The Origins of Zero Trust
The federal government continues to be a major target of cyberattacks today, and we project that the attacks will only become more sophisticated in the remainder of 2021 and beyond.
If you keep pace with cybersecurity trends, you have undoubtedly heard the term “zero trust” with increasing frequency in recent years. The term, first coined by Forrester analyst John Kindervag in 2010 and popularized by Palo Alto Networks, refers to a methodology for better securing IT networks. As security practitioners recognize the need to shift from antiquated and ineffective castle-and-moat network security approaches to a model based on network segmentation and least privilege access, zero trust has become quite the buzzword.
But zero trust is much more than a catchphrase. It illustrates a reckoning that relying on traditional perimeter defenses is no longer enough to protect networks and data. Couple that reality with a growing awareness of insider threats, and we can no longer count solely on moats to keep our castles safe. Everyone, both outside and inside our network, poses a potential risk to our security. As such, it is imperative that we institute safeguards that protect our organizations accordingly.
But what exactly is zero trust, and why is it so essential to the security of federal agencies? In this article, we’ll explore these questions and more and discuss how Acronis SCS Hardened Backup Edition can help federal customers build a zero trust environment with zero connectivity, highest-grade encryption, and secure software development through transparency.
The Zero Trust Concept Today
Zero trust architecture is a method of designing computer networks and data centers in which granular, rule-based policies strictly control the access to network resources. In addition, zero trust architecture treats every incoming connection as a potential threat until proven otherwise.
Nowadays, the concept of zero trust – and its foundational principle of “never trust, always verify” – has begun to take on a more holistic meaning. It is evolving from a concept focused solely on network security to one that may be more broadly interpreted and applied within security practice and policy.
In the context of the federal government, zero trust architecture gives our nation’s most sensitive information the greatest chance at being protected from potentially devastating cyberattacks.
The Department of Defense’s Digital Modernization Strategy demonstrates the beginnings of this shift in usage and understanding – as well as the significant role zero trust will play in the cybersecurity of the federal government in the coming months and years.
The document cites zero trust as “a cybersecurity strategy that embeds security throughout the architecture for the purpose of stopping data breaches. This data-centric security model eliminates the idea of trusted or untrusted networks, devices, personas, or processes and shifts to multi-attribute based confidence levels that enable authentication and authorization policies under the concept of least privileged access.”
We may see the umbrella of zero trust widen even further in years to come, as security practitioners recognize the broad utility of the term in a world where trust must be verified (and re-verified) across a host of internal security entry points, both digital and physical.
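To make the two definitions above concrete, here is a small policy decision point written for this article (it is an added illustration, not Acronis SCS code and not any product’s actual engine). It evaluates every request on its own attributes, gives no weight to whether the caller is on the internal network (the “no trusted or untrusted networks” idea), combines several attributes into a confidence level, and grants only the actions whose threshold that level meets (least privilege, default deny). The attribute names, weights, resource names and thresholds are all constructed for the example.

```python
"""Minimal zero trust policy decision point (illustrative, constructed example).

Every request is judged on its own merits, with no session-level memory:
network location contributes nothing to trust, several independent
attributes feed one confidence level, and only the actions whose threshold
is met are granted. Unknown resources or actions are denied by default.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """Attributes the enforcement point collects for one access attempt."""
    user: str
    identity_verified: bool      # credential checked against the IdP for this request
    mfa_satisfied: bool          # second factor presented for this request
    device_managed: bool         # device enrolled in the organisation's device management
    device_compliant: bool       # patch level / endpoint agent health attested
    on_corporate_network: bool   # recorded for audit only; never a trust input
    resource: str
    action: str                  # e.g. "read" or "write"


# Confidence each attribute contributes when true (constructed weights).
WEIGHTS = {
    "identity_verified": 40,
    "mfa_satisfied": 25,
    "device_managed": 20,
    "device_compliant": 15,
}

# Per-resource minimum confidence per action (constructed policy).
# A resource or action missing here is denied: default deny.
POLICY = {
    "backup-catalog": {"read": 60, "write": 85},
    "public-docs": {"read": 0, "write": 60},
}


def confidence(req: Request) -> int:
    """Sum the weights of the attributes that hold for this request.

    on_corporate_network is deliberately absent from WEIGHTS, so being
    "inside" the perimeter raises the score by exactly zero.
    """
    return sum(w for attr, w in WEIGHTS.items() if getattr(req, attr))


def allowed_actions(req: Request) -> set:
    """Least privilege: the set of actions this request's confidence qualifies for."""
    score = confidence(req)
    thresholds = POLICY.get(req.resource, {})
    return {action for action, needed in thresholds.items() if score >= needed}


def decide(req: Request) -> dict:
    """Evaluate one request; returns a decision record suitable for an audit log."""
    score = confidence(req)
    permitted = allowed_actions(req)
    allow = req.action in permitted
    return {
        "user": req.user,
        "resource": req.resource,
        "requested": req.action,
        "allow": allow,
        "confidence": score,
        "permitted_actions": sorted(permitted),
        # Location is logged so analysts can see it made no difference.
        "on_corporate_network": req.on_corporate_network,
    }


if __name__ == "__main__":
    # Constructed sample requests.
    alice = Request("alice", True, True, True, True, False, "backup-catalog", "write")
    bob = Request("bob", True, False, True, True, True, "backup-catalog", "write")
    for r in (alice, bob):
        print(decide(r))
```

Note that bob, who is on the corporate network but has not completed MFA, reaches a confidence of 75: enough to read the backup catalog but not to write to it, while alice, connecting from outside with every attribute verified, is allowed the write. The decision is computed afresh for each call, which is the “always verify” part of the model.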
A zero trust environment can be created across federal agencies using secure development practices and tools, such as the Acronis SCS hardened backup solution, to enforce this strict control layer between IT assets in the datacenter – including endpoints, servers, virtual machines, storage devices, networking equipment, and mobile devices – and external users or systems. Zero trust architecture helps build a strong defense against advanced persistent threats (APTs).
Least Privilege Access in Practice
So what does all this talk of terminology mean for those of us responsible for implementing an effective, resilient, and comprehensive internal security framework for our organizations?
At Acronis SCS – a US edge data security and certified cyber protection company dedicated to the US public sector – we have chosen to employ the zero trust model as a critical component of our broader least privilege approach. We have implemented this approach across our enterprise – from our office and data centers to our network, applications, endpoints, email, and cloud infrastructure.
As a company that caters to the public sector, we only employ US citizens. We require badge access for all who enter our Scottsdale-based office. In addition, we safeguard our data centers beyond High NIST standards, with numerous physical and biometric safeguards. Within our zero trust framework, we leverage Palo Alto Networks Next-Gen Firewalls and segmented networks. We also take our email security seriously, using FireEye Email Threat Prevention to prevent malware incursions, and we apply multi-factor authentication (MFA), certificate-based VPN, and more to our cloud.
The process of applying the highest internal security standards to our organization has not always been easy. For example, some of the cloud services we use do not automatically support MFA. Yet, we know the importance of this measure for our own cyber protection, so we choose to run MFA through another authentication method. Even when they require extra thought and time, these steps are critical for maintaining the confidence and trust of those we serve.
Every institution – especially those in the federal government – has unique internal security needs. As such, your approach may differ from ours. However, based on your customers, infrastructure, and mission, it will inevitably demand a balance between productivity and security in your own environment.
Applying Zero Trust to Product Development
Our application of the zero trust model’s concept of “never trust, always verify” goes beyond our internal security approach. We also apply the principle throughout our product development lifecycle. Our process is rooted within a secure-by-design philosophy, in which we compile all our product code ourselves within our own environment. That way, we know the purpose of every line of code.
We do not rely only on the expertise of our employees in this endeavor. We ask third parties, like IronNet and nVisium, to review our code. And to make triply sure our products pose zero risk to US national security, our hardened, air-gapped backup product is also FIPS 140-2, Common Criteria, and DoDIN APL certified.
For more details on our product development philosophy, and how this security-minded approach is critical for mitigating supply chain risk, take a listen to Acronis SCS’s CEO John Zanni’s recent comments on the Federal News Network’s podcast.
In short, we are holistic in our adoption of the “always verify” concept, whether in our own internal security approach or our product development.
A Secure Approach Brings a Secure Future
As our own experience at Acronis SCS shows, instituting a robust and comprehensive security approach is not always straightforward – but it is necessary in today’s zero trust world.
The numerous cyberattacks targeting federal, state, and local governments that our safeguards have already thwarted make that point clear. In a public sector environment permeated with threats, applying a zero trust and least privilege model may be the saving grace for the federal government’s mission-critical data, peace of mind, and the public’s trust as well.