Zero Trust is the new silver bullet in cybersecurity. Well, not really, but many people are treating it that way. It is, however, an important positive step, and everyone should be looking into how they can implement it in their organization.
The DoD is about to open an office dedicated to implementing zero trust. It will have its own senior-level executive and will get help from DoD’s CIO, Kelly Fletcher.
Whether this is in direct response to SolarWinds or not, it is certainly the right time.
For DoD, and likely for you, the plan is to review and prioritize systems and networks and then map out how to get all of them into a zero trust world. In the case of DoD, that means over the next 5-7 years. That is an insanely long time, even for an organization like DoD, but hopefully all sensitive systems will get priority and will be done much sooner than that.
Zero trust means don’t assume trust, always verify; even from a device that was verified some time in the past. It also means implementing least privilege and definitely removing admin permissions. If someone needs admin permissions, you should provision that in real time, just for as long as that permission is needed. That might mean just for a minute or two.
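To make the two rules above concrete, here is an added sketch (not from the original article or any DoD system) of an access broker that re-checks device verification on every request and hands out admin rights only as short-lived grants. The class name, the action names and the 5-minute device freshness window are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

DEVICE_MAX_AGE = 300  # assumed: a device check older than 5 minutes is stale
ADMIN_ACTIONS = {"create_user", "change_firewall"}  # hypothetical action names

@dataclass
class AccessBroker:
    device_verified_at: dict = field(default_factory=dict)  # device -> time
    admin_grants: dict = field(default_factory=dict)        # user -> expiry

    def verify_device(self, device_id, now):
        """Record a successful posture check for this device."""
        self.device_verified_at[device_id] = now

    def grant_admin(self, user, ttl_seconds, now):
        """Just-in-time elevation: admin rights that expire on their own."""
        self.admin_grants[user] = now + ttl_seconds

    def authorize(self, user, device_id, action, now):
        """Decide every request afresh; nothing is trusted from earlier calls."""
        verified = self.device_verified_at.get(device_id)
        if verified is None or now - verified > DEVICE_MAX_AGE:
            return (False, "device must be re-verified")
        if action in ADMIN_ACTIONS:
            expiry = self.admin_grants.get(user)
            if expiry is None or now >= expiry:
                self.admin_grants.pop(user, None)  # drop the expired grant
                return (False, "no active admin grant")
        return (True, "allowed")

def demo():
    """Constructed timeline (seconds) for one user on one laptop."""
    b = AccessBroker()
    b.verify_device("laptop-1", now=0)
    out = [b.authorize("alice", "laptop-1", "read_report", now=10)]
    out.append(b.authorize("alice", "laptop-1", "create_user", now=10))
    b.grant_admin("alice", ttl_seconds=120, now=20)  # two-minute elevation
    out.append(b.authorize("alice", "laptop-1", "create_user", now=60))
    out.append(b.authorize("alice", "laptop-1", "create_user", now=141))
    out.append(b.authorize("alice", "laptop-1", "read_report", now=400))
    return out

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The last two decisions are the point: the admin grant lapses without anyone revoking it, and a device that was verified earlier is refused once that check has aged out.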
DoD is likely to actually move forward on this sooner than the other executive branch agencies since they have already started.
The recent Cyber EO requires that agencies prioritize the adoption of zero trust. Whether this would have stopped SolarWinds or not – I think not – it should dramatically slow down the hackers’ movement inside the network once they got in.
The Cyber EO is not magic. The government has underfunded IT and information security for decades and you cannot fix that overnight.
For many private sector companies, the same is true. Underfunded and cannot be instantly fixed.
But, if you don’t start, you will never get there.
Now is a good time to start. Credit: Data Breach Today