In recent months the White House has announced a new Federal strategy to adopt a Zero Trust approach to cybersecurity. One of the key aims is for the private sector to adapt to the continuously changing threat environment. This means that corporations must ensure their products are built and operate securely.
The paper also presents a social democratic public-private approach to address market failures (“cybersecurity requires more than government action”), calling on firms to partner with the Federal Government to foster a more secure cyberspace.
Of particular interest is the NIST 800-207 portion of the memorandum, where the aim is to help reduce the cyber risk posed by distributed workforces and data.
Zero Trust refers to an evolving set of cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources. To support this, a Zero Trust Architecture is required, in which Zero Trust principles are used to plan industrial and enterprise infrastructure and workflows.
Craig Mueller, of iboss, tells Digital Journal that achieving the aims of the memorandum will be challenging for many companies and that additional resources will be required to support the recommendations.
As Mueller explains: “Cloud Service Providers (CSPs) that cannot make all applications and resources private, including those in the cloud, will fail to reduce cyber risk and deliver on the Zero Trust model as outlined in the NIST Special Publication 800-207 mentioned in the memorandum.”
Therefore, to meet the aims, Mueller recommends: “Cloud Service Providers will require a containerized cloud architecture to ensure cloud applications become completely isolated and only accessible specifically to trusted users.”
Mueller sees cloud-based containerized architecture as critical for cybersecurity, with the aim of keeping organizations safe without impacting their productivity. Cloud-based containerized architecture packages software and its dependencies in an isolated unit (the ‘container’), which can run consistently in any environment.
Furthermore: “With a containerized architecture, the federal government can implement the goals of the memorandum and ultimately protect and isolate all resources, regardless of location, while granting access to those resources to trusted users working from anywhere.”