In response to a growing number of serious cyber threats and incidents, President Biden has issued an Executive Order (EO) regarding improving the nation’s cybersecurity. I don’t personally read a lot of EOs, but I read this one, and if you’re part of the cyber industry, you probably should too.
Given that you probably won’t, I’ll do some summarizing for you. There’s stuff about cooperation and standards, but I’d like to draw your attention to the EO’s requirements and perspective on Zero Trust. Here’s their definition of Zero Trust:
The term “Zero Trust Architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of server.
I have to admit a certain amount of Zero Trust fatigue. As an industry, we talk about Zero Trust a lot, and when I really dig into the definition, I feel like it’s not really that new or interesting. It’s really stuff we should have been doing all along - assigning minimum rights, reviewing rights, etc. On top of that, many manufacturers have spun Zero Trust to be their personal calling. Endpoint product? Simply say that we need to stop trusting endpoints. VPN? Stop trusting public Wi-Fi. And so on; just find the right thing to stop trusting.
Given that, why get excited about a new Zero Trust EO? Here’s why: For starters, an EO is going to get a lot of attention. First with government agencies, then with industries under federal audit like banking or utilities. Any company that’s selling to or servicing the government will also have to get on board. That’s a lot of companies. In fact, it’s probably a critical mass of companies when it comes to a new de facto standard.
Additionally, this definition of Zero Trust has some specific language that defines both controls and outcomes. Let me pull out a few key points to separate them from the marketing speak:
- Data-centric, least-privileged access, with controls around who, what, where, how and why.
- Containment, such that a breach of a user or device is limited to that user or device.
- Real-time monitoring of the above.
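To make the EO's "who, what, when, where, and how" and the three points above concrete, here is an added Python example (mine, not from the EO or any vendor) of a single access decision: no implicit trust in the device, least privilege per resource, context checks, and a log entry per decision for monitoring. The entitlements, the device-risk feed and the request values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class AccessRequest:
    user: str               # who
    role: str               # who (basis for entitlement)
    action: str             # what is being done
    resource: str           # what is being accessed
    when: datetime          # when
    device_id: str          # how (which device)
    device_compliant: bool  # how (device posture, as an MDM/EDR would report it)
    network: str            # where: "corp", "vpn" or "public"

# Constructed sample entitlements: resource -> role -> permitted actions (least privilege).
ENTITLEMENTS = {
    "payroll-db": {"hr-analyst": {"read"}, "hr-admin": {"read", "write"}},
    "wiki": {"hr-analyst": {"read", "write"}, "hr-admin": {"read", "write"}},
}
# Constructed real-time risk feed (what an EDR would supply): device_id -> compromised?
DEVICE_RISK = {"laptop-42": False, "laptop-77": True}
AUDIT_LOG = []  # every decision is recorded so monitoring can look for anomalies
T = datetime(2021, 5, 13, 10, 0)      # sample working-hours timestamp
NIGHT = datetime(2021, 5, 13, 22, 0)  # sample out-of-hours timestamp

def decide(req: AccessRequest):
    """Evaluate one request with no implicit trust; returns (allowed, reason)."""
    reasons = []
    # Containment: a compromised (or unknown) device gets nothing, whatever the user's rights.
    if DEVICE_RISK.get(req.device_id, True):
        reasons.append("device compromised or unknown")
    if not req.device_compliant:
        reasons.append("device out of compliance")
    # Least privilege: only the actions this role was explicitly granted on this resource.
    if req.action not in ENTITLEMENTS.get(req.resource, {}).get(req.role, set()):
        reasons.append(f"{req.role} not entitled to {req.action} on {req.resource}")
    # Context (where/when): writes only from managed networks during working hours.
    if req.action == "write" and req.network == "public":
        reasons.append("write from public network")
    if req.action == "write" and not 8 <= req.when.hour < 18:
        reasons.append("write outside working hours")
    allowed = not reasons
    AUDIT_LOG.append({"user": req.user, "device": req.device_id, "action": req.action,
                      "resource": req.resource, "allowed": allowed, "reasons": reasons})
    return allowed, "; ".join(reasons) or "all checks passed"

if __name__ == "__main__":
    print(decide(AccessRequest("ann", "hr-analyst", "read", "payroll-db", T, "laptop-42", True, "corp")))
    print(decide(AccessRequest("ann", "hr-analyst", "write", "payroll-db", T, "laptop-42", True, "corp")))
    print(decide(AccessRequest("bob", "hr-admin", "read", "wiki", T, "laptop-77", True, "corp")))
```

Note that the admin on the compromised laptop is denied even a read his role permits: the device's state, not the user's rights, decides.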
Shouldn’t be too hard, right?
Unfortunately, it is. Most companies continue to invest in identity programs and privileged access controls. Many are looking into ways to segment or micro-segment networks to control flows between computing resources. Some are trying to come to grips with rights escalation within Active Directory and finding it a very thorny problem to solve.
There’s a lifecycle to technology initiatives. They start small, often in a white paper or some academic publication. Then they get momentum and soon everyone is talking about them. At that point, the marketing people get hold of them and start to twist them to meet the needs of whatever they are selling. After a year or two of this, they often become meaningless. The terms Workspace or, more recently, SASE might be good examples. Zero Trust was heading down that road in my opinion. Mr. Biden may have just saved it.