and cause significant damage to the organization.
The zero-trust approach, the most recent evolution of network security concepts, abandons this perimeter-focused mentality. Instead of granting access because a request arrives from an internal network address, it makes each access decision on the strength of the user's authenticated identity and the state of the device the request comes from, and it re-evaluates that decision for every request to every resource.
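To make the contrast concrete, here is an added illustration that is not part of the original article: a small Python policy engine with a location-based (perimeter) rule beside a per-request zero-trust decision. The address ranges, user entitlements, device states and requests are all constructed for the example. It walks through the two drawbacks described above (an intruder already on an internal address, and an authenticated insider reaching beyond their entitlements) and the remote-work case that location-based rules cannot express.

```python
"""Added example, not code from the original article: a toy policy engine
contrasting a perimeter rule with a zero-trust decision that checks identity,
authentication strength, device health and entitlement on every request.
Every network, user, device and request below is constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Hypothetical corporate address space; the perimeter model trusts anything inside it.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hypothetical entitlements: which authenticated identity may reach which resource.
ENTITLEMENTS = {
    "alice": {"hr-db", "public-web"},
    "bob": {"build-server", "public-web"},
}


@dataclass(frozen=True)
class Request:
    user: Optional[str]      # authenticated identity, or None if the caller never authenticated
    mfa: bool                # did the session complete multifactor authentication?
    device_compliant: bool   # did device posture (EDR running, disk encrypted, patched) pass?
    source_ip: str           # network location the request arrived from
    resource: str            # what is being accessed, e.g. "hr-db"


def perimeter_decision(req: Request) -> bool:
    """Location-based rule: inside the network means broad access; outside means
    only public systems. Identity and device state are never consulted."""
    src = ip_address(req.source_ip)
    inside = any(src in net for net in INTERNAL_NETS)
    return inside or req.resource == "public-web"


def zero_trust_decision(req: Request) -> bool:
    """Identity-based rule evaluated per request: the caller must be authenticated
    with MFA, on a compliant device, and explicitly entitled to the resource.
    The source address is deliberately not a factor in the decision."""
    if req.resource == "public-web":
        return True  # public system: nothing sensitive, no trust required
    if req.user is None or not req.mfa or not req.device_compliant:
        return False
    return req.resource in ENTITLEMENTS.get(req.user, set())


# Constructed scenarios mapping to the article's two drawbacks plus the remote-work case.
SCENARIOS = {
    # Intruder has a foothold on an internal host but no identity: lateral movement attempt.
    "lateral_movement": Request(None, False, False, "10.20.30.40", "hr-db"),
    # Legitimate, fully authenticated insider reaching a resource outside their entitlements.
    "malicious_insider": Request("bob", True, True, "192.168.5.9", "hr-db"),
    # Teleworker on a healthy, MFA-authenticated device; no internal address available.
    "remote_worker_healthy": Request("alice", True, True, "203.0.113.5", "hr-db"),
    # Same teleworker, but the device failed its posture check (e.g. EDR not running).
    "remote_worker_unhealthy_device": Request("alice", True, False, "203.0.113.5", "hr-db"),
}


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Return {scenario: (perimeter_allows, zero_trust_allows)} for every constructed request."""
    return {
        name: (perimeter_decision(req), zero_trust_decision(req))
        for name, req in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, (perim, zt) in run_scenarios().items():
        print(f"{name:32s} perimeter={'ALLOW' if perim else 'DENY ':5s} zero_trust={'ALLOW' if zt else 'DENY'}")
```

The perimeter rule allows both the intruder's lateral move and the insider's over-reach because each arrives from an internal address, while it blocks the teleworker outright. The zero-trust rule inverts every one of those outcomes, and additionally denies the teleworker once the device fails its posture check, which is the per-request re-evaluation the paragraph above describes.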
Federal agencies are now working toward zero trust, spurred on by Executive Order 14028 (May 2021) and the Office of Management and Budget's Memorandum M-22-09, published in January 2022, which requires them to meet specific zero-trust goals by Sept. 30, 2024, the end of fiscal year 2024.
Let’s dig into this trend and look at some of the key facts and fallacies surrounding the move from traditional security approaches to a zero-trust network architecture.
Fact: Many Organizations Are Already Planning a Zero-Trust Approach to Security.
Zero trust is no fad. It’s a fundamental shift in the way that organizations approach network security, and it’s becoming more common. In a survey done in January by Fortinet, 85 percent of respondents indicated that they have a zero-trust strategy in place, and 40 percent of those said the strategy was fully implemented.
When asked why they were pursuing this approach, the top three reasons given were to minimize the impact of a breach or security intrusion, to secure remote access, and to ensure business or mission continuity.
These compelling advantages explain why most cybersecurity leaders are moving in this direction. The rise of telework in the wake of COVID-19 accelerated the need to adopt these strategies, as organizations found themselves needing to abandon location-based security rules to enable remote access.
It’s unlikely that those strict perimeter protection policies will ever return, as organizations and their employees have adapted to remote and hybrid work.
Fallacy: We Are Behind the Curve If We Haven’t Implemented Zero Trust.
While Fortinet’s survey showed that most organizations are adopting zero-trust approaches, that doesn’t mean the transition is complete. The same survey found that the majority (54 percent) are only midway through. It’s important to recognize that the Fortinet results come from all industries; the public sector commonly lags behind the private in the adoption of new technologies and approaches.
That said, the time is ripe for the adoption of a zero-trust approach to network security. In addition to the rising demand to support a remote workforce, zero-trust strategies are crucial to combating modern, sophisticated threat actors. Federal government agencies are prime targets for cyberattacks, and a zero-trust security strategy makes it harder for an initial compromise to be turned into a breach, while limiting the reach and impact of incidents that do occur.
Fallacy: Shifting to Zero Trust Requires Abandoning Existing Cybersecurity Infrastructure.
On the contrary, many existing core cybersecurity technologies provide the foundation for zero-trust implementations:
- Identity and access management platforms that support strong, phishing-resistant multifactor authentication (such as PIV cards or FIDO2/WebAuthn authenticators, which M-22-09 calls for) to provide confidence in the identity claims made by users
- Next-generation firewalls to enforce identity-based security policies
- Privileged access management solutions to monitor and manage the use of administrative accounts
- Cloud security posture management technologies that continuously check cloud configurations against security policy and flag drift
- Next-generation endpoint protection solutions that perform behavior-based monitoring and identify anomalous activity
- Network access control solutions that prevent unauthorized devices from connecting to wired and wireless networks
Agencies with these technologies in place may find that they simply need to either reconfigure those solutions or purchase add-on modules in order to implement the identity-based security controls preferred in zero-trust implementations.
Fact: Moving to Zero Trust Should Be a Long-term Objective.
While agencies choosing to adopt zero-trust strategies may certainly find themselves carrying out projects along the way, the approach itself is not a short-term project that can be quickly checked off a list.
Instead, moving to zero trust is a philosophical and cultural shift. Cybersecurity teams that embrace zero trust adopt a new way of thinking that focuses on building identity-based controls. That requires a long-term commitment that will permeate virtually every future technology project undertaken by an agency and will affect every single worker.
Zero trust is the next evolution in network security philosophies. Agencies that have not already begun their transition to this approach should begin to plan how it will impact their security programs moving forward.
Shifting away from a location-based security philosophy is crucial to enabling the future of remote work and protecting agency systems and information from emerging threats.