Without Zero Trust, Data Is Nothing
Zero trust is the only way to go for data security, but it will have many parents as it is developed and evolves to meet oncoming challenges. Both government and the commercial sector will be crafting its architecture to meet rapidly changing threats from across the cyber spectrum, and its adoption cannot come soon enough.
That was the message delivered by two experts—one from government, the other from industry—at a micro keynote on day two of AFCEA’s TechNet Cyber, being held in Baltimore May 2-4. Zero trust is well on its way, and support for it is growing among participants. But challenges remain and cultural issues must be addressed.
Randy Resnick, director, Zero Trust Portfolio Management Office, Office of the Department of Defense Chief Information Officer, stated the goal is to achieve target level zero trust in 2027. “Target level for us means being able to stop the adversary,” he explained. “There is a lot of science that goes behind how we define our activity level and our capability level.” If a target is met, it will represent “very swift resistance” to any form of attack, he offered.
“Zero trust is, no doubt, a paradigm shift in cybersecurity,” he declared. “It is a new way, it is the only way, that we can protect our data from adversaries going forward.”
Tactics, techniques and procedures are changing and becoming more sophisticated, he continued. The Defense Department believes that zero trust “is the exact model” that can stop the increasingly sophisticated cyber attacks.
Unlike many other vital defense projects, funding is not the primary issue. Timeliness is, Resnick offered. The effort must stay on schedule with the proper products from vendors to create the correct solution.
Key to success will be multivendor integration. No single vendor will solve the problem, so the department will need integrated solutions from two or more vendors that cover the mapping of the activities, he said. Vendors should map their products and services against the definition of zero trust based on the department’s seven pillars of zero-trust activities, Resnick emphasized. And, software should be written to be zero-trust aware.
Many parties are working on adopting the department’s work by focusing on the large themes that have been determined. This approach will help guarantee interoperability and a singular focus from the vendor perspective, he added.
Foundational documents—such as the DoD Reference Architecture 2.0, the strategy and the implementation plan—already are available. This summer will see the zero-trust overlay for NIST 800-53. This would complete the entire set of documentation required to help everyone attain zero trust as quickly as possible, Resnick stated.
Not only is Resnick’s portfolio office working on the information technology aspects of zero trust, it also is working on other supporting entities such as policies, doctrine, training and logistics, he pointed out. The office is working with the Defense Acquisition University and individual agencies, and it is on target for delivering three zero-trust courses within the Defense Department. One, the basic awareness course, already is available on Joint Knowledge Online for both military and civilian personnel.
The vendors’ role, along with the importance of a zero trust approach, was emphasized by Jim Cosby, chief technology officer, U.S. Public Sector and Partners, NetApp. He noted that last year, 18 percent of data breaches were from insiders. With zero trust, most of them would not have had access to that data. This is not to denigrate network security, he emphasized. Both network and data protection are needed, as the network must be authenticated and the data aspect must be robust.
“We can have all the apps and networks and servers in the world we want,” he stated. “But if we don’t have any data, we don’t have anything. Data is the new oil of this economy.”
The first step is to identify data, then classify it and categorize it. That will illuminate what is sensitive and needs to be encrypted and protected, Cosby suggested. And these best practices must run from the edge, to the core, to the cloud, to the multicloud. “You don’t want a hole showing up anywhere just because you went from one cloud to another or one location to another,” he said.
Also, data must be backed up for instant recovery as much as possible. Cosby noted that attackers are getting into customers’ environments and encrypting data while destroying the backup data first. The customer must then pay the ransomware extortion to recover the data. Countering this will require an immutable backup to a known-good copy that cannot be deleted either from within the environment or from outside it.
But, Cosby emphasized, at the end of the day the data is where the micro-core and perimeter security is established. Resnick returned to the theme of zero trust becoming the dominant approach to security. Noting that an advanced version of the Defense Department’s Identity, Credential and Access Management (ICAM) strategy is foundational for zero trust, he envisioned a future where data security dominates.
“[Using] network cybersecurity to protect the data is going to be less and less and less,” he declared.