Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

Zero Trust or Bust?

Implementing a Zero Trust Model Represents a Dramatic Change and Requires a Well-planned Transition

Implementing a Zero Trust Model Represents a Dramatic Change and Requires a Well-planned Transition

The use of a Zero Trust model to minimize cyber risk exposure has returned to the spotlight after a report by the U.S. House of Representatives’ Committee on Oversight and Government Reform detailed the events leading up to the sweeping hack of the U.S. Office of Personnel Management (OPM). One of the report’s recommendations was for Federal information security efforts to move toward a Zero Trust model, in which users inside a network are treated as no more trustworthy than users outside a network. However, is this alternative approach really an effective measure to minimize cyber risk or does it just create new challenges?

In June 2015, the OPM, which is responsible for checking the backgrounds of a large majority of Federal government job applicants and contactors, revealed that 4.2 million personnel records of former and current Federal employees had been compromised. A month later, the true scope of the data breach came into focus when the agency reported that background investigation data for 21.5 million individuals as well as the fingerprint data for 5.6 million of them had been exfiltrated. This made the OPM breach one of the largest in government history.

The U.S. House of Representatives’ Committee on Oversight and Government Reform conducted a year-long investigation to identify the root cause of this massive data breach and produce recommendations that would allow OPM and other government entities to minimize their cyber risk exposure in the future.

According to the committee’s report, the OPM data breach can be attributed to a longstanding failure to implement basic cyber security measures (e.g., multi-factor authentication), botched usage of existing security tools to streamline the mitigation of the agency’s extensive vulnerabilities, and lack of applying new security methods to secure sensitive data. Ultimately, the committee outlined the following recommendations:

• Reprioritize Federal information security efforts toward Zero Trust.

• Ensure agency CIOs are empowered, accountable, and competent.

Advertisement. Scroll to continue reading.

• Reduce use of social security numbers by Federal agencies.

• Modernize existing legacy Federal information technology assets.

• Improve Federal recruitment, training, and retention of Federal cyber security specialists.

These recommendations as well as the continued number of almost daily reports of new data breaches make it abundantly clear that traditional, perimeter-centric security strategies are no longer effective. Instead, the committee’s report promotes the Zero Trust model as an alternative approach.

The Zero Trust model is not a new concept. It was first proposed a few years ago by Forrester Research in collaboration with the National Institute of Standards and Technology (NIST). Instead of using the traditional approach of “trust, but verify”, the Zero Trust model implements “never trust, always verify” as its guiding principle. With Zero Trust there is no default trust for any entity — including users, devices, applications, and packets. The Edward Snowden data leak is a good example for validating the Zero Trust model, since he was a privileged user that accessed otherwise compartmentalized network segments to exfiltrate sensitive data.

The Zero Trust model as propagated by Forrester Research is based on three main pillars:

1. Ensuring that all resources are accessed securely, regardless of location (in other words, there is no longer a trusted zone).

2. Applying a least privilege strategy, and strictly enforcing access control. In Zero Trust, all users are initially untrusted.

3. Inspecting and logging all traffic. Even traffic originating on the LAN is assumed to be suspicious, and is analyzed and logged just as if it came from the WAN.

These fundamentals are closely aligned with the newer NIST concept of Continuous Diagnostics and Mitigation, as it builds upon the concept of near real-time analysis of all transactions, be it on the network, application, database, or human layer. However, increasing the frequency of data collection and analysis, further exasperates the challenges associated with processing a huge volume, velocity, and complexity of data to identify imminent cyber risks.

As a result, implementing a Zero Trust model represents a dramatic change and requires a well-planned transition that should be complimented by efforts to operationalize cyber risk detection, prevention, and response. By doing so, the potential for Zero Trust to enhance enterprise security and thwart both insider and outsider cyber-attacks can be unlocked.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Risk Management

In this virtual summit, SecurityWeek brings together expert defenders to share best practices around reducing attack surfaces in modern computing.

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.