The idea of an easily contained network perimeter that exists only within the walls of an organization is a thing of the past. Maintaining data security in the current climate means contending with a rapidly expanding threat surface that includes workers making remote connections from across the globe, off-site cloud data storage, and a myriad of devices accessing secure material. This means that the moat-and-castle approach to security, where efforts are focused on keeping the enemy outside the perimeter, is no longer sufficient. The federal government and other organizations are increasingly adopting the “never trust, always verify” system of Zero Trust (ZT). Zero Trust operates on the premise that every access to a system, regardless of the user, device, network, or location, could be compromised. Users and devices are strictly monitored, and data is compartmentalized in such a way as to minimize risk.
Enhancing Identity and Access Management in Zero Trust
One of the basic principles of Zero Trust is robust identity and access management. In practice, the first step in securing a system is implementing effective identity management protocols, such as multi-factor authentication, that ensure access is granted only to those with the proper credentials. In addition to establishing user authentication, it is of the utmost importance to verify device security during this stage, because bad actors often exploit outdated devices or unpatched software to penetrate a system. Technology advancements such as blockchain, biometric identifiers, and artificial intelligence are being employed as additional authenticators in identity and access management. While standard security would allow unrestricted access after identity authentication, a Zero Trust model also tailors access to the specific needs of the user through micro-segmentation, preventing access to any areas deemed unnecessary. This is an effective strategy: if a system is compromised, the damage is compartmentalized and lateral movement is contained.
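The contrast drawn above, as an added example that is not part of the original article: the same requests are evaluated by a perimeter-style check and by a per-request Zero Trust check covering MFA, device patch level, and micro-segmentation. The role names, segment names, patch-level threshold, and sample requests are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed policy data (assumptions, not from the article).
ROLE_SEGMENTS = {"hr-analyst": {"hr-records"}, "developer": {"source-repo", "ci"}}
ALL_SEGMENTS = {"hr-records", "source-repo", "ci", "finance-db"}
MIN_PATCH_LEVEL = 202405  # hypothetical minimum OS patch level, YYYYMM

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    password_ok: bool
    mfa_ok: bool
    device_patch_level: int
    segment: str

def perimeter_decision(req):
    """Castle-and-moat: one successful login makes every segment reachable."""
    return req.password_ok

def zero_trust_decision(req):
    """Evaluated on every request; returns (allowed, reason), deny by default."""
    if not (req.password_ok and req.mfa_ok):
        return False, "identity not verified with MFA"
    if req.device_patch_level < MIN_PATCH_LEVEL:
        return False, "device posture check failed"
    if req.segment not in ROLE_SEGMENTS.get(req.role, set()):
        return False, "segment not needed by role"
    return True, "allowed"

def reachable_segments(req):
    """Blast radius: segments this session could reach if it were compromised."""
    return {s for s in ALL_SEGMENTS if zero_trust_decision(replace(req, segment=s))[0]}

# Constructed sample requests.
SAMPLES = [
    Request("alice", "hr-analyst", True, True, 202406, "hr-records"),
    Request("alice", "hr-analyst", True, True, 202406, "source-repo"),
    Request("bob", "developer", True, True, 202301, "ci"),
    Request("carol", "developer", True, False, 202406, "source-repo"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.segment, perimeter_decision(r), zero_trust_decision(r))
    print("alice blast radius:", reachable_segments(SAMPLES[0]))
```

Every sample passes the perimeter check, while the Zero Trust check admits only the first and limits that session to the single segment its role needs.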
Cybersecurity Initiatives in Government
In May of 2021, President Biden issued his “Executive Order on Improving the Nation’s Cybersecurity,” in which he cites the implementation of Zero Trust security as a fundamental element in securing the nation’s cybersecurity infrastructure. The timeline specified by this Executive Order (EO) requires that government agencies take significant steps towards compliance by the end of the 2024 fiscal year. This may be an overly optimistic timeline, according to Taylor Armerding, who writes in his blog for RSAC, “government IT has always been ponderously slow, in part because it has problems of scale—the bureaucracy is massive and unwieldy.” President Biden’s EO is a step in the right direction, but the switch to Zero Trust for some government agencies could be a complex endeavor that will take significant time to implement with fidelity. According to Ambler Jackson, “Individuals within the federal workforce who are responsible for Zero Trust programs might be surprised to learn that many of their current security controls already align to the five pillars of Identity, Devices, Networks, Applications and Workloads, and Data.” In an effort to streamline the transition process, the Cybersecurity and Infrastructure Security Agency (CISA) has established an office specifically for the purpose of overseeing and aiding government agencies in the adoption of Zero Trust.
For those individuals whose security controls do align to the five pillars, Jackson said, “the journey will consist of identifying technical solutions that will help mature their current security activities.”
Future Trends and Innovations in Zero Trust
Although Zero Trust can be an effective approach to ensuring cybersecurity, it is not without its drawbacks. Many legacy systems and software are incompatible with Zero Trust security protocols and can be complicated to incorporate into a Zero Trust architecture. Even without legacy issues, effective Zero Trust systems that constantly monitor user authentication, compartmentalize areas of access, and manage all of the devices that access the system can be complex and expensive to establish and maintain. In addition, many users report that Zero Trust systems can be frustrating and place unnecessary impediments in the way of information that the system has segmented. Ultimately, these difficulties are insignificant in the face of the costs and inconveniences associated with a system breach by malicious actors.
Zero Trust will continue to evolve as new technologies become available. Artificial intelligence (AI) and machine learning (ML) are already being employed in the field of secure identity and access management, and they are also starting to be used to analyze behaviors and monitor access for anomalies that could indicate a threat. The growing automation associated with AI and ML will reduce some of the associated costs that currently prevent some organizations from adopting Zero Trust. While not a panacea, widespread adoption of Zero Trust will help the US government and other organizations raise the level of their cybersecurity and minimize risks associated with a breach.
To learn more about Zero Trust, visit RSAC Marketplace, where you can find a wide range of cybersecurity vendors and service providers who can assist with your specific needs.