Why Businesses Should Follow Government In Adopting Zero Trust Cybersecurity Strategies

The Office of Management and Budget (OMB) released this week their strategy to move the U.S. government toward a “zero trust” approach to cybersecurity.

According to a memo from the OMB, “A key tenet of a zero trust architecture is that no network is implicitly considered trusted—a principle that may be at odds with some agencies’ current approach to securing networks and associated systems. All traffic must be encrypted and authenticated as soon as practicable.”

The OMB said the new strategy, “… is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.

The strategy represents another step in implementing President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity, which focuses on advancing security measures that reduce the risk of successful cyber attacks against the federal digital infrastructure.

Critical In Protecting IT Systems
Michael Friedrich, vice president of secure access company Appgate Federal Group, said that, “Applying Zero Trust security principles [are] critical in protecting our nation’s IT systems, data and critical infrastructure.

“The White House’s Zero Trust architecture strategy’s detailed road map— with important requirements for encryption, multi-factor authentication, strong identity management, network segmentation and continuous, dynamic policy enforcement—is a significant step forward.

He noted that, “Cyberattacks are more frequent and damaging than ever before, and traditional, perimeter-based security models are no match for them. With the proliferation of digital technologies, and the shift to cloud computing and a remote workforce, it’s imperative that organizations in both the public and private sectors shift to a Zero Trust mindset centered on trusted identity vs. perimeter-based security.

“Doing so will help protect the U.S. government from many future cyberattacks because in a Zero Trust architecture, users and devices can only access resources they are authorized to see,” Friedrich predicted.

Other cybersecurity experts weighed in on why those in the private sector should implement their own zero trust strategies—if they have not done so already. The failure to implement such strategies could create cyber-related crisis situations for companies and organizations.

Companies Are Just As Vulnerable As The Government
Torsten Staab is the chief innovation officer for cyber, intelligence and services within the Raytheon Intelligence & Space Business and serves on the President’s National Security Telecommunications Advisory Committee. He said that, “Companies are just as vulnerable as the federal government when it comes [to] being the potential target for a cyber attack. Ransomware attacks, industrial espionage, and intellectual property theft are prime examples for why companies should also embrace and rapidly adopt a Zero Trust-based approach.

“While Zero Trust will not stop future cyber attacks, it will make it much harder for anyone, whether they are on the outside of a network trying to get in, or are already inside your network (commonly referred to as an insider threat), to mount a successful cyberattack.”

‘A Priority For All Enterprise Organizations’
Benny Czarny is the founder and CEO of OPSWAT, which provides zero-trust infrastructure protection services. He observed that, “After a series of high-profile cybersecurity incidents over the past years, such as SolarWinds, Microsoft Exchange, Colonial Pipeline, and others, both public and private sectors are coming to understand the importance of defending against targeted and sophisticated attacks—particularly in the critical infrastructure industry.

“The most recent National Security Memo and Federal Strategy are reminders that organizations – both public and private – have a responsibility to protect both IT and Operational Technology (OT) environments.

“Privately held organizations can be just as vulnerable as public and government entities and can become easy targets for cybercriminals if proper controls aren’t in place. Defending our nation’s critical infrastructure should be a priority for all enterprise organizations and understanding how to manage the protection of these environments should be a collaborative effort between both IT and OT security teams,” Czarny commented.

All Network Traffic Is A Potential Threat
Therese Schachner, a cybersecurity consultant at VPN Brains, observed that, “Zero Trust architectures treat all network traffic as a potential threat, following the principle [of] “never trust, always verify”.

“Companies and other organizations would benefit from following the U.S. government’s lead in adopting Zero Trust architectures. Many of these organizations have access to financial, medical, or other confidential data or provide essential operations and services on which consumers and the supply chain are heavily reliant, such as software and electric power.

“Zero Trust architectures help stave off cyberattacks to keep this data private and allow these essential networks to continue to function properly.”

‘A Long-Term Effort’
Tony Cole is a cybersecurity expert with more than 35 years’ experience and today is the Chief Technology Officer at Attivo Networks. He noted that, “Zero trust has been a model that’s been around for many years [and] quite frankly it’s high time every major enterprise gets on board with it.

“The concept of assuming you’re breached is really the kicker to change your entire model and detect attackers that sometimes [previously] had minimal effort…to move through a compromised enterprise.

“Zero Trust is certainly not a static thing, it’s a long-term effort and very dynamic journey requiring commitment across the company from the board to the help desk. At this point in time, many smaller companies will have a lot of challenges in attempting this journey, hopefully many of their managed services providers will help build a path for those less resourced to also be successful,” Cole concluded.

Source: Forbes