President Biden’s executive order on improving the nation’s cybersecurity requires agency heads to develop a plan to implement a zero-trust architecture to effectively mitigate cyber risk.
Strengthening an organization’s cybersecurity posture should also be a corporate and countrywide mandate (as well as a business imperative), because the need to focus on cybersecurity has increased following a steady drumbeat of attacks that have directly impacted Americans and hampered logistics and services across the United States.
Companies don’t operate in a vacuum. Decisions and business contingency planning – or lack thereof – have broader implications that impact society.
The ransomware attacks that hit the gasoline pipeline and beef supplier temporarily disrupted the supply of crucial goods and products in parts of the US. They affected both the companies’ bottom lines and the consumers who rely on the constant availability of these goods and services.
The incentive for a business to implement a zero-trust architecture should be based on internal mandates, with consideration for how a security breach might impact others outside of the organization. If organizations don’t enact effective security controls internally, they could have them imposed as a regulatory requirement or through legislation.
The White House’s cybersecurity executive order will directly impact federal agencies and government contractors but will also likely influence private businesses. A separate White House memorandum is already pushing critical infrastructure owners and operators to implement baseline security practices to protect national and economic security, as well as public health and safety.
Zero trust is for today’s perimeter-less network environment
Zero trust is an architecture framework that implements consistent enforcement of authentication and authorization throughout a perimeter-less environment. Today, effective cybersecurity controls encompass access to applications, data, and resources on-premises, deployed across multi-cloud platforms, hybrid environments, and mobile devices. Zero trust prescribes the design, coordinated cybersecurity, and system management to combat cyber threats inside and outside the traditional perimeter.
The fundamental objective for zero trust is that all users, applications, and devices that are trying to access networks, services, servers, databases, etc., no matter their location, should be authenticated, authorized, and validated, and that trust is not inherited or presumed anywhere across the everywhere-enterprise.
Zero trust is all about consistently enforcing controlled access and tight containment, thereby minimizing the negative impact if a user’s credentials, devices, servers, applications or databases are compromised. Zero trust focuses on security monitoring, granular risk-based access controls, and automated risk mitigation. The flow of security data is coordinated throughout an organization’s enterprise-wide digital infrastructure, allowing IT and security teams to focus on protecting data and other digital assets in real time.
A recent survey of North American IT and security leaders evaluated their secure access priorities over the next 12 months and how they will be used to curtail security challenges. Ninety-eight percent of the IT and security practitioners say their security practices will become more aligned with a zero-trust strategy over the next year, highlighting the urgency to move to zero trust to reduce risks.
Fighting back against the increasing number and sophistication of cyberthreats
A strong security posture, bolstered by zero-trust architecture, reduces attack surfaces. Every privileged account is a potential attack surface. Administrative, root, Windows domain, local admin accounts, network devices, applications, and service accounts in an organization could number in the thousands. In large companies, that number can reach tens of thousands. Reducing these potential attack surfaces greatly reduces risk.
With threats growing in volume and sophistication, a zero-trust architecture supports today’s everywhere-workplace. Every organization should heed the mandate by continuously verifying posture and compliance and providing least-privileged access. When we reduce attack surfaces and minimize risk, we increase the welfare and strength of our organizations, our economy, and our nation.