Zero Trust in the White House: Why it’s Time to Rethink Your Security Framework

All it took was one compromised corporate account and in 2021, US east coast oil supplies were impacted by the traumatic shutdown of Colonial Pipeline management systems as part of a major ransomware attack. This timeline of the events shows how quickly an attack can impact almost any business and have far wider implications.

In response, the US government declared a state of emergency. And in the aftermath, US security leaders focused on Zero Trust (aka perimeter-less, identity-focused security) as a must-have solution for critical infrastructure and federal agencies with enterprises not far behind, because traditional perimeter-based security is proving incapable of keeping out the bad guys.

Why the rush to Zero Trust?

Zero Trust is a decade-old idea whose time has come due to the increasing complexity of business networks, clouds, complex user bases and a hyper-aggressive criminal and state-sponsored hacking community. Some hacking groups operate in a highly professional, startup-like, manner with cutting-edge tools and smart tactics.

Adopting the Zero Trust framework helps businesses improve their overall defensive security posture, and while the US focus is on key defense and infrastructure, new guidelines apply to any size and type of business, especially those focused on operations.

With a deadline of 2024, agencies affected by the US government’s plans are being forced to identify a Zero Trust strategy leader and get an implementation plan in front of the Office of Management and Budget. Enterprises and companies around the world should be operating at the same tempo and with the same sense of urgency, as an automated hacker tool may be testing your business security at any time.

Why is there so much importance placed on Zero Trust?

Zero Trust became a high priority issue as traditional and even next-generation security tools fail to keep the hackers at bay. While most enterprises have a layered defensive approach to their IT security, key elements are still trusted, such as devices and admin accounts, that have too much power associated with them.

The hackers aim to use social engineering, brute force, or simply buying accounts, login details and passwords, with which they have the keys to any enterprise’s business-critical, financial or other data kingdom. Dynamically measuring trust and changes to that trust is a vital way to prevent a breach.

At the heart of Zero Trust are Identity Access Management (IAM) and perimeter-less security. By using Multi-Factor Authentication (MFA) combined with a robust risk scoring architecture, IT systems can ensure the identity of a user- this is how Zero Trust limits the damage any breach can cause to the bare minimum. For example, if one lower-end user who is only able to make edits to financial transaction records has their account compromised, there is no way the hacker can start syphoning money out of it.

Why Zero Trust is viewed as the future

If the US government is urging their IT partners and companies that do business with them to adopt Zero Trust, it makes sense for others to follow. The benefits, as part of that much-vaunted layered defense approach, help to reduce the impact of any breaches.

However, Zero Trust is not really a new weapon in the IT security arsenal. It’s been around a decade and evolved to act as a vendor-neutral method of ensuring a business remains secure, even as it scales and can have huge numbers of systems and workers.

But all the interest, rapidly growing adoption and results will have an impact beyond American government firms. Other agencies and businesses around the world will pick up on the value of Zero Trust, and as the level of awareness and education improves, it should filter in to become a standard part of IT security, helping automate account and credential management.

Yet, as with any IT effort, adding IAM and Zero Trust tools will require significant effort, especially for enterprises with extensive IT infrastructure. However, the sooner businesses get on with adopting Zero Trust, and get their heads out of the sand in many cases, the more secure they will be and the less risk of financial and reputational damage there is. And for those that work with the US government, or likely soon, any government – it will be a key part of being accepted for contracts.

Considerations for implementing Zero Trust and overcoming resistance

Some IT and security leaders may have doubts about Zero Trust models based on their experiences with early products and deployments. However, the evolution of services that are largely automated and use machine learning to identify new risks reduce the workload on teams and improve visibility into ongoing events with modern dashboards.

Users find that modern Zero Trust, PAM and IAM solutions are not as intrusive as first generation tools of their kind, and result in fewer complaints with a regular MFA or other login check the most they will notice, while in the background, multiple authentication checks take place.

Ultimately, Zero Trust is yet another evolution of IT security, but one that - once in place - will have minimal impact on IT and users, while adding a high level of user and data protection to keep businesses secure, whether or not they deal with government agencies. Zero Trust itself will evolve further with integrity monitoring and linking with new applications to ensure instant protection.