The Biden administration is releasing for public comment a draft version of its strategy for implementing “zero trust” principles across federal networks. The U.S. government sees zero-trust networking as key to its security overhaul of decades-old networks, and its new strategy will require a raft of actions to lock down software applications, limit users’ access to data and protect network traffic from prying eyes.
What does this approach mean for businesses and consumers? James Carder, Chief Security Officer at LogRhythm, has looked into the matter for Digital Journal.
Carder begins by considering the overall context for the approach from the White House: “This year has been a hotbed for cybersecurity hacks and breaches. Criminal organizations and nation-state threat actors continue to ramp up attacks on our government and critical infrastructure entities like we have seen with the Colonial Pipeline attack, SolarWinds, JBS, and the attacks on California and Florida water systems.”
Therefore the U.S. government’s response is understandable: “This call for public feedback follows the Biden administration’s executive order in May that called out a directive for federal government agencies to develop a plan to advance towards a Zero Trust architecture.”
In a sense, Carder says, this represents a paradigm shift: “Although agencies are still defining a more technical and specific process for implementation, this is a huge step in modernizing U.S. government security defenses and raising awareness to all federal, state, and local organizations to make security a top priority.”
So, what does the approach entail? Carder provides a working definition: “Zero Trust is based on the concept that threats exist inside — as well as outside — network boundaries. A Zero Trust security model questions whether users and devices can be trusted based on their location on the network.”
Carder expands on the advantages: “Zero Trust embeds comprehensive security monitoring in a coordinated manner throughout the entire infrastructure to focus specifically on protecting critical assets and data in real time. This data-centric security model assumes the concept of least privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are required for allowing or denying access. Government entities that adopt a Zero Trust security model into their infrastructures will protect resources and minimize data breaches when they happen.”
Carder adds to the benefits: “A Zero Trust architecture is an ideal way to thwart attacks against federal agencies and critical infrastructure by making them less like low-hanging fruit. However, as with anything, the implementation of a Zero Trust architecture takes time, investment, and can initially be a disruption to these organizations. The Cybersecurity and Infrastructure Security Agency is releasing a maturity model that provides a roadmap for federal agencies this week. A Zero Trust architecture can be applicable to federal agencies, critical infrastructure and the supply chains that support them.”
According to Carder, the moves by the U.S. government should be supported: “The Biden administration has already taken steps to address cybercrime by allocating funding to secure and improve government technology and security, and this latest call for feedback on its Zero Trust strategy shows that the federal government is extremely serious about working to ensure national security is preserved. We will continue to see a push from the U.S. government to create new regulations and strategies that protect our government entities and the general public.”