September 28, 2021
Executive Director, Cyber Policy and Operations, U.S. Chamber of Commerce
Recently, the modernization of cybersecurity practices has pushed public and private enterprises toward zero-trust network architectures (ZTNAs).
First introduced in 2010, zero trust is a movement away from implied trust networks, or networks that grant trust based on being behind a firewall. In a ZTNA, trust is granted on a per session basis, regardless of where the user is located and what device they are using.
In May of 2021, President Biden enacted an executive order that instructed all federal agencies to adopt ZTNAs and modernize the United States government cybersecurity defenses. This order came in response to increased security concerns brought on by people working from home during the COVID-19 pandemic, as well as last year’s SolarWinds hack.
As the government shifts towards zero-trust network architecture, the private sector needs to do the same. Here’s why the move to ZTNAs makes sense for both the public and private sectors.
Why the Federal Government Is Implementing Zero Trust Network Architecture
Over the past year, zero trust has been a theme for the federal government. There are a few reasons for such a shift change according to Bill Wright, senior director of federal government affairs for Splunk. Wright says that while a perimeter-based network security model worked pretty well for a while, the status quo has failed over time and needs a change.
“As time went on, perimeter security became less effective because of a number of factors, including the growth of cloud computing, increased use of mobile technology, and just changes to the way people work,” said Wright. “This paradigm shift was already happening to a zero-trust environment, but it took a global pandemic and a few pretty devastating high-profile breaches to really cement zero trust as our governing secretary principal.”
Wright also stressed that zero trust is not something one singular company or agency can do alone.
“Zero-trust is not a solution or a product unto itself, but an evolving set of cybersecurity paradigms that move network defenses from static, network-based perimeter to focus on the users, the assets [and] the resources,” he said. “You cannot identify or combat a threat or an issue if you cannot see it.”
Why Should Companies Move to Zero Trust?
Many companies are asking why they should shift to a zero-trust network when they believe they already have a sound security system. Jason Keenaghan, the zero-trust strategy leader for IBM Security, says that while zero trust is not going to 100% guarantee a company from having a breach, its implementation is all about risk management and reducing the amount of time needed to respond to any incident.
“[Zero trust is] about understanding where your critical assets and resources are and making sure that you've got the most secure access controls in place to be able to protect those,” said Keenaghan. “So you have to have what I refer to as the safety net on the back end to be able to respond in that event.”
Zero Trust Is the Future of Cybersecurity
Government incidents and the shift to working from home were catalysts to moving towards zero trust architectures. Some business leaders argue that zero trust creates issues implementing security across existing systems in the cloud; however, as Ryan Permeh, senior vice president and chief security architect of BlackBerry explained, these adaptations are not a “flash in the pan.”
“We're already seeing this in areas around industrial control, automotive, and even in consumer applications,” said Permeh. “This concept will be spreading further and further, above and beyond, outside of just enterprises [and] organizations.”
“This is how we're going to continue to do business,” Permeh continued. “The tools will continue to get better and better. The skills that folks have are becoming better and better. It's a process [and] a journey, not a destination.”
From the Series