President Biden’s Executive Order has opened the doors to Zero Trust, but will Boris Johnson follow suit? Tony Scott, board member, ColorTokens, former federal CIO for the Obama administration, offers his insight.
Whether you are a business or an individual, you are a target. For whom? Well, it’s difficult to put names to the largely masked faces, but the fraternity of cybercriminals that operate globally around the clock don’t really care about their victims. Sure, one big ransomware attack on a large enterprise can yield a tidy profit, but so can countless smaller-scale ransomware attacks on the general public. Not a day seems to go by without another headline acknowledging cybersecurity failures.
Cybercriminals have had their fun via various GDPR breaches, with some eye-watering fines dished out to those organizations in question and have recently taken to attacking all kinds of superstar targets – the NHS, Microsoft, LinkedIn, etc Marriott Hotels and even Garmin. And all of these incidents serve to illustrate the (largely) ineffective cyber defences and response solutions employed by said organizations. For example, the widely reported Solar Winds hack of late 2020 targeted the Department of Homeland Security, the Treasury Department, and very high-profile victims. This particular hack highlighted the generally futile approach of a reactive response, rather than being proactive and assuming a breach is already happening. Slapping yourselves on the back because you’ve managed to bolt the barn door long after the horse ran off, doesn’t quite cut the mustard here.
And all too often the finger of blame is pointed at the employee: they are accused of poor security hygiene; they are suckers for a dodgy phishing link; they use work devices for personal tasks; etc. And yes, all of these things might have a ring of truth to them, but in reality we should be holding the enterprise responsible. Their IT networks are designed to exchange and use information in a way that actually presents a massive attack surface to cybercriminals, who are able to deploy laterally through such networks, looking for whatever is of interest to them. To add fuel to the fire, enter COVID-19. With an almost overnight shift to remote working (or hybrid models), the pandemic put huge pressure on already stressed IT departments to accelerate digital transformation. These IT infrastructures weren’t designed for a largely remote workforce. Cybercriminals, however, were rubbing their hands with glee: perfect conditions and greater opportunities for their nefarious activities.
If cyberthieves can go about their (bad) business without detection by taking advantage of trusted processes, then those systems are not fit for purpose. It’s time to move the goalposts and trust nobody. Enter Zero Trust.
The zero trust concept
The shift to remote working means that people often need access to data that lives in your organization’s data centres. To facilitate this access, businesses regularly make use of virtual private networks (VPNs). However, the use of a VPN opens up your infrastructure to networks and devices that you ultimately can’t control. You need to know who is connecting to your apps, what kind of device they are using. and associated access requirements. That’s the underlying concept behind Zero Trust network access (ZTNA): the provision of uninterrupted connection to your apps minus any risk to your data. By using ZTNA, an organization can effectively hide apps outside of the public internet with only authorized users granted access. With Zero Trust, the defining mantra is to trust nobody from the outset: everyone is a potential threat.
Biden buys in
Following on from the Solar Winds debacle, it was widely reported that the US government was considering reorganizing its cybersecurity approach by making the Cyber Command independent from the National Security Agency. So it came as no surprise to see US President Joe Biden giving his full support to the Zero Trust approach with an Executive Order that seeks to improve the nation’s cybersecurity, with specific emphasis on Zero Trust architecture. Zero Trust security architecture offers the most effective and practical solution to the ongoing escalation of cyberthreats. Using ongoing surveillance and checks, IT infrastructure becomes more of a stronghold – it is difficult to get in, and even harder to remain undetected.
- 7 strong authentication practices for zero trust
- 17 IT leaders on why your organization needs zero trust, with tips on implementation
- Don’t pay the ransom: Rubrik’s Zero Trust Data Management
- Zero trust architecture is not just ‘nice to have’
What About the UK?
Irrespective of Biden’s Executive Order, Zero Trust is already becoming the de facto approach for organizations all over the world. So, what about the UK? Well, currently there has been no endorsement of Zero Trust technology from 10 Downing Street. Was it a topic of conversation during Boris Johnson’s recent face-to-face meeting with the US President? Who knows, but it would be nice to think that it was given the disruption and chaos that a major cyberattack can cause to individuals, businesses, and even the government—and yes, that includes you, Mr Prime Minister. We can only hope that the familiar copycat tactics that the UK tends to adopt after the US rubber stamps something will apply to Zero Trust too.
Zero Trust security thinks the worst and assumes networks are not secure unless proven otherwise. The UK government needs to demonstrate its commitment to cybersecurity by recommending that organizations adopt the Zero Trust approach.