Zero trust has become a major area of focus for the U.S. government in the last few years. As federal agencies move to the cloud, extend capabilities to the tactical edge and accelerate their modernization efforts, zero trust is changing the way our country’s critical infrastructure, assets and data are protected.
Learn more about zero trust and how it’s connected to the U.S. government’s cloud migration efforts during the ExecutiveBiz Cloud Security Forum on March 22, 2023. David McKeown, the DOD’s deputy chief information officer for cybersecurity and senior information security officer, will keynote. Register here.
What is Zero Trust?
As defined by the National Institute of Standards and Technology, zero trust is a “cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”
A zero trust approach ditches the outdated castle-and-moat model of security and instead implements a “never trust, always verify” model that assumes an adversary is already on an organization’s network and heavily restricts lateral movement.
Zero trust narrows cyber defenses from wide network perimeters to small groups of resources — this is particularly critical during an era in which cloud environments and remote users are expanding and even eliminating the traditional physical security perimeters organizations employed even just ten years ago.
Paul Martini, CEO of iboss, noted that this transition to a newer, more updated security approach is necessary as organizational boundaries shift. “Software has now moved to the cloud. Today, there is no notion of a perimeter, so the model of how you protect these applications needed to change,” said Martini of the emergence of zero trust.
NIST 800-207
NIST’s Special Publication 800-207, released in 2020, established an abstract definition of zero trust, and it also outlined general deployment models, use cases and a high-level roadmap to implementing zero trust architectures.
According to Martini, the first steps in any organization’s zero trust adoption should be defining what zero trust means for them and leveraging the guidance provided by NIST.
“NIST 800-207 is an explicit framework that can get you to a better place. NIST tells you exactly how to connect your devices, how to connect your resources — they tell you all of the requirements you need to meet,” Martini said.
U.S. Government’s Response to ZT
In May 2021, President Biden issued a call to action across the federal government with the issuance of his executive order on improving the nation’s cybersecurity. Among the many cybersecurity initiatives within the EO was a directive for federal agencies to adopt a Zero Trust Architecture.
Following the EO, a September 2021 memorandum from the Office of Management and Budget required agencies to meet five specific zero trust security goals by the end of fiscal year 2024.
Most recently, the Department of Defense released its Zero Trust Strategy and Roadmap in November 2022. David McKeown, DOD principal deputy CIO, said the strategy articulates the “how” of fully moving to a zero trust architecture by 2027 — an effort which the department has spent a year thus far developing plans for.
Hear David McKeown speak on zero trust, cloud migration and other timely topics during the Cloud Security Forum hosted by ExecutiveBiz on March 22.
