From Castles to Cities with Zero Trust
Once an opaque term used only in niche cybersecurity circles, “Zero Trust” is now the centerpiece of a sweeping Executive Order (EO 14028) signed by President Biden in May 2021. With that action, Zero Trust moved from trendy buzzword to a core requirement of an upcoming federal mandate. Yet while the term has entered the common lexicon, it is still not entirely clear to many what Zero Trust actually means.
Castles and Cities
Let’s start with what Zero Trust isn’t. Zero Trust is not a technology: it is neither hardware nor software, nor even a network or digital ecosystem. It is a concept, a mindset that challenges traditional cybersecurity thinking. If you are wondering why we are talking about castles, moats, and…cities, read on.
Traditional cybersecurity practice follows a “castle and moat” model, where controls concentrate on keeping threats out. Most importantly, the castle and moat approach assumes that any user who presents the right credentials to access a network has done so legitimately and can be trusted to move freely through it. As the move to the cloud picks up speed, the network perimeter as we know it is dissolving, and with it the premise the model rests on.
Zero Trust makes a different assumption: that networks are either actively under attack or already breached. Recent cyberattacks have shown that threats operating inside the perimeter, whether insiders or intruders using stolen credentials, are pervasive and almost always more damaging than those stopped at the edge. Where the traditional model sees networks as castles to be isolated and protected from outside danger, Zero Trust sees them as cities, where communication with external applications and networks is constant and users need to move freely without sacrificing usability or security.
If we continue with the “city” analogy, Zero Trust architecture is the internal police force or traffic enforcement agency. It consists of many validation points, barriers around sensitive content, and strict controls even on verified users. A user may be a citizen in good standing in her virtual city, holding valid credentials. According to Zero Trust, that still does not give her free rein around the city or access to any information she wants. Zero Trust limits what even credentialed “citizens” can do by opening only the streets and pathways they actually need (network segmentation) and by applying controls such as multi-factor authentication, granular permission levels, and stronger encryption, checked on every request rather than once at the gate.
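To make the analogy concrete, here is a small policy decision point that evaluates each access request on its own, combining segmentation (which “streets” a role may use), the permission level the resource requires, a mandatory second factor for sensitive data, and a device-posture risk score that is recomputed per request (a simple stand-in for the adaptive risk calculation discussed later in the post). This is an added illustration, not code from the original post or from any Leidos product; the users, devices, resources, role-to-segment map, risk weights and thresholds are all invented for the example.

```python
"""Per-request access decisions in the style of a Zero Trust policy decision point.

Added illustration, not code from the original post or from any Leidos product.
Subjects, devices, resources, the role-to-segment map and the risk thresholds are
invented for the example; a real deployment would source them from an identity
provider, a device-compliance service and a resource inventory.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool          # has this session completed a second factor?


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # enrolled and reporting compliance
    patched: bool
    trusted_network: bool       # hypothetical signal: known corporate egress


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str            # "public" | "internal" | "restricted"
    required_role: str          # "everyone" means any authenticated user


# Segmentation: the only "streets" each role is ever allowed to travel (invented).
SEGMENTS = {
    "everyone": frozenset({"wiki"}),
    "hr":       frozenset({"payroll", "hr-portal"}),
    "eng":      frozenset({"git", "ci"}),
}

# Higher sensitivity tolerates less accumulated risk (invented thresholds).
RISK_BUDGET = {"public": 90, "internal": 50, "restricted": 30}


def risk_score(subject: Subject, device: Device) -> int:
    """Sum weak-posture signals; recomputed on every request, not once at login."""
    score = 0
    if not device.managed:          score += 40
    if not device.patched:          score += 20
    if not device.trusted_network:  score += 15
    if not subject.mfa_verified:    score += 30
    return score


def decide(subject: Subject, device: Device, resource: Resource) -> Tuple[str, str]:
    """Return (decision, reason); decision is "allow", "step_up" or "deny"."""
    # 1. Segmentation: a valid credential does not imply the resource is reachable.
    reachable = set()
    for role in subject.roles | {"everyone"}:
        reachable |= SEGMENTS.get(role, frozenset())
    if resource.name not in reachable:
        return "deny", f"{resource.name} is outside the segments for {sorted(subject.roles)}"
    # 2. Least privilege: the specific permission level must be held.
    if resource.required_role != "everyone" and resource.required_role not in subject.roles:
        return "deny", f"role {resource.required_role} required"
    # 3. Sensitive data always requires a second factor, even for the right role.
    if resource.sensitivity == "restricted" and not subject.mfa_verified:
        return "step_up", "MFA required for restricted resource"
    # 4. Continuous risk evaluation against the resource's budget.
    score = risk_score(subject, device)
    if score > RISK_BUDGET[resource.sensitivity]:
        if not subject.mfa_verified:
            return "step_up", f"risk {score} over budget; MFA may lower it"
        return "deny", f"risk {score} over budget on device {device.device_id}"
    return "allow", f"risk {score} within budget"


# Constructed sample principals, devices and resources for the demonstration.
PAYROLL = Resource("payroll", "restricted", "hr")
GIT = Resource("git", "internal", "eng")
WIKI = Resource("wiki", "public", "everyone")
ALICE = Subject("alice", frozenset({"hr"}), mfa_verified=True)
ALICE_NO_MFA = Subject("alice", frozenset({"hr"}), mfa_verified=False)
BOB = Subject("bob", frozenset({"eng"}), mfa_verified=True)
LAPTOP = Device("lt-001", managed=True, patched=True, trusted_network=True)
KIOSK = Device("kiosk-9", managed=False, patched=False, trusted_network=False)

if __name__ == "__main__":
    for s, d, r in [(ALICE, LAPTOP, PAYROLL), (ALICE_NO_MFA, LAPTOP, PAYROLL),
                    (ALICE, KIOSK, PAYROLL), (BOB, LAPTOP, PAYROLL),
                    (BOB, LAPTOP, GIT), (BOB, KIOSK, WIKI)]:
        decision, reason = decide(s, d, r)
        print(f"{s.user:6} {d.device_id:8} {r.name:8} -> {decision:8} ({reason})")
```

The point of the example is the shape of the decision, not the weights: the same HR user is allowed from a compliant laptop, asked for a second factor when she has not yet provided one, and denied outright from an unmanaged kiosk even with MFA, while an engineer with perfectly valid credentials never reaches the payroll segment at all. Every decision carries a reason string so the outcome can be logged and audited.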
Implementing Zero Trust Architecture
Every organization is different, with specialized needs and priorities. As a leading provider of cybersecurity to the Federal Government, Leidos is uniquely equipped to help customers plan and navigate the roadmap to Zero Trust. That said, there are some basic guidelines agencies should keep in mind when beginning their path toward Zero Trust. The cybersecurity EO does not dictate a standard approach to Zero Trust beyond the instruction to follow NIST guidance; instead it asks agencies to work with the rest of the federal government to find their best path forward.
In an upcoming post, we’ll get into the details around migrating to a Zero Trust framework and go in-depth on our recommended four-phased approach to Zero Trust Readiness. Here’s a quick preview:
Phase 1: Assess
Assess data/mission criticality, system complexity, attack surfaces, and risk.
Phase 2: Discover
Identify and inventory all actors, assets, processes, and organizational structures, and secure executive buy-in.
Phase 3: Plan
Create a prioritized plan to incrementally introduce new capabilities.
Phase 4: Execute
Implement the new capabilities and integrate them into a true Zero Trust security architecture.
Finally, in large networks, AI/ML capabilities can be critical to building adaptive access control systems that continuously recalculate risk. Zero Trust with AI/ML can also orchestrate and automate security responses, detecting and mitigating attacks at machine speed.
Most of today’s cybersecurity models look for known attack patterns or data signatures already associated with malware. As the threat ecosystem evolves, machine learning lets detection learn continuously and dynamically, identifying new types of malicious activity as they emerge.
Zero Trust by the Numbers
- 80% of data breaches involve compromised privileged credentials (Forrester)
- In 2020 alone, there were over 1,000 known data breaches in the United States, affecting over 150 million individuals (Statista)
- 72% of organizations planned to implement Zero Trust in 2020 (IntelligentCISO)
- By 2022, 80% of new business applications opened up to ecosystem partners will be accessed through zero-trust network access (Gartner)
- By 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of Zero Trust Network Access (Gartner)
- 40% of cyber breaches actually originate with authorized users accessing unauthorized systems (IDC)
- By 2025, more than 85% of successful attacks against modern enterprise user endpoints will exploit configuration and user errors rather than make use of advanced malware (Gartner)
Leidos is a leader in researching, advising, and implementing Zero Trust architecture for both the private sector and government customers. Our consultative approach makes each project unique with one priority in mind—your security.