In a year full of high-profile cyberattacks, it should come as no surprise that the zero trust cybersecurity approach has become the standard across both the private and public sectors.
The recent cybersecurity-focused executive order from the Biden Administration expressly advocates for embracing the zero trust model in the government, saying, “the federal government must adopt security best practices and advance toward a Zero Trust Architecture.”
The executive order directs the heads of all government agencies to begin putting a plan on paper to move towards the zero trust model, setting the stage for the adoption of zero trust across the government. But what exactly is zero trust? Why is it necessary? And what steps can agencies take to help them embrace this new cybersecurity model?
Jason Keenaghan, a Strategy Leader for Zero Trust at IBM, recently spoke with the GovCyberHub to answer these and other zero trust questions. Keenaghan, who specializes in IBM Security, talked through what zero trust cybersecurity means to IBM and shared his advice for agencies that are just starting on their zero trust journey.
GovCyberHub: What role does zero trust play in modern cybersecurity? Why has it become the new standard?
Jason Keenaghan: Zero trust cybersecurity is an ideal architecture for securing modern business. The rapid adoption of the cloud has given rise to the hybrid business. Not only are your people logging in from different devices and multiple locations, but your data also lives everywhere and must be shared with applications hosted in different environments. Securing this hybrid business requires a granular approach – one that validates the access needs of users, devices, and applications.
A zero trust approach offers a framework for security that insulates your most important data by assuming breaches and enforcing validation of every connection into – and throughout – the organization.
GovCyberHub: What are the pros and cons of zero trust? What should users know if they are concerned about a potential trade-off between security and efficiency?
Jason Keenaghan: The advantage of zero trust is that – done well – it provides a much more comprehensive approach to cybersecurity. Combining security information offers much more visibility into threats and their impact, as well as the context to make better decisions. This actually makes security more effective and efficient.
The challenge with zero trust is simply the complexity of such a broad strategy. It requires collaboration between different security teams within the business. This is not something many companies are doing.
Most organizations are still operating in a siloed approach to security. Identity teams handle identity issues. Data teams focus on data security. Your SOC is focused on threat investigation and incident response. Every team has their own priorities, budget, and approach.
GovCyberHub: Is zero trust cybersecurity here to stay? What should business leaders know before deciding to update?
Jason Keenaghan: Yes, I believe so. While the ‘buzzy’ term zero trust may eventually go away, the concept is absolutely the right approach for cybersecurity.
Business leaders are actively evaluating this concept now. But they have to answer multiple, important “how” questions. How do we start implementing this most effectively? How can we put zero trust in place in a way that benefits our organization the most?
GovCyberHub: With the ongoing remote work shift, are there any specific challenges facing businesses that zero trust can help alleviate?
Jason Keenaghan: The move to remote, or even hybrid, is a key use case for zero trust. With users logging in from home, there are a number of challenges that make zero trust the best approach to security. Not only do you have different devices logging in from multiple networks, but you also have a set of users that have ‘let their guard down’ and may not always operate with a security mindset. They might click into websites they shouldn’t or bypass security controls they wouldn’t if they were in the office.
In this case, zero trust validates the user’s security posture at every step. Are they logging in from a device that is up to date? Is the device compromised? Does the user need to access certain data on that device? Is the network they are using to access corporate resources correctly?
GovCyberHub: How disruptive is adopting zero trust? Will businesses, organizations, or government agencies have to fundamentally change how they operate their cybersecurity?
Jason Keenaghan: Zero trust can be disruptive, as it’s a change in the way security teams operate. As I said above, many security teams still operate in silos, with different priorities and budgets. A zero trust approach requires these teams to share data between themselves to get a more comprehensive view of security.
That said, it doesn’t have to be overwhelming. Organizations – whether business or government agencies – can look at what their most important business goals are and prioritize implementing a zero trust approach specific to that goal. This makes it easier for security teams to tackle a big change like zero trust. They can show value and metrics based on how they’ve implemented a significant security strategy in a way the organization understands.
GovCyberHub: With several high-profile cyberattacks recently disrupting supply chains throughout the country, what can zero trust cybersecurity do to help prevent and mitigate future disruptions?
Jason Keenaghan: A zero trust approach helps to minimize damage in the event of a cyberattack. If you’ve segmented your network and validated users, devices, and application access to data, you’ve insulated what’s most important.
In the event of a supply chain attack, you can take a targeted approach to shutting down problem areas, stopping attacks from spreading – while still keeping the rest of the supply chain operating.
GovCyberHub: How can IBM services and technologies help government agencies make the shift towards a zero trust architecture?
Jason Keenaghan: As organizations look to implement a zero trust cybersecurity approach, IBM can help with a combination of expertise and a suite of product, service, and partner offerings. Our approach doesn’t require organizations to adopt only IBM products and offerings. Rather, we can ‘meet you where you are,’ providing advice and counsel based on the capabilities you’ve already implemented and the goals you want to achieve.
Our Zero Trust Framing and Discovery Workshop pulls together the security and business leaders across your organization to share the capabilities in place and desired outcomes. From there, we work with your combined team to create a security strategy – based on zero trust – specifically tailored to your organization’s priorities.
Our approach to zero trust centers around four business initiatives that we see most often from customers and partners. The first is protecting the hybrid cloud, which has become far more widely used in the ongoing digital transformation. This transition also requires the second initiative, securing the remote and hybrid workforce. With more employees working remotely and clients accessing programs remotely, there is an increased need to preserve customer privacy, which is the third initiative. Finally, the fourth initiative is to reduce the risk of insider threats, something which zero trust is uniquely qualified to do.
With each of these initiatives, there is a set of core capabilities that are necessary to make zero trust a reality.