The US Government will move to zero trust security by 2024. Is your business ready?
The US Government has put in motion a strategy for zero trust security, which applies to every federal agency and their suppliers.
The zero trust security model has become a cornerstone of information security in response to an increasingly sophisticated threat landscape. It is a collection of concepts and technical measures intended to minimize uncertainty when enforcing access controls to information systems. The goal is to prevent unauthorized access to data by making enforcement as granular as possible.
While there are several zero trust maturity models for businesses to follow, the most widely recognized in the US is the Cybersecurity & Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model. This is based on the globally recognized best practices and standards codified by the National Institute of Standards and Technology (NIST), specifically in the NIST Special Publication 800-207.
What is Executive Order 14028?
Executive Order 14028 was signed by President Biden on May 12, 2021, with the intention of bolstering the nation’s cybersecurity. It was a response to the high-profile supply-chain compromises, ransomware attacks, and data breaches of the preceding years, such as the SolarWinds intrusion and the Microsoft Exchange Server vulnerabilities. The order marks the US Government’s shift towards zero trust security, a major policy change that aims to standardize cybersecurity practice across the federal government and, through its procurement and software supply-chain requirements, among the vendors that supply it.
The order binds all federal agencies, and its requirements reach their suppliers through the contracts those agencies award. Among the biggest challenges of the order was that it gave federal agencies only 60 days to develop a plan for implementing a zero trust architecture in accordance with NIST SP 800-207.
How does zero trust security work?
Earlier guidance released by the National Security Agency (NSA) in February 2021 describes a zero trust security framework as one that eliminates implicit trust in any one element, node, or service and assumes that a breach is inevitable. As such, the power of zero trust security hinges on concepts like continuous verification and the principle of least privilege, which limit access to only the data that a device, service, or user needs to perform its role.
Zero trust security presents a significant departure from legacy security models, which revolve around the concept of a perimeter. In those environments, once a device, service, or end user is inside the network, it is considered trusted. However, in the distributed computing environments that almost all organizations rely on today, the idea of a perimeter has become largely irrelevant. Most importantly, with perimeter-based security an attacker only needs to find a way past the perimeter, after which they are free to move laterally throughout the network. By contrast, zero trust follows the principle of never trust, always verify: every request must establish that the user is who they say they are and that their account and device have not been compromised.
Although zero trust security should be applied to all systems that collect, process, or store sensitive data, organizations should be especially mindful of how it affects their collaboration and communications platforms. Platforms like WhatsApp, Slack, and Microsoft Teams are common attack vectors for social engineering, where a compromised account is used to dupe unsuspecting colleagues into surrendering sensitive information or downloading malware. In other words, you cannot automatically trust everyone who has access to the platform just because they managed to log in.
Implementing a framework
Zero trust security is not a specific type of technical solution. It is a set of fundamental concepts that include explicit verification, least privilege access, and the assumption that the system in question has already been breached.
Explicit verification means that one-time validation is insufficient. Instead, every access attempt must be authenticated with at least two factors before it reaches the system, and the session must be re-evaluated continuously rather than trusted for as long as the cookie or token lasts. For example, a user might be legitimately logged in, but if the source IP address or the device presenting the session suddenly changes, the session token may have been stolen. Because an IP change on its own is a weak signal (mobile roaming and VPNs produce it routinely), the usual response is to force re-authentication rather than to lock the account; a session turning up on an unenrolled device is a stronger signal and justifies an outright denial. Either way, zero trust policies rely on real-time visibility into user access sessions.
The principle of least privilege holds that no user or device should ever have access to data that it does not explicitly need to perform its role; anything not explicitly granted is denied. This limits an attacker’s ability to move laterally through a network once a single account or device is compromised. For example, there is no need for marketing teams to have access to the company’s financial accounts.
Finally, implementing zero trust requires a shift in mindset. In order to minimize the blast radius of an attack, you must always assume that your systems have already been breached, which in practice means defaulting to deny, keeping sessions short, and logging every access decision so that an intrusion can be reconstructed. This ensures you take a proactive, rather than a purely reactive, approach to security.
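The three principles above are easiest to see as a single policy decision point that every request passes through. The following is an added example written for this page, not code from the original article or from Worldr; it is a minimal decision point in the style NIST SP 800-207 describes. The roles, resources, 15-minute session limit, two-factor requirement, and all sample sessions and IP addresses are constructed assumptions for illustration.

```python
"""
Added example (not from the original page): a minimal zero-trust policy
decision point. Every request is checked against the subject, the device and
the session context; nothing is trusted because of network location or because
the session was valid a moment ago. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Least privilege: explicit allowlist of role -> resource -> actions.
# Anything not listed is denied (default deny). Constructed data.
ROLE_PERMISSIONS = {
    "marketing": {"campaigns": {"read", "write"}, "brand-assets": {"read"}},
    "finance":   {"ledger": {"read", "write"}, "campaigns": {"read"}},
}
REQUIRED_AUTH_FACTORS = 2                 # assumption: MFA is mandatory
MAX_SESSION_AGE = timedelta(minutes=15)   # assumption: re-verify every 15 min
AUDIT_LOG = []                            # assume breach: record every decision

@dataclass
class Session:
    user: str
    roles: frozenset
    auth_factors: int        # factors verified when the session was issued
    device_id: str           # enrolled device the session is bound to
    device_compliant: bool   # e.g. disk encryption on, EDR agent healthy
    ip: str                  # source IP observed at authentication
    issued_at: datetime

@dataclass
class Request:
    session: Session
    resource: str
    action: str
    ip: str                  # source IP observed on this request
    device_id: str           # device presenting the request
    now: datetime

@dataclass
class Decision:
    allow: bool
    reason: str
    step_up: bool = False    # denied now, but a fresh MFA would resolve it

def evaluate(req: Request) -> Decision:
    """Decide one request and append the outcome to the audit log."""
    d = _evaluate(req, req.session)
    AUDIT_LOG.append({"user": req.session.user, "resource": req.resource,
                      "action": req.action, "ip": req.ip,
                      "allow": d.allow, "reason": d.reason})
    return d

def _evaluate(req: Request, s: Session) -> Decision:
    # Explicit verification: the login itself must have been strong enough ...
    if s.auth_factors < REQUIRED_AUTH_FACTORS:
        return Decision(False, "mfa_required", step_up=True)
    # ... and it is re-checked on every request, not only once at login.
    if req.now - s.issued_at > MAX_SESSION_AGE:
        return Decision(False, "session_expired", step_up=True)
    # Device posture is verified alongside the user. A session token that
    # shows up on a device it was not issued to is a hard deny (possible theft).
    if req.device_id != s.device_id:
        return Decision(False, "device_mismatch")
    if not s.device_compliant:
        return Decision(False, "device_noncompliant")
    # A source-IP change is a weak signal on its own (mobile roaming, VPN),
    # so it forces re-authentication instead of locking the account.
    if req.ip != s.ip:
        return Decision(False, "context_changed", step_up=True)
    # Least privilege: only an explicit role grant allows the action.
    for role in sorted(s.roles):
        if req.action in ROLE_PERMISSIONS.get(role, {}).get(req.resource, set()):
            return Decision(True, f"allowed_by_role:{role}")
    return Decision(False, "no_matching_permission")

def demo() -> dict:
    """Run constructed scenarios; returns {name: (allow, reason, step_up)}."""
    t0 = datetime(2021, 5, 12, 9, 0, tzinfo=timezone.utc)
    mkt = Session("alice", frozenset({"marketing"}), 2, "laptop-01", True, "203.0.113.5", t0)
    weak = Session("bob", frozenset({"finance"}), 1, "laptop-02", True, "203.0.113.6", t0)
    base = dict(ip="203.0.113.5", device_id="laptop-01", now=t0 + timedelta(minutes=1))
    cases = {
        "marketing_reads_campaigns": Request(mkt, "campaigns", "read", **base),
        "marketing_reads_ledger":    Request(mkt, "ledger", "read", **base),
        "ip_changed":    Request(mkt, "campaigns", "read", **{**base, "ip": "198.51.100.9"}),
        "stale_session": Request(mkt, "campaigns", "read",
                                 **{**base, "now": t0 + timedelta(minutes=16)}),
        "token_on_other_device": Request(mkt, "campaigns", "read",
                                         **{**base, "device_id": "kiosk"}),
        "single_factor_login": Request(weak, "ledger", "read", ip="203.0.113.6",
                                       device_id="laptop-02", now=t0),
    }
    return {name: (d.allow, d.reason, d.step_up)
            for name, d in ((n, evaluate(r)) for n, r in cases.items())}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} {result}")
```

The ordering of the checks is deliberate: identity strength and session age come first, then device binding and posture, then the weaker context signal, and only a request that survives all of them reaches the permission lookup, which itself denies by default. A real deployment would source the device posture from an endpoint management or EDR feed and the audit entries would go to a SIEM, but the decision logic is the same.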
By applying these principles to your business communication and collaboration systems, you can better protect your most valuable assets and achieve the standards mandated by the US government’s executive order.
Worldr brings zero trust security to your existing communications. Our solutions help you meet the demands of a constantly evolving regulatory landscape and adhere to new data protection laws. Get in touch today to request your demo.