How zero trust solves the 'weakest link' problem
Our ability to both defend against and recover from cyberattacks is improving globally and across the federal government. However, adversaries are moving aggressively to attack us through different means.
That is the topline finding from the Third Annual State of Federal Cyber Resilience Report. Our global sample shows the number of direct cyberattacks and breaches both declined year-over-year with successful attacks dropping 27%. Within the federal government, security breaches dropped 43% despite facing an increase in the number of targeted attacks.
What's more, our research found there is a group of standout organizations that appear to have cracked the cybersecurity code for effective outcomes through innovation. Detailed modeling of cybersecurity performance has identified an elite group — 17% of the global respondents and 28% of federal respondents — that achieve significantly higher levels of performance compared to the rest. Specifically, they were four times better at stopping attacks and finding breaches, three times better at fixing breaches and two times better at reducing the impact of breaches. As a result, they were able to reduce the average cost of resolving security breach from $380,000 to $107,000.
That's the upside. What's concerning is the adversaries are adapting and increasingly focusing their attacks via indirect channels through third parties and supply chains. As federal leaders harden their cyber security postures, the enemy is moving to the take advantage of the weakest link.
The new threat
Given that federal leaders have done a good job managing the threat against their core systems and networks, the evolving cyber threat is exposing vulnerabilities in these outside networks, which are often the least resilient to withstand a cyberattack. Specifically, our research found that 45% of reported federal breaches and 40% globally came from indirect channels. These critical third parties include contractors, suppliers, state and local governments, research institutions and universities, and other non-governmental organizations.
Furthermore, with the rapid shift to teleworking due to the COVID-19 pandemic, another front has opened, which are the millions of federal workers now working from home. Their home network environments are most likely less secure and more exposed than well-protected agency networks.
Federal leaders recognize this threat with 85% of federal respondents (and 83% globally) agreeing that their organizations need to think beyond securing their enterprises and take steps to secure their ecosystems to be effective. And Zero trust is one way that federal organizations can more effectively deal with the third-party threat.
Enter zero trust
Zero trust addresses these uncertain times we're in by leaving nothing to chance. With Zero trust networks, the perimeter moves from the traditional firewall perimeter closer to where the data resides, on cell phones and other digital devices connected to federal networks. The new, cloud-based reality requires a remote-access approach that uses micro-segmentation to bolster protections and improve visibility. Zero trust not only monitors an organization's total digital assets, but also considers the people who attempt to connect to those assets and the processes for them to do so.
Zero trust is an innovative, agile security strategy and architecture design methodology, backed by the National Institute of Standards and Technology (NIST), that increases security on networking architectures by assuming the worst-case scenario -- that everyone is a potential threat -- independent of whether they have log-in credentials or are unknown and scoping another way into mission-critical systems. Under zero trust, networks users are continuously authenticated. It's not one product or platform, but rather a modernized cybersecurity architecture that combines security technologies that work in harmony to significantly boost an organization's cybersecurity posture and reduce risks.
The security methodology achieves this by grouping users, devices, data and services in separate categories inside of a trust framework. Zero trust elevates a traditional security posture from one that makes all of an organization's assets available to the workforce to one that implements a continuous authentication and authorization process for workers or contractors to gain access to a particular digital asset.
Essentially, a zero trust environment restricts what employees, contractors or other third parties can do and touch. It limits the potential damage an insider or outsider can cause by segmenting their accesses to only those assets that are allowed by their credentials and permissions to accomplish their jobs.
Zero trust doesn't require federal agencies to replace their existing networks or acquire a ton of new technologies. In fact, it works as effectively when it augments other cybersecurity tools and strategies. Along this vein, many government agencies currently have components of zero trust already in their infrastructure, including identity credential and access management (ICAM) and continuous monitoring, so moving to a comprehensive zero trust model would just strengthen what is already there. On top of this, NIST recently released new zero-trust architecture guidance, which is intended to provide a "road map to migrate and deploy zero trust security concepts to an enterprise environment."
But, it's not just about technology. Implementing zero trust requires agencies to establish clear policies, procedures, and processes. For example, an executive-level data governance board comprised of mission, IT, and cybersecurity leadership is essential to decide and enforce data security and access control rules for the enterprise.
When zero trust development is coordinated with the mission, it becomes transparent to the users. It functions under the covers ensuring that the users have seamless access to the data and applications they need to do their jobs. Done well, it becomes a mission enabler as well as a security enhancer. As agencies mature their zero trust capabilities and artificial intelligence algorithms increasingly make automated access decisions, the partnership with the mission/business side will be even more essential in setting up the policies and rules that drive smart access to different data.
The way ahead
Zero trust can help agencies achieve the goal of cyber resilience. However, implementing zero trust is not something that can be just handled by an agency's technologists. With so much at stake, rolling out the model will require buy in and coordination from leadership and stakeholders across the organization.
To make zero trust successful, federal agencies should take an incremental approach to implementation. First, identify a key mission partner to be the initial stakeholder. Analyze and understand that mission's activities. Identify their data and application requirements and map their data flows. Second, conduct a gap analysis of the existing cyber security infrastructure to identify missing zero trust components. Third, develop an implementation road map, starting with the identified mission partner, but with a plan to extend to the whole agency. Finally, socialize a zero trust mindset. As always, change management thrives with active communication and stakeholder engagement.