If you keep pace with cybersecurity trends, you have undoubtedly heard the term “zero trust” with increasing frequency in recent years. The term, first coined by Forrester analyst John Kindervag in 2010 and popularized by Palo Alto Networks in the years since, refers to a methodology for better securing IT networks. As security practitioners recognize the need to shift from antiquated and ineffective castle-and-moat network security approaches to a model based on network segmentation and least privilege access, zero trust has become quite the buzzword.
But it is much more than a catchphrase. It illustrates a reckoning that relying on traditional perimeter defenses is no longer enough to protect networks and data. Couple that reality with a growing awareness of insider threats, and we can no longer count solely on moats to keep our castles safe. Everyone, both outside and inside our network, poses a potential risk to our security. As such, it is imperative we institute safeguards that protect our organizations accordingly.
Nowadays, the concept of zero trust – and its foundational principle of “never trust, always verify” – has begun to take on a more holistic meaning. It is evolving from a concept focused solely on network security to one that may be more broadly interpreted and applied within security practice and policy.
The Department of Defense’s recently released Digital Modernization Strategy demonstrates the beginnings of this shift in usage and understanding. The document cites zero trust as “a cybersecurity strategy that embeds security throughout the architecture for the purpose of stopping data breaches. This data-centric security model eliminates the idea of trusted or untrusted networks, devices, personas, or processes and shifts to multi-attribute based confidence levels that enable authentication and authorization policies under the concept of least privileged access.”
We may see the umbrella of zero trust widen even further in years to come, as security practitioners recognize the broad utility of the term in a world where trust must be verified (and re-verified) across a host of internal security entry points, both digital and physical.
So what does all this talk of terminology mean for those of us responsible for implementing an effective, resilient, and comprehensive internal security framework for our organizations? At Acronis SCS – a medium-sized business that delivers edge data security and cyber protection solutions to the US public sector – we have chosen to employ the zero trust model as a key component of our broader least privilege approach. We have implemented this approach across our enterprise – from our office and data centers to our network, applications, endpoints, email, and cloud infrastructure.
As a company that caters to the public sector, we only employ US citizens, we require badge access for all who enter our Scottsdale-based office, and we safeguard our data centers beyond High NIST standards, with numerous physical and biometric safeguards. Within our zero trust framework, we leverage Palo Alto Networks Next-Gen Firewalls and segmented networks. We also take our email security seriously, using FireEye Email Threat Prevention to prevent malware incursions, and we apply multi-factor authentication (MFA), certificate-based VPN, and more to our cloud.
The process of applying the highest internal security standards to our organization has not always been easy. For example, some of the cloud services we use do not automatically support MFA. Yet, we know the importance of this measure for our own cyber protection, so we choose to run MFA through another authentication method. Even when they require extra thought and time, these steps are critical for maintaining the confidence and trust of those we serve.
Every company has unique internal security needs. As such, your approach is likely different from ours. It will demand a balance between productivity and security in your own environment, based on your customers, infrastructure, and mission. Luckily though, tailoring policies and procedures need not always require reinventing the wheel. There are tools that can make this process smoother for any organization. For example, using a backup and recovery solution that includes active anti-ransomware protection can safeguard your organization from unnecessary and costly data breaches, while an easy-to-use digital authentication solution can prevent bad actors from tampering with your data.
Our application of the zero trust model’s concept of “never trust, always verify” goes beyond our internal security approach. We also apply the principle throughout our product development lifecycle. Our process is rooted within a secure-by-design philosophy, in which we compile all our product code ourselves within our own environment. That way, we know the purpose of every line of code.
We do not rely only on the expertise of our employees in this endeavor. We ask third parties, like IronNet and nVisium, to review our code. And to make triply sure our products pose zero risk to US national security, our forthcoming hardened, air-gapped backup product is also undergoing three layers of outside certification. For more details on our product development philosophy, and how this security-minded approach is critical for mitigating supply chain risk, listen to Acronis SCS CEO John Zanni’s recent comments on the Federal News Network’s podcast.
In short, we are holistic in our adoption of the “always verify” concept, whether in our own internal security approach or our product development.
As our own experience at Acronis SCS shows, instituting a robust and comprehensive security approach is not always simple – but it is necessary in today’s zero trust world. The numerous cyberattacks targeting both our company and employees that our safeguards have already thwarted make that point clear. In an environment permeated with threats, applying a zero trust and least privilege model may be the saving grace for your organization’s critical data, peace of mind, and customers’ trust as well.