This article is an excerpt from GovLoop’s recent e-book, “Zero Trust in Government.” Download the full e-book here.
Early government cybersecurity focused on defending network perimeters with tools such as firewalls to block external threats. Like castle walls around a city, however, this approach can’t stop threats that come from within or breach physical boundaries.
Next, agencies added continuous monitoring and least privilege access control to their cybersecurity strategies. Continuous monitoring gives agencies visibility into all activities across their networks; least privilege access control lets them control which devices and users gain access to their networks. Although valuable, neither of these approaches results in pervasive network security for agencies.
In 2010, the phrase “a zero trust approach to cybersecurity” emerged to describe continuous monitoring and least privilege access control working together. Three steps also became synonymous with improving this pairing: eliminating network trust, segmenting network access and gaining network analytics and visibility.
Eliminating network trust assumes that all traffic, regardless of where it comes from, is threatening until it has been authorized, inspected and secured through the verification process. For example, traffic from friendly agencies is treated as dangerous until it has completed verification.
Segmenting network access, meanwhile, involves adopting least privilege access control. Agencies strictly enforce cybersecurity by allowing access to only the resources that devices and users need for their roles. This segmentation keeps the entire network from being affected if one part is compromised.
Gaining network analytics and visibility, finally, requires continuous monitoring. All internal traffic is constantly examined and logged, as is the perimeter for external threats. This vigilance is then paired with real-time protection capabilities for stronger cybersecurity.
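The three steps above (eliminating network trust, segmenting access by least privilege, and logging every decision for visibility) can be shown side by side in a small policy engine. The code below is an added illustration, not code from GovLoop or from the e-book; the role-to-segment table, the request fields and the sample requests are constructed for the example, and the `verified` flag stands in for whatever identity and device checks an agency actually runs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample policy (not from the article): each role may reach
# only the network segments it needs. Anything not listed is denied.
ROLE_SEGMENTS: Dict[str, Set[str]] = {
    "hr-analyst": {"hr-db"},
    "payroll-clerk": {"hr-db", "payroll-app"},
    "netops": {"monitoring"},
}


@dataclass
class Request:
    identity: str            # who is asking (constructed user id)
    role: Optional[str]      # role asserted by the identity provider
    verified: bool           # assumed result of authentication + device checks
    source_network: str      # "internal", "partner-agency", "internet", ...
    target: str              # segment / resource being requested


@dataclass
class Decision:
    allowed: bool
    reason: str


def perimeter_allows(req: Request) -> bool:
    """The castle-wall model: anything already inside is trusted."""
    return req.source_network == "internal"


class ZeroTrustGateway:
    """Default-deny gateway that never consults the source network."""

    def __init__(self, role_segments: Dict[str, Set[str]]) -> None:
        self.role_segments = role_segments
        self.log: List[dict] = []   # visibility: every decision is recorded

    def evaluate(self, req: Request) -> Decision:
        # Step 1, eliminate network trust: being "internal" earns nothing;
        # an unverified identity is denied wherever the traffic comes from.
        if not req.verified:
            decision = Decision(False, "identity not verified")
        # Step 2, segment access: least privilege by role. A missing role or
        # a target outside the role's segments is denied.
        elif req.role is None or req.target not in self.role_segments.get(req.role, set()):
            decision = Decision(False, f"role {req.role!r} may not reach {req.target!r}")
        else:
            decision = Decision(True, "verified identity, role permits target")

        # Step 3, analytics and visibility: log allowed and denied traffic alike.
        self.log.append({
            "identity": req.identity,
            "source_network": req.source_network,
            "target": req.target,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    def denials_by_identity(self) -> Dict[str, int]:
        """Turn the log into a simple signal: who keeps getting denied."""
        counts: Dict[str, int] = {}
        for entry in self.log:
            if not entry["allowed"]:
                counts[entry["identity"]] = counts.get(entry["identity"], 0) + 1
        return counts


# Constructed requests: compromised internal host, partner agency, over-reach.
SAMPLE_REQUESTS = [
    Request("host-17", None, False, "internal", "hr-db"),
    Request("partner-clerk", "payroll-clerk", True, "partner-agency", "payroll-app"),
    Request("alice", "hr-analyst", True, "internal", "payroll-app"),
]


def run_samples() -> ZeroTrustGateway:
    gw = ZeroTrustGateway(ROLE_SEGMENTS)
    for req in SAMPLE_REQUESTS:
        zt = gw.evaluate(req)
        print(f"{req.identity:14} perimeter={perimeter_allows(req)!s:5} "
              f"zero-trust={zt.allowed!s:5} ({zt.reason})")
    return gw


if __name__ == "__main__":
    run_samples()
```

The first request shows the point of the article's castle-wall analogy: the perimeter model waves the unverified internal host through, while the zero trust gateway denies it. The second shows "friendly agency" traffic being admitted only after verification, and the third shows least privilege stopping a verified user from reaching a segment outside her role. Because every decision lands in the log, the same data that enforces policy also feeds detection.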
The 2010 model isn’t perfect, however, and shortcomings soon emerged. For instance, agencies weren’t prepared for their trusted systems being compromised. Once compromised, invaders such as malicious software could hide undetected on agencies’ networks. These hazards could also damage previously healthy network segments. Agencies needed a stronger battle plan.
To find out what happened next to zero trust cybersecurity, download GovLoop’s recent e-book, “Zero Trust in Government,” here.