Tag Archives: Zero trust

Implementing Zero Trust - Hopefully You Will Beat DoD’s Pace

Zero Trust is the new silver bullet in cybersecurity. Well, not really, but many people are treating it that way. However, it is an important positive step and everyone should be looking into how they can implement it in their organization.

The DoD is about to open an office dedicated to implementing zero trust. It will have its own senior-level executive and will get help from DoD’s CIO, Kelly Fletcher.

Whether this is in direct response to SolarWinds or not, it is certainly the right time.

DoD plans to review and prioritize its systems and networks and create a plan to get all of them into a zero trust world, and you will likely need to do the same. In the case of DoD, that means over the next 5-7 years. That is an insanely long time, even for an organization like DoD, but hopefully all sensitive systems will get priority and will be done much sooner than that.

Zero trust means don’t assume trust, always verify; even from a device that was verified some time in the past. It also means implementing least privilege and definitely removing admin permissions. If someone needs admin permissions, you should provision that in real time, just for as long as that permission is needed. That might mean just for a minute or two.
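
A minimal sketch of the two ideas above, re-verifying on every request and granting admin only for a short window, as an added example that is not from the original post. The `PolicyEngine` class, the 5-minute posture freshness limit and the 120-second grant are assumptions chosen for illustration; approving the elevation itself (MFA, ticket, approver) is left out.

```python
from dataclasses import dataclass, field

@dataclass
class Grant:
    user: str
    role: str
    expires_at: float  # epoch seconds

@dataclass
class PolicyEngine:
    # Assumed limit: a device check older than 5 minutes no longer counts.
    max_posture_age: float = 300.0
    grants: list = field(default_factory=list)

    def elevate(self, user, role, now, ttl=120.0):
        """Grant a role for ttl seconds only (just-in-time, never standing)."""
        grant = Grant(user, role, now + ttl)
        self.grants.append(grant)
        return grant

    def has_role(self, user, role, now):
        # Expired grants are purged on every check, so privilege cannot linger.
        self.grants = [g for g in self.grants if g.expires_at > now]
        return any(g.user == user and g.role == role for g in self.grants)

    def authorize(self, user, action, device_checked_at, device_healthy, now):
        """Evaluate each request from scratch; nothing is cached as 'trusted'."""
        if not device_healthy:
            return (False, "device failed posture check")
        if now - device_checked_at > self.max_posture_age:
            return (False, "device posture stale, re-verify")
        if action.startswith("admin:") and not self.has_role(user, "admin", now):
            return (False, "no active admin grant")
        return (True, "ok")

def demo():
    pe = PolicyEngine()
    t0 = 1_000_000.0  # constructed timestamp, not real data
    results = [pe.authorize("alice", "admin:restart", t0, True, t0)]  # no grant yet
    pe.elevate("alice", "admin", t0, ttl=120)
    # Inside the 2-minute window the admin action is allowed.
    results.append(pe.authorize("alice", "admin:restart", t0, True, t0 + 60))
    # One second past expiry the grant is gone, even with a fresh device check.
    results.append(pe.authorize("alice", "admin:restart", t0 + 100, True, t0 + 121))
    # A device verified 400 s ago is refused even for a non-admin action.
    results.append(pe.authorize("alice", "read:wiki", t0, True, t0 + 400))
    return results

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```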

DoD is likely to actually move forward on this sooner than the other executive branch agencies since they have already started.

The recent Cyber EO requires that agencies prioritize the adoption of zero trust. Whether this would have stopped SolarWinds or not – I think not – it should dramatically slow down the hackers’ movement inside the network once they got in.

The Cyber EO is not magic. The government has underfunded IT and information security for decades and you cannot fix that overnight.

For many private sector companies, the same is true. They are underfunded, and that cannot be instantly fixed.

But, if you don’t start, you will never get there.

Now is a good time to start.

Credit: Data Breach Today

What the Heck is ‘Zero Trust’ Anyway?

If you read the security news or talk to security vendors, the buzzword of the year is ZERO TRUST. Many vendors tell you that they have the zero trust answer. The reality is a lot more complex.

Zero trust is not a product or even a family of products. It is not a platform. It is really a strategy built around one concept: “never trust, always verify.”

Vendors and their products are certainly a component of zero trust, but not a silver bullet.

Still, zero trust is a good idea and you should begin to understand it if you do not already.

One challenge with the traditional security strategy of “moat and drawbridge” is that the strategy worked reasonably well when you knew where the castle was. But today, there is no castle as people are everywhere and so are servers and services. Zero trust is designed to be flexible.

Zero trust is a journey. It requires education and research and even I can’t explain it in a blog post. Here are some things to consider in the zero trust journey.

  • Assessing your existing security program’s Zero Trust maturity (people, skills, technology, capabilities, etc.). This includes understanding how people are doing their jobs and how existing business processes are done today, mapping existing technology capabilities, and understanding gaps. 
  • Mapping the output of this maturity assessment to the ZTX framework to understand what pillars you are strong in and which ones are lacking, specifically the capabilities in which you need to improve. 
  • Considering tools and technology to address the areas where you’re lacking and integrating Zero Trust implementation into existing business, IT, and security projects. 

Here is a tutorial on zero trust.

Credit: Forrester