Times are changing, and we no longer rely on the “traditional way” of doing things, especially in technology. When was the last time you saved important numbers in a phone book or stored documents in physical folders? We bet it has all transitioned over to your mobile phone or another type of cloud storage. We now rely heavily on the cloud to keep our data secure. However, this time, the traditional desktop is no longer the only powerhouse of the network. Phones, tablets, thin/zero clients, and laptops are the new kids on the block, augmented by desktops. They are keeping data accessible while creating new pathways that make it vulnerable.
Yesteryear, a secured perimeter was the chosen method. I like to refer to it as the ‘Tootsie Pop’ security method: it is hard on the outside but gooey in the middle. We basically trusted everyone that was within the perimeter, or at least that is how our legacy networks were built; this can also be referred to as the ‘Castle and Moat’ approach. Network protection has always been important, but as time has changed, so has our protection method. Access to all information within the perimeter has become just as detrimental as all outside threats. Some of the largest security exploits have been within the boundaries of organizations’ networks. This is why ‘Zero Trust’ has come to the forefront as many shift their focus in cybersecurity.
One way to compare the traditional security model and Zero Trust is to think of a multiplex movie theater. The theater shows different movies (think of these as data) in different formats: regular, Imax, etc. In the traditional model, you visit a theater and buy a ticket so that you may enter the lobby. You now have full access to the theater, such as restrooms and concessions. You can basically walk into any of the theaters. Why? There are no ushers to enforce who can go in or out at each theater entry. Therefore, one could watch multiple movies while only paying one fee. Once in the theater, there is still no checkpoint as to what movie guests are attending, nor if they are in the right spot for that movie. Guests are authenticated once, at the front door, because they bought a ticket, and that single check allows access to multiple data sources (movies) without any additional review. Again, think of the movie itself as the data.
Now, in a Zero Trust environment, you still buy a movie ticket and scan it at the door. As a result, you still have access to the general areas. However, when you go to the various theater rooms, someone will check your ticket again to ensure you are allowed into that specific room. But that is not where it stops; once guests are granted access, an usher comes and verifies that everyone is allowed in by doing a thorough review: whether the lights are at the proper level, whether exit signs are lit, whether the projector is working, whether everyone is in the correct seats, and so on. All these factors together now calculate a confidence or risk level. If these factors are all at an adequate level, everyone can continue watching the movie without issue. If there are risks, the theater will prompt an action (trigger a policy) to ensure guests are safe and movies are not compromised in the process.
There are many checks, balances, and risk factors to consider in an environment that implements Zero Trust. Now think of the above scenarios, traditional vs. Zero Trust, as your network’s environment with a malicious actor in it. In the traditional scenario, a malicious actor would have a much easier time gaining persistence and moving throughout the network (or, in this case, the theater) while gaining access to multiple data sources than in the Zero Trust scenario.
Reducing risks with Zero Trust
Having access to a network with wireless options provides new functionality that was not available prior to the Covid-19 pandemic. Unfortunately, this new functionality comes at a cost.
Zero Trust is the strategy every organization should implement. With its ability to impact and adapt to changes in technology, the method considers how users interact with their data and secures that data so that the right data reaches the right people at the right time. It protects what matters most: the identities and the data. When we talk about identities, don’t just think of them as humans; they can also be other systems or IoT (Internet of Things) devices.
When thinking of Zero Trust, I always refer to these principles:
- Trust No One
  - Know your people and your devices
  - Validate identity at every step
- Design systems assuming they are all compromised
  - Distrust everything, so when a breach happens, you are as protected as you can be
- Use Dynamic Access Controls
  - Access to services must be authenticated, authorized, and encrypted at all times and can be revoked during a session
- Constantly evaluate risk
  - Include context in risk decisions
  - Monitor and log in every location possible
  - Aggregate log, system, and user data
- Right size protections
  - Invest in defenses based on the classification of data
  - Spend more money defending the systems at greater risk
The Zero Trust model identifies all communications as untrustworthy and recognizes that the system can be breached at any time. Its foundation is built on enforcing the need for:
- Strong identities
- Authentication
- Trusted endpoints
- Network segmentation
- Access controls
- Data Segmentation
- User and system attribution to protect and regulate access to sensitive data and systems
- And most important, understanding the data you are trying to secure
To be 100% secure against all attacks is unrealistic, but the Zero Trust mindset implies that the network’s security should be analyzed internally and externally.
With most organizations being supported by remote work, there are now different risks. The transfer of information can be compromised if the right steps are not enforced. An organization can customize its security risk with gateways, allowing or revoking access based on individuals’ work requirements. Step-up challenges verify an already-in-place two-factor authentication when support has been breached. Innovative access and authentication policies immediately suggest additional verification.
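The per-request evaluation described above (authenticate, authorize, weigh context against the data's classification, then allow, step up, or revoke) can be sketched as a small policy decision function. This is an added example, not code from the article; the signal names, weights, thresholds, and the `Request` fields are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed weights and thresholds: assumptions for illustration, not recommendations.
WEIGHTS = {"device_unmanaged": 40, "new_location": 25, "mfa_stale": 20, "off_hours": 10}
RISK_LIMIT = {"public": 80, "internal": 50, "restricted": 20}  # tolerated risk per data class
STEP_UP_MARGIN = 30  # overshoot that a fresh second-factor challenge may still cover

@dataclass(frozen=True)
class Request:
    identity: str            # human, service or IoT device
    authenticated: bool
    encrypted: bool
    entitlements: frozenset  # resources this identity needs for its work
    resource: str
    classification: str      # key of RISK_LIMIT
    signals: frozenset = frozenset()  # context observed for this request

def risk_score(signals):
    """Sum signal weights; an unrecognized signal is scored high (fail closed)."""
    return sum(WEIGHTS.get(s, 50) for s in signals)

def decide(req):
    """Evaluate one request. Called on every access, so a session can be revoked."""
    if not (req.authenticated and req.encrypted):
        return "deny", "unauthenticated or unencrypted"
    if req.resource not in req.entitlements:
        return "deny", "not authorized for resource"
    limit = RISK_LIMIT.get(req.classification)
    if limit is None:
        return "deny", "data is unclassified"
    score = risk_score(req.signals)
    if score <= limit:
        return "allow", f"risk {score} within {limit}"
    if score <= limit + STEP_UP_MARGIN:
        return "step_up", f"risk {score} over {limit}"
    return "deny", f"risk {score} too high for {req.classification}"

def replay_session():
    """Same identity and resource, three requests, context degrading each time."""
    base = Request("alice", True, True, frozenset({"payroll-db"}), "payroll-db", "restricted")
    steps = [base,
             replace(base, signals=frozenset({"new_location"})),
             replace(base, signals=frozenset({"new_location", "device_unmanaged"}))]
    return [decide(r)[0] for r in steps]

if __name__ == "__main__":
    print(replay_session())  # ['allow', 'step_up', 'deny']
```

Because the decision is recomputed for each request rather than cached at login, the third request in the replay is denied even though the session began as allowed.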
We have only scratched the surface of Zero Trust in this article, and there are certainly different nuances and thoughts on the subject. They are not all wrong, but the more we collaborate and share our thoughts, the better we move toward effective cybersecurity implementations. Good luck on your journey!