Trusting Zero Trust Architecture
Getting the cybersecurity method right is more complex than it seems.
Many federal government agencies are interested in improving their cybersecurity by moving to a zero trust architecture model. But such a move, while very beneficial to the organization, is a complex and involved process that requires some fundamental changes in how security and operations are approached, says Don Maclean, chief cybersecurity technologist for DLT Solutions.
Zero trust architecture is a cybersecurity concept that assumes a network is or will be compromised and takes steps to protect data at every potential point of access.
DLT divides cybersecurity into two broad categories: innovative, forward-leaning technologies and foundational technologies. While new and novel approaches get a lot of attention, foundational systems are perhaps more important—especially to government customers who still focus much of their spending on this category.
“Any major undertaking implementing a zero trust architecture requires a solid foundation” based on these core technologies, Maclean told Kimberly Underwood, SIGNAL Magazine’s senior editor, during a SIGNAL Executive Video Series discussion.
Maclean notes that foundational cybersecurity technologies such as endpoint security, encrypting data (such as file and database encryption) and identity credential management aren’t necessarily associated with zero trust architecture in people’s minds but they are essential to successfully using implementing it.
Once they have the core basics in place, agencies can begin thinking about newer technologies like micro segmentation, software-defined networking, and the ability to respond quickly and automatically to an incident. This latter capability is done via micro segmentation and is important because it allows organizations to isolate individual systems or networks without having to human intervention. “If you can isolate single systems, that’s a lot better than having to cut off all network services to everyone,” Maclean said.
One of the misconceptions about zero trust is that it is a single, well-defined architecture or something that can be implemented by purchasing one or two technologies. “It’s not just something you can go out and buy,” he explains.
Perhaps the biggest pitfall is human—changing certain core assumptions about security. Maclean cites the example of Google, which got rid of its VPNs and firewalls, something that goes against traditional cybersecurity thinking. “That’s a pretty big mindset change” that requires work to change, he said.
The final thing about zero trust is that it’s an ongoing process, not an end in itself. “You’re not trying to implement zero trust, what you’re trying to do is make your network more secure,” Maclean said.