Why you should embrace zero trust architecture


As the market moves forward and the Cybersecurity Executive Order takes hold, there will be no avoiding zero trust architecture. Here's how you should shift your focus.

In a world of increasing cybersecurity risk, there’s a lot of buzz in the federal IT industry about zero trust architecture. Many are wondering what it is, what it means to their organization and what actions it defines.

In the simplest terms, ‘zero trust’ is a set of consolidated standards and guidelines that support the development of a no-trust or low-trust secure architecture, one that can adapt as data rights and risk change. Coined by Forrester Research analyst and thought leader John Kindervag, ‘zero trust’ is based on the principle that nothing is trusted by default. Under this paradigm, no device, user or application is assumed to be secure simply because of where it sits on the network; every request is verified.

The term zero trust architecture is currently used mostly in government (it appears in the U.S. Department of Defense [DoD] Zero Trust Reference Architecture and in National Institute of Standards and Technology [NIST] SP 800-207), but the architecture is being adopted and refined across many high-risk and high-compliance industries, such as banking and healthcare. It also incorporates security and privacy standards from across industries and technologies. Where NIST SP 800-53 provides a catalog of controls, zero trust architecture provides a single set of design requirements against which to set the security and privacy targets for your architecture.

The architectural components of zero trust include the:

  • Policy engine, which makes the final decision to grant, deny or revoke a subject's access to a resource.
  • Policy administrator, which acts on that decision by establishing (or shutting down) the communication path between the subject and the resource, for example by issuing a session-specific credential to the enforcement point.
  • Policy enforcement point, which serves as the gateway in the data path, enabling, monitoring and terminating connections between subjects and the resources they are authorized to access.
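To make the division of labor among the three components concrete, here is an added example (not from the article, and not any vendor's product code) of the decision flow in Python. The Subject, Device and Resource attributes and the policy rules are hypothetical. What it shows is that the engine decides per request with deny as the default, the administrator hands out a session credential and re-asks the engine on every use so that a change in device posture revokes the session rather than merely denying the next request, and the enforcement point forwards nothing it has not just been vouched for.

```python
"""Toy model of the NIST SP 800-207 control-plane components.
Added example, not from the article: the classes, attributes and policy
rules are hypothetical and only show the shape of the decision flow."""
from collections import namedtuple
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class Subject:
    user: str
    mfa_verified: bool
    roles: frozenset

@dataclass
class Device:            # mutable on purpose: posture changes over time
    device_id: str
    managed: bool
    patched: bool

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str     # "public" | "internal" | "restricted"
    required_role: str

Decision = namedtuple("Decision", "allow reason")

class PolicyEngine:
    """Decides every request; anything not explicitly allowed is denied."""

    def evaluate(self, subj, dev, res):
        if res.required_role not in subj.roles:
            return Decision(False, "subject lacks required role")
        if res.sensitivity != "public" and not subj.mfa_verified:
            return Decision(False, "MFA required for non-public resource")
        if not dev.managed:
            return Decision(False, "unmanaged device")
        if res.sensitivity == "restricted" and not dev.patched:
            return Decision(False, "restricted resource requires patched device")
        return Decision(True, "all policy checks passed")

class PolicyAdministrator:
    """Issues a short-lived session credential and tears it down when the engine's answer changes."""

    def __init__(self, engine, ttl_s=300):
        self.engine = engine
        self.ttl_s = ttl_s
        self.sessions = {}   # token -> (subject, device, resource, expiry)

    def open_session(self, subj, dev, res, now):
        d = self.engine.evaluate(subj, dev, res)
        if not d.allow:
            return None, d
        token = secrets.token_urlsafe(32)        # session-specific credential
        self.sessions[token] = (subj, dev, res, now + self.ttl_s)
        return token, d

    def validate(self, token, now):
        if token not in self.sessions:
            return Decision(False, "unknown or revoked session")
        subj, dev, res, expiry = self.sessions[token]
        if now > expiry:
            del self.sessions[token]
            return Decision(False, "session expired")
        d = self.engine.evaluate(subj, dev, res)  # re-check live posture
        if not d.allow:
            del self.sessions[token]              # revoke, do not just deny
            return Decision(False, "revoked: " + d.reason)
        return Decision(True, "session valid")

class PolicyEnforcementPoint:
    """Data-path gateway: forwards nothing the administrator has not vouched for on this request."""

    def __init__(self, admin):
        self.admin = admin

    def request(self, subj, dev, res, now):
        return self.admin.open_session(subj, dev, res, now)

    def forward(self, token, now):
        d = self.admin.validate(token, now)
        return d.allow, d.reason

def demo():
    # Walk one hypothetical session through grant, posture change and revocation.
    pep = PolicyEnforcementPoint(PolicyAdministrator(PolicyEngine()))
    alice = Subject("alice", mfa_verified=True, roles=frozenset({"payroll"}))
    laptop = Device("lt-42", managed=True, patched=True)
    payroll_db = Resource("payroll-db", "restricted", "payroll")
    token, _ = pep.request(alice, laptop, payroll_db, now=1000)
    first = pep.forward(token, now=1001)      # (True, "session valid")
    laptop.patched = False                    # posture degrades mid-session
    second = pep.forward(token, now=1002)     # revoked by re-evaluation
    third = pep.forward(token, now=1003)      # session no longer exists
    phone = Device("ph-7", managed=False, patched=True)
    tok2, d2 = pep.request(alice, phone, payroll_db, now=1004)
    return {"first": first, "second": second, "third": third, "phone": (tok2, d2.reason)}
```

Production engines draw on many more signals (identity provider, endpoint management, threat intelligence, logs), but the property to preserve is the one the demo function exercises: trust is evaluated continuously on every use of a session, not once at login.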

THE EVOLUTION TO ZTA

Some of this may sound familiar to you. Zero trust architecture reminds me of a modern-day version of defense-in-depth. Defense-in-depth is a military concept that the National Security Agency's information assurance guidance adapted to IT systems: multiple layers of security controls (defenses) are placed throughout an IT system. The intent of the defense-in-depth approach is that a series of security mechanisms and controls are thoughtfully layered throughout a computer network to protect the confidentiality, integrity and availability of the network and the data.

One of the major differences between classic defense-in-depth and zero trust architecture is that ZTA focuses on users, assets and resources and, more specifically, is data centric. Defense-in-depth sets up multiple network domains, tries to limit the attack surface across assets and focuses on ports, protocols and services. Zero trust architecture goes a step further: it starts from no trust, places more emphasis on protecting the data itself, and brings the policy engine, the policy administrator and the policy enforcement point into a centralized, manageable architecture. Because ZTA is an architecture, it can consolidate existing standards and adopt new ones, combining the traditional tenets of least privilege, which grants only the permissions needed to accomplish a specific action, and defense-in-depth, which inserts layers and gates of security at every relevant control point in a use case. Zero trust architecture includes both.

To meet this standard of security, one must design a simpler and more secure architecture without impeding operations. The classic defense-in-depth strategy on its own has limited value against well-resourced adversaries who have already breached an outer layer, and it is an ineffective approach to insider threats, since an insider starts out inside the trusted zone.

DETERMINING THE RIGHT APPROACH FOR YOU

So, given the background of what zero trust architecture is and how it has evolved from earlier security standards, what does it mean today for federal contractors?

If you’re an organization that is working with the DoD, this level of security is not a nice-to-have, but a must-have. Anyone supporting DoD or civilian federal agencies will have to address the requirements that are starting to arise consistently from federal customers. As an example, statements of work from the DoD are starting to include a section on zero trust architecture. Per the Cybersecurity Executive Order (Executive Order 14028), we will also start seeing the requirements show up in federal civilian agencies, followed by state and local agencies, especially where they appear in contract flow-downs.

Knowing this is the direction the industry is heading, your organization should conduct a gap analysis and then move to setting up a zero trust level of security. What you ultimately determine for your organization needs to make business sense and security sense. As we all know too well, these cyber and privacy requirements need to be integrated early in development, as none of these changes can be made overnight. ZTA is a marathon, not a sprint.

One of the key questions at the beginning of any gap analysis is whether you will be supporting customers that need zero trust architecture or, more importantly, contractually require it. Ask yourself whether adopting this architecture will provide the additional cyber and privacy controls needed to build a more resilient system and protect your most critical data. Decide whether you are going to build or buy, though you will probably do a little of both, as an out-of-the-box zero trust architecture is unlikely to meet all of your long-term technology, organization and process needs. Many security and privacy standards are still being updated and will be refined as new threats emerge or existing ones find weaknesses in ZTA implementations.

If you decide to build these solutions in-house, or even to outsource to a consulting firm, make sure you have the right resources: people who understand the architectural needs, have the coding capabilities and are familiar with the compliance requirements. Identify a project owner who understands cyber and privacy and can bring the different parts of the organization together to support the architecture.

YOUR STEPS TO ZTA

Once you determine if you are building or buying:

  • Define your ‘protect surface’: the data, assets, applications and services that must sit inside the ZTA boundary
  • Map your data, network and transaction flows to and from that protect surface
  • Define your target ZTA architecture
  • Create a zero trust policy for your organization, spelling out how the policy engine, policy administrator and enforcement points interact and the level of detail at which decisions are made
  • Identify and document the gaps between the current state and the target
  • Put the gaps on your roadmap with timelines and resources
  • Monitor and maintain the zero trust environment
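The first five steps can be rehearsed on a small scale before any tooling is bought. The following added example (not from the article, and not any product's code) takes a constructed flow log and a constructed pair of existing firewall-style rules, maps the transactions that reach a two-asset protect surface, derives an explicit allowlist closed by a deny, and reports where the existing rules are broader than the observed need. The log format, addresses, asset names and rules are all invented for illustration.

```python
"""Map transaction flows onto a protect surface and derive a default-deny
allowlist, then show where the current rules are broader than that need.
Added example, not from the article: the log format, addresses, asset
names and rules are constructed for illustration."""
from collections import defaultdict
import ipaddress
import re

# Constructed protect surface: the assets the ZTA boundary must cover.
PROTECT_SURFACE = {"10.0.5.10": "payroll-db", "10.0.5.11": "hr-portal"}

# Constructed flow records, one flow per line (key=value style).
FLOW_LOG = """\
2022-01-10T09:00:01Z src=10.0.1.23 dst=10.0.5.10 dport=5432 proto=tcp
2022-01-10T09:00:04Z src=10.0.1.23 dst=10.0.5.10 dport=5432 proto=tcp
2022-01-10T09:01:10Z src=10.0.2.40 dst=10.0.5.11 dport=443 proto=tcp
2022-01-10T09:02:33Z src=10.0.2.41 dst=10.0.5.11 dport=443 proto=tcp
2022-01-10T09:03:00Z src=10.0.9.9 dst=10.0.5.10 dport=22 proto=tcp
2022-01-10T09:03:05Z src=10.0.2.40 dst=10.0.7.7 dport=80 proto=tcp
garbage line that must not crash the parser
"""

# Constructed "current" rule set: the kind of broad allows a gap analysis finds.
CURRENT_RULES = [
    {"src": "any", "dst": "payroll-db", "dport": "any", "proto": "any", "action": "allow"},
    {"src": "any", "dst": "hr-portal", "dport": 443, "proto": "tcp", "action": "allow"},
]

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")
FIELDS = ("src", "dst", "dport", "proto")

def parse_flows(text):
    """Return (src, dst, dport, proto) tuples; unparseable lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, dport, proto = m.groups()
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue
        flows.append((src, dst, int(dport), proto.lower()))
    return flows

def map_transactions(flows, protect_surface):
    """Step 2: group flows that reach the protect surface by (asset, port, proto)."""
    tx = defaultdict(set)
    for src, dst, dport, proto in flows:
        if dst in protect_surface:            # traffic elsewhere is out of scope
            tx[(protect_surface[dst], dport, proto)].add(src)
    return dict(tx)

def derive_allowlist(tx_map):
    """Step 4: one explicit allow per observed (source, asset, port, proto),
    closed by a catch-all deny so anything unobserved is blocked."""
    rules = []
    for (asset, dport, proto), sources in sorted(tx_map.items()):
        for src in sorted(sources):
            rules.append({"src": src, "dst": asset, "dport": dport,
                          "proto": proto, "action": "allow"})
    rules.append({"src": "any", "dst": "any", "dport": "any", "proto": "any",
                  "action": "deny"})
    return rules

def rule_matches(rule, flow):
    return all(rule[f] in ("any", v) for f, v in zip(FIELDS, flow))

def gap_analysis(current_rules, tx_map):
    """Step 5: for each needed flow, name the current allow that covers it and
    which of its fields are wildcards, i.e. where it permits more than observed."""
    gaps = []
    for (asset, dport, proto), sources in sorted(tx_map.items()):
        for src in sorted(sources):
            flow = (src, asset, dport, proto)
            for rule in current_rules:
                if rule["action"] == "allow" and rule_matches(rule, flow):
                    wild = [f for f in FIELDS if rule[f] == "any"]
                    if wild:
                        gaps.append({"flow": flow, "rule": rule, "overbroad": wild})
                    break
    return gaps
```

Two caveats a practitioner would apply before adopting the derived rules: an observed flow is evidence of use, not of legitimacy (the SSH connection from 10.0.9.9 to the payroll database in the sample deserves a question before it is codified), and a log window that is too short will miss periodic jobs, so the derived rules should run in monitor mode before the closing deny is enforced.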

CONCLUSION

Zero trust architecture is not something that can be achieved overnight. It’s going to be a marathon for you and your organization. Since it is not going away, now is a great time to begin training. It will be part of doing business in 2022 and beyond.



Waylon Krush is currently a Chief Technologist (Cyber) for Motorola Solutions. He may be reached at Waylon.Krush@motorolasolutions.com.
