Zero Trust: A Holistic Approach
The President’s Office of Management and Budget (OMB) released M-22-09 last month, announcing it will require all federal agencies to move toward a Zero Trust Architecture (ZTA) by FY24.
BluVector has worked closely with large government agencies since our inception, and we’re encouraged to see clear direction toward a common cybersecurity strategy.
After more than a decade of offering our machine learning technology to secure our nation’s most sensitive data and helping to protect one of the largest and most advanced ISPs in the western world, we’d like to offer our perspective on Zero Trust as a holistic philosophy toward cybersecurity.
Trust nothing, verify everything is a time-tested principle that has been crucial to designing modern IT networks. It’s also a tall order and we invite agencies and large-scale enterprise organizations to view Zero Trust as a continuous journey, not an end state. We continue to recommend implementing a layered defense that increases visibility across the entire network and connected endpoints to analyze all data for any malicious code.
Perimeters aren’t what they used to be
Even though Zero Trust doesn’t mean Zero Perimeter – like it or not, as remote work becomes the new normal for more federal and civilian employees, we are moving away from the security of trusted networks. New identities and devices join our expanded networks daily, running new applications and pushing more data from unknown places. In this brave new world, it’s more important than ever for the cybersecurity teams protecting critical infrastructures to assume other users, systems and networks are already compromised. These practices have been adhered to by cybersecurity professionals from time immemorial and must not be forgotten as our industry adopts a new buzz word into our lexicon. The task of hardening these infrastructures against growing threats is paramount and all who undertake it should choose their approach early enough to ensure it aligns with their planned IT investment.
Encrypted doesn’t mean protected
Encrypted data can be deleted, accessed later in memory after it has been decrypted, re-encrypted, or stolen and saved for future decryption with more advanced technology. In a ZTA, it’s imperative to encrypt all network traffic in transit, both DNS and HTTP. But operating on an open network gives the adversary many vantage points to monitor your network traffic as well. And if they can gain access through a backdoor left open on a legacy system with pre-existing accounts, whether your DNS is encrypted or not is the least of your worries. In an IoT environment, securing all the endpoints you can won’t secure your system, but might simply create a false sense of security. Remember, every single point of failure has the potential to become target number one.
Finding the adversary already in the system
Some large technology ecosystems may be currently compromised with threats that can lie dormant for months, maybe years. Putting new locks on a compromised system won’t mitigate this threat, but instead may obscure it, further enabling entrenched bad actors.
Moving toward a ZTA must be phased in, networks swept clean and continuously monitored for malicious behavior while adopting new technology and processes to better protect systems that will be open to everything – any human error or patch delay will result in immediate vulnerability.
Considering the current threat environment addressed in this memo, we recommend building a layered cybersecurity defense in order to effectively institute Zero Trust principles across any large enterprise – especially those defending our nation’s vital institutions. This will require developing a high level of cybersecurity maturity across your entire organization, investing in technology that empowers your security team to hunt effectively while protecting them from alert fatigue, and adopting policies that will allow your broader workforce to operate safely in the Wild West of the open Internet.
BluVector provides advanced machine learning cybersecurity technology to commercial enterprise and government organizations. Our innovative AI empowers frontline professionals with the real time analytics required to secure the largest systems at scale.
Learn more about our philosophy of Zero Trust and understand how BluVector can be deployed to enhance your security stack. For more BluVector guidance on implementing ZeroTrust, read Implementing Zero Trust Principles at Scale by Scott Miserendino, Ph.D.