As the U.S. Department of Defense (DoD) continues to transition and adopt zero trust cybersecurity frameworks for its IT networks and infrastructure, the Department is also urging all of its disparate agencies and organizations to follow suit. But before DoD organizations can begin moving to a zero trust architecture, they’re going to need help identifying and prioritizing their most critical assets.
To accomplish this task, they will need a trusted automation partner for STIG and CIS controls, because zero trust can only be truly effective when it operates on a continually secure baseline. All of this takes a lot of time, expertise, and money, which can be offset through automation.
First, let’s get a handle on zero trust.
Zero trust grants no implicit trust to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned). Traditional perimeter security models build walls between trusted and untrusted sources. The firewall between your local network and the internet is an example. Zero trust models, in contrast, basically posit that bad guys are everywhere, so you should trust no network, no user, and no location when it comes to accessing your data.
A zero trust network is built upon five fundamental assertions:
- The network is always assumed to be hostile
- External and internal threats exist on the network at all times
- Network locality is not sufficient for deciding trust in a network
- Every device, user, and network flow is authenticated and authorized
- Policies must be dynamic and calculated from as many sources of data as possible
The zero trust approach builds in multiple layers of secure access to limit the breadth of any breaches that may occur. Then, with the continuous auditing required by STIGs (Security Technical Implementation Guides), you can spot bad actors before they have a chance to do harm.
Now let’s understand zero trust’s partnership with STIGs.
A key aspect of zero trust involves auditing to ensure that users with allowed log-in access are doing what they are supposed to be doing, when they are supposed to be doing it. Devices must have certain cyber hygiene measures in place, such as antivirus software, before they are allowed to join the network. STIG controls help capture both unauthorized access attempts and successful unauthorized access, making 24/7 monitoring a must.
This level of auditing helps to deter inside threats, provides knowledge as to who is attempting to gain access, and identifies patterns to enable the tracking down of a malicious source.
In addition to simplifying auditing, STIGs can block hackers at many avenues of approach. For example, the STIGs for firewalls shut down nearly any port that the client does not use regularly, and operating system STIGs restrict server access to defined users. They go even further by restricting access in general for privileged groups, like the domain admins. STIGs also remove guest accounts and ask that users not share logins. All these steps verify who is supposed to have access to the machines and work to keep it that way.
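The controls listed above (unused ports closed, server access limited to defined users, privileged groups restricted, guest accounts removed) are only useful under zero trust if they are checked continuously, so that drift from the secure baseline is caught between audits. The following is an added illustration of that idea, not SteelCloud's ConfigOS or any DISA tool: a small baseline-drift checker that compares two constructed host snapshots against a constructed baseline and reports which findings were remediated, which persist, and which are new. All hostnames, accounts and port numbers are made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Hardening baseline a host must keep satisfying (constructed for the example)."""
    allowed_ports: frozenset       # only these ports may be listening
    defined_users: frozenset       # the only local accounts permitted
    privileged_members: frozenset  # the only members allowed in the admin group
    forbidden_accounts: frozenset  # guest-style accounts that must not be enabled


@dataclass(frozen=True)
class HostSnapshot:
    """What one audit run observed on one host at one point in time."""
    hostname: str
    listening_ports: frozenset
    local_users: frozenset
    privileged_group_members: frozenset
    enabled_accounts: frozenset


def check_host(host: HostSnapshot, baseline: Baseline) -> list:
    """Return one finding string per control the host currently violates."""
    findings = []
    # Firewall-style control: anything listening outside the allowlist is a finding.
    for port in sorted(host.listening_ports - baseline.allowed_ports):
        findings.append(f"{host.hostname}: port {port} is listening but is not on the baseline allowlist")
    # OS-style control: only defined users may exist on the server.
    for user in sorted(host.local_users - baseline.defined_users):
        findings.append(f"{host.hostname}: local account '{user}' is not a defined user")
    # Privileged-group control: admin membership is limited to the baseline set.
    for member in sorted(host.privileged_group_members - baseline.privileged_members):
        findings.append(f"{host.hostname}: '{member}' holds privileged group membership outside the baseline")
    # Guest-account control: guest-type accounts must not be enabled at all.
    for acct in sorted(host.enabled_accounts & baseline.forbidden_accounts):
        findings.append(f"{host.hostname}: guest-type account '{acct}' is enabled")
    return findings


def drift(previous: list, current: list) -> dict:
    """Classify findings between two audit runs: fixed, still open, and newly introduced."""
    prev, cur = set(previous), set(current)
    return {
        "remediated": sorted(prev - cur),
        "persisting": sorted(prev & cur),
        "new": sorted(cur - prev),
    }


# Constructed baseline for a hypothetical application server.
BASELINE = Baseline(
    allowed_ports=frozenset({22, 443}),
    defined_users=frozenset({"alice", "bob", "svc_backup"}),
    privileged_members=frozenset({"alice"}),
    forbidden_accounts=frozenset({"guest"}),
)

# Constructed day-1 snapshot: the host has drifted from the baseline.
DAY1 = HostSnapshot(
    hostname="app01",
    listening_ports=frozenset({22, 443, 3389}),
    local_users=frozenset({"alice", "bob", "svc_backup", "guest"}),
    privileged_group_members=frozenset({"alice", "bob"}),
    enabled_accounts=frozenset({"alice", "bob", "svc_backup", "guest"}),
)

# Constructed day-2 snapshot: the extra port and guest account were fixed,
# but an undefined account appeared and bob still holds admin membership.
DAY2 = HostSnapshot(
    hostname="app01",
    listening_ports=frozenset({22, 443}),
    local_users=frozenset({"alice", "bob", "svc_backup", "tmpadmin"}),
    privileged_group_members=frozenset({"alice", "bob"}),
    enabled_accounts=frozenset({"alice", "bob", "svc_backup", "tmpadmin"}),
)


def audit_report():
    """Run both snapshots against the baseline and compute the drift between them."""
    day1 = check_host(DAY1, BASELINE)
    day2 = check_host(DAY2, BASELINE)
    return day1, day2, drift(day1, day2)


if __name__ == "__main__":
    d1, d2, delta = audit_report()
    print(f"day 1: {len(d1)} findings, day 2: {len(d2)} findings")
    for category, items in delta.items():
        for item in items:
            print(f"[{category}] {item}")
```

The point of the `drift` step is the one the article makes: a single compliance scan tells you where a host stands today, but a zero trust posture needs the comparison between scans, so that a regression such as a newly created undefined account is surfaced immediately rather than at the next manual review.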
Assembling a trusted team to secure your data.
Combining STIG mandates for perimeter security with a zero trust model shuts down access and makes it nearly impossible for bad actors to get in. As Defense Information Systems Agency (DISA) observes, “The intent and focus of zero trust frameworks is to design architectures and systems to assume breach, thus limiting the blast radius and exposure of malicious activity.”
If all of this sounds complicated, it’s because it is. Luckily, STIG compliance automation solutions, such as SteelCloud’s ConfigOS, can reduce the time and effort of implementing all the controls needed for zero trust by approximately 90 percent. In addition, automating STIG compliance can simplify the hardening process at the perimeter, provide 24/7/365 reporting and remediation, and help you double down on cybersecurity when using the zero trust approach.
This article originally appeared on SteelCloud’s website, here.