Cyber attacks are becoming more common, and the cost of cyber risk is increasing. Organizations need to start taking a zero-trust approach to managing cyber risk, which means they must be able to trust their own information systems without depending on third parties for validation.
The Zero-Trust Approach to Managing Cyber Risk Explained is a blog post that explains the Zero-Trust Security model. It’s a security approach that has been used for years in many different industries and it can be applied to cyber risk management as well.
The Biden administration is pressuring government agencies to embrace a cybersecurity concept that has gained traction in the private sector in the wake of a growing transition to cloud computing and an increase in cyberattacks: trust no one.
Last week, the White House Office of Management and Budget published a draft plan for a “zero trust” strategy to defending against hackers. President Biden announced the change in May as part of an executive order to strengthen cybersecurity, with the goal of detecting and containing attacks like the hack of government networks last year by SolarWinds Corp. Hackers exploited a flaw in a software update from the company to get access to the computer networks of at least nine government agencies and dozens more companies in the United States.
According to Theresa Payton, CEO of Fortalice Solutions LLC, a cybersecurity consulting company, implementing a new set of rules, processes, and technologies across government agencies may require a considerable amount of money and time. She compared the move to zero trust to a lifestyle change, and said the administration’s drive may assist update the government’s cyber defenses.
Ms. Payton, who served as the White House chief information officer under President George W. Bush, said, “If it were simple to accomplish, it would already be done.” “It’ll become extremely costly, very quickly.”
Subscribe to our newsletter
Cybersecurity WSJ Pro
WSJ’s worldwide team of reporters and editors provide cybersecurity news, analysis, and insights.
The following are the fundamentals of the zero-trust strategy:
What does it mean to have zero trust?
Any person, device, or program is seen as a possible danger, necessitating frequent identity and data access verification. Traditional security frameworks, on the other hand, trust technologies or people after they get beyond perimeter protections, which are typically built around networks linked to physical offices.
Zero trust is “particularly essential now that we’ve had the pandemic,” according to Bret Arsenault, Microsoft’s chief information security officer. “Whether you work from a desk, from home, or anywhere in between, you want to have the same consistent experience.”
More detailed network monitoring and segmentation, as well as limiting users from material that is off-limits to them, may assist prevent breaches. That, according to Mr. Arsenault, was crucial in determining the danger the SolarWinds assault posed to Microsoft’s networks.
He said, “It would have been a different world if we hadn’t adopted zero trust.” “We knew exactly where [the hacked software] was. We were aware of its location. In that situation, we understood what we had to do.”
How can businesses make the buzzword a reality?
While many elements of zero trust aren’t new, integrating them into a coherent whole, according to cyber experts, is more difficult. It may include documenting all devices in a company, implementing multifactor or biometric authentication, monitoring connections in real time, tightening users’ access restrictions, separating networks into regions that may be isolated in the case of an attack, and cordoning off obsolete technology.
According to Selim Aissi, former chief information security officer at mortgage processing company Ellie Mae Inc., certain tasks, such as encrypting data, may be very simple ones. However, replacing outdated security technologies that aren’t intended for a more aggressive approach to dividing networks or monitoring data may be more expensive.
“Good luck with that if you have an outdated firewall technology,” Mr. Aissi added. “It’s tear and replace,” says the narrator.
“Technology and procedure cannot accomplish everything at the end of the day,” Mr. Aissi said, adding that organizations implementing such changes must also obtain worker buy-in.
What are the government agencies being asked to undertake by the Biden administration?
Federal agencies must establish an inventory of their devices, encrypt networks, and implement an authentication system enabling users to access apps via a single, secure sign-on by the end of fiscal year 2024, which ends Sept. 30. Officials must also consider all apps as internet-connected and enhance data monitoring across computer networks, according to the plan. Some departments, such as the Department of Defense, have already started to adopt similar measures.
The Cybersecurity and Infrastructure Security Agency will assist agencies in making security improvements and has issued its own guidelines on how to achieve zero trust. Nonetheless, CISA cautioned that many agencies may have to rebuild or replace much of their current information-technology infrastructure as a result of the endeavor.
CISA said, “The road to zero trust is a gradual process that will take years to achieve.”
The Office of Management and Budget did not estimate how much the move to zero trust would cost. In fiscal year 2022, the office ordered agencies to utilize existing money for improvements and to furnish OMB with budget projections for the next two fiscal years.
So, what’s next?
The Office of Management and Budget is accepting public opinions on its proposed zero-trust approach through September 21. CISA is accepting comments on its guidelines through October 1st.
Dow Jones & Company, Inc. All Rights Reserved. Copyright 2021 Dow Jones & Company, Inc. 87990cbe856818d5eddac44c7b1cdeb8
The zero trust architecture wikipedia is a term that is used to describe the approach of separating the information system from any other systems. This means that there are no trusted parties, and all access must be authenticated before it can be granted.
- zero trust reference architecture
- zero trust architecture pdf
- zero trust architecture diagram
- how to implement zero trust
- zero trust security ppt