Zero Trust Architecture: Never Trust, Always Verify
The National Security Agency (NSA) has recently released its comprehensive set of guidelines for zero trust network security. Entitled ‘Advancing Zero Trust Maturity Throughout the Network and Environment Pillar’, the cybersecurity information sheet provides guidance on how to strengthen internal network control and contain network intrusions to a segmented portion of the network using Zero Trust principles.
NSA Cybersecurity Director Rob Joyce says: “Organisations need to operate with a mindset that threats exist within the boundaries of their systems. This guidance is intended to arm network owners and operators with the processes they need to vigilantly resist, detect, and respond to threats that exploit weaknesses or gaps in their enterprise architecture.”
What does the NSA framework look like?
The framework represents a significant departure from traditional security models, emphasising a "never trust, always verify" approach. The NSA's endorsement of this model is rooted in the recognition of evolving cyber threats and the imperative to safeguard national security interests in an interconnected digital landscape.
The zero trust guidelines emphasise several key recommendations:
Network Segmentation: Dividing the network into smaller, discrete segments to impede lateral movement by attackers and minimise the impact of breaches.
Robust Authentication and Authorisation: Implementing stringent access controls to ensure only verified users and authenticated devices can access critical network resources.
Continuous Monitoring and Real-time Validation: Vigilantly scrutinising all network traffic, users, and devices to swiftly identify and respond to anomalous behaviour and potential security threats.
Principle of Least Privilege: Minimising access to only what is necessary to enhance security and reduce the potential impact of breaches.
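The four recommendations above describe what a zero trust policy decision point has to check on every request. The following is an added illustration, not code from the NSA guidance: a hypothetical policy engine with a constructed segment map and role-to-action map, which denies by default and re-evaluates the policy on each request so that a device falling out of compliance mid-session loses access.

```python
"""Hypothetical per-request zero trust policy decision point (PDP).
Added example; the segment and role tables below are constructed, not from any standard."""
from dataclasses import dataclass

# Segmentation: which source segment may reach which destination segment (constructed).
SEGMENT_POLICY = {"user-lan": {"web-tier"}, "web-tier": {"app-tier"}, "app-tier": {"db-tier"}}
# Least privilege: role -> the only actions it may perform (constructed).
ROLE_ACTIONS = {"analyst": {"read"}, "dba": {"read", "write"}}

@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool       # strong authentication of the user
    device_compliant: bool   # device posture, checked at request time
    src_segment: str
    dst_segment: str
    action: str

def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything else is denied."""
    if not req.mfa_verified:
        return False, "authentication: MFA not verified"
    if not req.device_compliant:
        return False, "authentication: device not compliant"
    if req.dst_segment not in SEGMENT_POLICY.get(req.src_segment, set()):
        return False, f"segmentation: {req.src_segment} may not reach {req.dst_segment}"
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return False, f"least privilege: role {req.role} may not {req.action}"
    return True, "allow"

class Session:
    """Continuous validation: policy runs on every access, not once at login."""
    def __init__(self, req: Request):
        self.req = req
        self.log = []   # decision trail for monitoring

    def access(self, action=None, device_compliant=None) -> bool:
        # Context may change mid-session; the new context is what gets evaluated.
        if action is not None:
            self.req.action = action
        if device_compliant is not None:
            self.req.device_compliant = device_compliant
        allowed, reason = evaluate(self.req)
        self.log.append((allowed, reason))
        return allowed
```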
The NSA's push for zero trust adoption addresses common pain points faced by CISOs, offering strategic guidance for minimising cybersecurity risks while optimising resource allocation. By implementing network segmentation and continuous monitoring, CISOs can craft a more defensible network landscape and detect threats in real time, thereby enhancing security posture and resource efficiency.
Zero trust in vogue for decades
Shivaprakash Abburu, EY India Technology Consulting Partner, says: “Zero trust architecture (ZTA) as an architecture principle has been in vogue for almost four decades. But there is a push now to adopt ZTA, primarily because of three aspects.
“The first is the adoption of cloud in most organisations to improve and speed up their adoption of digital transformation. The second domain, which would be apart from the outside-in domain, would be the inside-in domain. We call this lateral movement, which means attacks moving inside the organisation or emanating inside and compromising an asset inside the organisation.
“The third dimension is the inside-out; originating inside the organisation and compromising an asset outside the organisation’s IT landscape.
“We are at an inflection point, which is why the ZTA principle is getting a lot of attention because the traditional measures cater only to the first threat vector or the first type of threat manifestation while ZTA helps organisations improve their defences by bringing in the perspective of the other two threat vectors as well.”
KPMG is also an advocate for a zero trust approach. In its Global Tech Report on the government and public sector industry the company says that while government organisations have not typically been as quick as other sectors to exploit new technologies, a shift is underway.
KPMG is advising this sector to adopt zero trust models for cybersecurity, emphasising continuous monitoring, third-party risk management and cloud security. In this model, no actor or system is inherently trusted, making multi-factor authentication critical given the numerous touchpoints where data access can occur.
Prateek Mehra, Global Alliance Lead, Infrastructure, Government and Healthcare, KPMG International, says: “Governments need to stay focused on updating their cyber security policies and adopt clear incident-response plans and zero trust models.
“In a zero trust model, no actor or system can be trusted in any form,” he explains. “They require continuous monitoring, third-party risk management and cloud security. And with so many touchpoints where actors can access data, multi-factor authentication becomes critical.”
50% of zero trust programmes risk failure
Despite the growing embrace of zero trust, challenges persist. A survey conducted by PlainID reveals a stark reality: while CISOs are integrating zero trust frameworks, authorisation remains a critical gap. Only half of respondents cite authorisation as a core component of their zero trust programmes, signalling a disconnect between intent and execution.
This gap is exacerbated by resource constraints and technical complexities. Many organisations resort to homegrown solutions, potentially compromising security posture and increasing operational costs over time. With cyber adversaries evolving continuously, maintaining a robust cybersecurity strategy is imperative. Without adequate technical expertise and comprehensive authorisation frameworks, organisations risk betraying the trust of partners and customers in the event of a breach.
The convergence of identity and access management with traditional security further highlights the need for advanced technical capabilities. Oren Ohayon Harel, CEO and co-founder of PlainID, says: “Zero trust must treat all identities as potential threats. While zero trust boosts higher levels of confidence, it's imperative to pair it with a comprehensive authorisation framework.
“Enterprises today need continuous evaluation and validation across all tech stack interactions to mitigate data breach impacts.”
Ultimately, the zero trust approach represents a fundamental shift in cybersecurity ideology. By treating all identities as potential threats and prioritising comprehensive authorisation frameworks, organisations can bolster their security posture amidst an increasingly hostile digital landscape. As cyberattacks escalate in frequency and complexity, the imperative for robust cybersecurity strategies has never been more pronounced. Embracing zero trust is not merely an option; it's a necessity in safeguarding our digital future.
Cybersecurity Director at National Security Agency
With over three decades of unparalleled experience leading large organisations in cybersecurity, cyber operations and intelligence, Rob is currently the Director of the Cybersecurity Directorate at NSA. Here he spearheads the organisation responsible for defending the US’ most critical information systems against sophisticated global threats.
Global Alliance Director for Infrastructure, Government, and Healthcare at KPMG
Prateek is responsible for driving the growth agenda for KPMG’s Government sector through strategic alliances with partners including Microsoft, IBM, SAS and ServiceNow, helping member firms deliver transformative digital solutions to federal, state, and local governments in public sector markets globally.
Cyber Magazine is a BizClik brand