
Zero Trust or Bust?

Implementing a Zero Trust Model Represents a Dramatic Change and Requires a Well-planned Transition


The use of a Zero Trust model to minimize cyber risk exposure has returned to the spotlight after a report by the U.S. House of Representatives’ Committee on Oversight and Government Reform detailed the events leading up to the sweeping hack of the U.S. Office of Personnel Management (OPM). One of the report’s recommendations was for Federal information security efforts to move toward a Zero Trust model, in which users inside a network are treated as no more trustworthy than users outside a network. However, is this alternative approach really an effective measure to minimize cyber risk or does it just create new challenges?

In June 2015, the OPM, which is responsible for conducting background checks on the large majority of Federal government job applicants and contractors, revealed that 4.2 million personnel records of current and former Federal employees had been compromised. A month later, the true scope of the breach came into focus when the agency reported that background investigation data on 21.5 million individuals, including fingerprint data for 5.6 million of them, had been exfiltrated. This made the OPM breach one of the largest in government history.

The U.S. House of Representatives’ Committee on Oversight and Government Reform conducted a year-long investigation to identify the root cause of this massive data breach and produce recommendations that would allow OPM and other government entities to minimize their cyber risk exposure in the future.

According to the committee’s report, the OPM data breach can be attributed to a longstanding failure to implement basic cyber security measures (e.g., multi-factor authentication), a botched deployment of existing security tools that could have streamlined the mitigation of the agency’s extensive vulnerabilities, and a failure to apply newer security methods to protect sensitive data. Ultimately, the committee outlined the following recommendations:

• Reprioritize Federal information security efforts toward Zero Trust.

• Ensure agency CIOs are empowered, accountable, and competent.

• Reduce use of social security numbers by Federal agencies.


• Modernize existing legacy Federal information technology assets.

• Improve Federal recruitment, training, and retention of Federal cyber security specialists.

These recommendations, together with the near-daily reports of new data breaches, make it abundantly clear that traditional, perimeter-centric security strategies are no longer effective. Instead, the committee’s report promotes the Zero Trust model as an alternative approach.

The Zero Trust model is not a new concept. It was first proposed several years ago by Forrester Research in collaboration with the National Institute of Standards and Technology (NIST). Instead of the traditional “trust, but verify” approach, Zero Trust adopts “never trust, always verify” as its guiding principle: no entity, whether user, device, application, or packet, is trusted by default. The Edward Snowden data leak illustrates the case for the model. As a privileged user he was able to reach otherwise compartmentalized network segments and exfiltrate sensitive data, which is precisely the implicit, location-based trust that Zero Trust removes.

The Zero Trust model as promoted by Forrester Research is based on three main pillars:

1. Ensuring that all resources are accessed securely, regardless of location (in other words, there is no longer a trusted zone).

2. Applying a least privilege strategy, and strictly enforcing access control. In Zero Trust, all users are initially untrusted.

3. Inspecting and logging all traffic. Even traffic originating on the LAN is assumed to be suspicious, and is analyzed and logged just as if it came from the WAN.
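The three pillars above map directly onto a policy decision point that evaluates every request on the same terms regardless of the network it arrives from. The following Python block is an added example written for this page; it is not code from the article, from Forrester, or from NIST, and the role names, resource names, posture checks, address ranges and HMAC token format are assumptions made for illustration (a real deployment would verify tokens issued by an identity provider and posture attested by endpoint management). It places the perimeter rule (allow anything from the internal address range) beside a Zero Trust rule that demands a valid identity token bound to the presenting device, a healthy device posture, and an explicit role-to-resource grant, and it logs every decision, LAN-origin traffic included. Note that a privileged "sysadmin" token is still denied the HR segment, which is the Snowden scenario described above.

```python
"""Added example: a minimal Zero Trust policy decision point (PDP).

Every request is evaluated on the same terms regardless of origin:
  1. no trusted zone: the source IP is recorded but never used as a grant;
  2. least privilege: identity and device posture are proven per request and
     the role must be explicitly allowed for that specific resource;
  3. inspect and log everything: every decision, allow or deny, is recorded.
Role/resource names, posture checks and the HMAC token format are assumptions.
"""
import hashlib
import hmac
import ipaddress
import json
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_KEY = b"demo-signing-key"   # constructed demo secret, not a real deployment key
TOKEN_TTL = 300                    # seconds a token stays valid

# Least-privilege policy: role -> resources it may reach. "sysadmin" is
# deliberately NOT granted "hr-records": privilege on one segment does not
# carry over to another.
POLICY = {
    "hr-analyst": {"hr-records"},
    "sysadmin": {"build-server", "ci-logs"},
}
REQUIRED_POSTURE = {"disk_encrypted": True, "edr_running": True}


def mint_token(user: str, role: str, device_id: str, issued_at: Optional[int] = None) -> str:
    """Issue a demo HMAC-SHA256 token binding user, role and device to an issue time."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = json.dumps({"sub": user, "role": role, "dev": device_id, "iat": issued_at},
                         sort_keys=True)
    sig = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    payload, sep, sig = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if now - claims["iat"] > TOKEN_TTL:
        return None
    return claims


@dataclass
class Request:
    src_ip: str
    resource: str
    token: Optional[str] = None
    device_id: Optional[str] = None
    posture: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str


def perimeter_decide(req: Request) -> Decision:
    """The 'trust, but verify' model the article argues against: anything
    that originates inside 10.0.0.0/8 is implicitly trusted."""
    inside = ipaddress.ip_address(req.src_ip) in ipaddress.ip_network("10.0.0.0/8")
    return Decision(inside, "inside perimeter" if inside else "outside perimeter")


def zero_trust_decide(req: Request, log: list, now: Optional[int] = None) -> Decision:
    """Evaluate one request and append a structured log entry for every outcome."""
    def finish(allowed: bool, reason: str, claims: Optional[dict] = None) -> Decision:
        log.append({"src_ip": req.src_ip, "resource": req.resource,
                    "user": claims["sub"] if claims else None,
                    "allowed": allowed, "reason": reason})
        return Decision(allowed, reason)

    claims = verify_token(req.token, now) if req.token else None
    if claims is None:
        return finish(False, "no valid identity token")
    if claims["dev"] != req.device_id:
        return finish(False, "token not bound to presenting device", claims)
    for check, wanted in REQUIRED_POSTURE.items():
        if req.posture.get(check) != wanted:
            return finish(False, f"device posture check failed: {check}", claims)
    if req.resource not in POLICY.get(claims["role"], set()):
        return finish(False, "role not authorized for resource", claims)
    return finish(True, "valid identity, healthy device, least-privilege match", claims)


def demo() -> list:
    """Run the perimeter rule and the Zero Trust rule over three constructed requests."""
    log = []
    healthy = dict(REQUIRED_POSTURE)
    lan_anon = Request("10.1.2.3", "hr-records")             # on the LAN, no identity
    analyst = Request("203.0.113.5", "hr-records",           # off-site, fully verified
                      mint_token("alice", "hr-analyst", "laptop-1", 1000), "laptop-1", healthy)
    admin = Request("10.9.9.9", "hr-records",                # privileged, wrong segment
                    mint_token("bob", "sysadmin", "ws-9", 1000), "ws-9", healthy)
    results = [(perimeter_decide(r).allowed, zero_trust_decide(r, log, now=1100))
               for r in (lan_anon, analyst, admin)]
    for entry in log:            # pillar 3: LAN traffic is logged exactly like WAN traffic
        print(json.dumps(entry))
    return results


if __name__ == "__main__":
    for perimeter_ok, zt in demo():
        print("perimeter:", "allow" if perimeter_ok else "deny",
              "| zero trust:", "allow" if zt.allowed else "deny", "|", zt.reason)
```

Running the block shows the inversion the article describes: the perimeter rule admits the anonymous LAN request and the misdirected sysadmin while rejecting the fully verified remote analyst, whereas the Zero Trust rule does the opposite, and the log carries one entry per decision so that the denied LAN attempts are visible to detection rather than silently trusted.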

These fundamentals are closely aligned with the newer Continuous Diagnostics and Mitigation (CDM) program run by the U.S. Department of Homeland Security, which likewise builds on near real-time analysis of all transactions, whether at the network, application, database, or human layer. However, increasing the frequency of data collection and analysis further exacerbates the challenge of processing the huge volume, velocity, and complexity of data needed to identify imminent cyber risks.

As a result, implementing a Zero Trust model represents a dramatic change and requires a well-planned transition, complemented by efforts to operationalize cyber risk detection, prevention, and response. Only then can the potential of Zero Trust to enhance enterprise security and thwart both insider and outsider cyber-attacks be unlocked.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
