Zero Trust is being counted on more than ever for cybersecurity and now the NSA has issued Zero Trust guidance for Department of Defense (“DOD”) to protect their critical networks and data. However, it is not only for highly secretive environments like NSA and DOD, but also a great idea for any organization in both private and public sector with cybersecurity concerns as Zero Trust can be transformative for their security posture and more than meet any due-care or fiduciary responsibilities.
The reasons why are numerous, but you better believe that the recent Solar Winds hack played a bit part on the timing of this recent guidance.
Here is an excerpt from their guidance document you can find here:
The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting critical assets (data) in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, allowing or denying access to resources based on the combination of several contextual factors.
Systems that are designed using Zero Trust principals should be better positioned to address existing threats, but transitioning to such a system requires careful planning to avoid weakening the security posture along the way. NSA continues to monitor the technologies that can contribute to a Zero Trust solution and will provide additional guidance as warranted.
To be fully effective to minimize risk and enable robust and timely responses, Zero Trust principles and concepts must permeate most aspects of the network and its operations ecosystem. Organizations, from chief executive to engineer and operator, must understand and commit to the Zero Trust mindset before embarking on a Zero Trust path.
Zero Trust is very manageable and doesn’t need to be invasive, intimidating or over the top effort-wise. Simply implement the areas of Zero Trust that makes sense and see how it provides that extra layer or two of security that your environment needs. .
Utilizing the Zero Trust framework, along with an actionable and tested incident response plan will dramatically improve your organization’s security posture and response.