By releasing last May’s “Executive Order on Improving the Nation’s Cybersecurity,” which directed every federal agency to put a written plan for adopting a zero trust approach to cybersecurity on paper, the Biden Administration effectively signaled that zero trust is no longer a buzzword, but rather a foundational element of modern government IT cybersecurity. And not a second too soon.
With hybrid work changing the nature of networks and inflating the number of endpoints accessing government systems and data, and with a seemingly endless stream of cyberattacks on government agencies, the push for “mature zero trust” is both understandable and essential. But what does that mean for organizations and agencies looking to embrace it?
To help unpack how zero trust has evolved over the last few years, GovCyberHub reached out to Andrew Green, Senior Sales Engineer at NETSCOUT. Green’s experience in the industry provides him with the insight to properly explain just how important the zero trust model has become, and how agencies can best empower it using network visibility.
GovCybersecurityHub (GCH): Zero trust has gained a lot of mainstream approval lately from the highest level of government, why has it become so important lately? Has there been a fundamental change in the approach? Are people just recognizing its utility?
Andrew Green: Zero trust is absolutely becoming more important, and that is largely because of its effectiveness. It’s a shift in the way of thinking about security from what was the existing paradigm of a strong perimeter defense with a soft, squishy middle, to something much more resilient to intrusion at all points in the network.
That former system has been the security architecture for services-based companies, enterprises, as well as governments for a long time, and for good reason. All these organizations utilized firewalls to put up a perimeter and block all outside things from coming into the network. This is still common, and it basically still exists everywhere since it provides an effective first layer of security.
“You cannot rely on old designs and solutions. This is where zero trust comes into play. It is a rethinking of how we approach security that is not tied down to a monolithic design.” – Andrew Green
But the problem has been that over the years, attackers have developed more ingenious ways of getting around that strong perimeter. It’s still important to have a perimeter, but the reality is that it can’t be relied on as the only or the highest or most significant means of protecting the environment.
And so, the idea sort of comes from this notion that you can’t just keep building perimeter firewalls across the network. You can’t build security stacks that do all these enforcement and monitoring tools that you would normally have at the edge; you can’t roll that across your entire existing infrastructure. So that leads us to the important part of the question: how does an organization establish a stronger security posture today?
The short answer is that you cannot rely on old designs and solutions. This is where zero trust comes into play. It is a rethinking of how we approach security that is not tied down to a monolithic design. Instead of one strong perimeter with a weak center, we have a series of microperimeters; we break services down and group them in a very granular way to better track and understand who is where in the network and what they are requesting from it.
“Zero trust is becoming more important because it solves a lot of problems that we’re facing and because it has a pretty good track record of keeping the bad guys out.” – Andrew Green
A zero trust model can look a lot of different ways in this system. It can be forced encryption in areas that we know are going to be used for secure data storage. It could look like using authentication methods for enforcing proper users and user access codes through the system. We’d still do network-based filtering, but we would do it at a more granular level between single hosts or small groups of hosts.
All this is to say, zero trust is about taking the tech that we already have and implementing it in a way to improve the overall security posture and to diminish the over-reliance on the older one-perimeter paradigm. Instead, we bring in a system that emphasizes the individual strength of each security component. Zero trust is becoming more important because it solves a lot of problems that we’re facing and because it has a pretty good track record of keeping the bad guys out.
GCH: What is the driving force behind the public and private sectors embracing zero trust? Is it tied to recent cyberattacks? Hybrid work?
Andrew Green: Well, it’s a bit of both, but the driving force is that transition to hybrid work and us all gaining a better idea of what security looks like for it. When we think about a hybrid workforce, we must ask how work was done before the pandemic. What did the office look like? How did it function relative to everyone’s jobs? Were there any existing remote jobs? As organizations approached their transition, they’ve learned it’s doable, but security looks way different from what they had in the past.
“As more services need to be available on more easily compromised networks, zero trust becomes that much more important.” – Andrew Green
This is where I would say the largest challenge comes from when trying to secure a hybrid workplace. In the old system, remote hardware would just access a VPN or something similar, and once through that single perimeter, it was treated as being just as present as an in-person computer. What that means is that users can connect to a network from an untrusted and potentially compromised device. This means two things: first, cyberattacks can attempt intrusions from a wider array of devices; and second, you cannot effectively enforce a perimeter in this system.
This realization is what has driven the idea of zero trust recently. You want to have stronger user-based enforcement, maybe dual-factor authentication, things like that, to really make a meaningful cybersecurity plan. So as more services need to be available on more easily compromised networks, zero trust becomes that much more important. It is the most effective and readily available mechanism we have today for facilitating a secure hybrid work environment.
“Zero trust removes a lot of risk in many scenarios, but it relies on network visibility to do it.” – Andrew Green
One more thing I want to add about hybrid work is the importance of network visibility, or rather, the potential issues when an organization doesn’t prioritize visibility. Remote desktops open secure networks to the homes of the employees, which could be a mix of IoT devices. Computers, smart TVs, you name it, right? Any one of those devices could potentially be compromised through something like an email your kid opens by accident. Without knowing what devices are where and how they interact with the network, cybersecurity becomes just that much harder to implement. Zero trust removes a lot of risk in that scenario, but it relies on network visibility to do it.
GCH: For agencies and organizations that hear all this, and say, “Okay, I am ready to get serious about zero trust,” what does that process look like for them? More specifically, is it possible to integrate zero trust into an existing system? Or is it a ground-up start from scratch?
Andrew Green: Zero trust is a philosophical rethinking of how cybersecurity works and how to handle the security environment. In a sense, the answer depends on how detailed your current cybersecurity paradigm is when you start.
“In many cases, zero trust can be identified and designed to, at least partially, work on existing infrastructures, but again, it’s a shift in philosophy.” – Andrew Green
Most good-quality cybersecurity paradigms have the initial mapping of the network done; they’ve audited all the services and systems on the network and understand what’s where and how it all interacts with normal business function. The next step is to do that for everything in the system. Called the discovery phase, this is when you really must take a long, detailed, and meaningful look at what’s going on in your network. This is that visibility that I referred to earlier.
A proper zero trust model has a visibility component which underscores its foundational importance to the approach. In other words, it’s your eyes, it’s the thing you will use to identify breaches or to identify users. It’s the most important part of detection of any kind and is crucial to effectively implement zero trust.
So, to answer the question, it’s hard to say for sure. Ideally, organizations build zero trust on top of the infrastructure that they already have as much as they can, and then migrate services that aren’t compatible with zero trust to some sort of additional tooling to make it all work. In many cases, zero trust can be identified and designed to, at least partially, work on existing infrastructures, but again, as I said in the beginning, it’s a shift in philosophy. That might be the hard part that a lot of organizations are struggling with embracing as they look to make that transition. The good news is that there are security partners like NETSCOUT who understand how to approach the process, and that can make everything that much easier.