The Pentagon has released its updated zero-trust strategy. Specifically, the strategy lays out the Pentagon’s approach to realizing zero trust, which includes over a hundred activities and ‘pillars’, including applications, automation and analytics, which serve to keep critical data secure.
Officials have set a five-year deadline to implement effective zero-trust solutions. The updates respond to the continuously improving and evolving cyber capabilities of other nation states. The United States is meeting the cyber security challenge head-on by updating zero trust, a trust-and-verify approach. We heard from top cybersecurity strategists on what this news means for the public sector.
Arti Raman (she/her), founder and CEO of Titaniam
"In the last 18 months, we have witnessed 4,000 cyberattacks across the world. Despite all the investment that has gone into cybersecurity globally, it is clear that our toolset is not yet complete. With more and more companies moving towards data-driven processes, the volume of personally identifiable information (PII) ingested and processed by companies is growing exponentially.
Organizations are consuming massive amounts of personal data that is directly tied to everyday people, and they’re often utilizing cloud-based services to help store them. This poses additional security concerns. When the data involved is government data, security concerns become even larger. The Biden administration recognized this need and as a response last year, we saw the administration’s Executive Order on Improving the Nation’s Cybersecurity. More recently, we saw the White House hosting its 2nd International Counter Ransomware Summit, where top national and global officials and representatives from some of the largest technology companies came together to discuss the next steps.
While cybersecurity is a complex issue, a direct route to solving malicious attacks is to create strong guardrails around our sensitive data. Most often, sensitive data compromise comes from cybercriminals using privileged credentials to access data repositories. Unfortunately, in such scenarios, traditional methods of data security such as encryption-at-rest fail to prevent data compromise because these controls cannot distinguish legitimate users from attackers with stolen credentials. One of the most effective solutions to eliminate data compromise and implement true zero trust for data is encryption-in-use or data-in-use encryption. We recommend U.S. businesses and government agencies consider data-in-use encryption because data and IP are encrypted and protected even when they are being actively utilized, neutralizing all possible data-related leverage that attackers could gain, and limiting the blast radius of cyberattacks. Encryption-in-use is one of the strongest and most effective guardrails that can be implemented toward zero-trust data security."
Gal Helemski, CTO/CPO, PlainID
"Seeing the Pentagon reinforce their security strategy is a positive sign. The government holds the most sensitive data out there, and in today’s world, you cannot put your trust in any static, perimeter-based security system. Every single data access needs to be assessed in real-time with a specific context of who is accessing what data, from where, and how. This will massively improve the cybersecurity capabilities of these three federal agencies.
Everyone must realize, the key to defending an organization from future cyberattacks is protecting the data and the applications, by ensuring that even if a bad actor (which can be a federal employee sometimes) has gained access credentials, they don't have automatic access to any or all data. To quote from the memorandum: "Authorization, a critical aspect of zero trust architecture, is the process of granting an authenticated entity access to resources. Authentication helps ensure that the user accessing a system is who they claim to be; authorization determines what that user has permission to do."
Let's face it, zero-trust is the only way to secure a modern, decentralized enterprise, in which data and applications are accessed from anywhere by employees, customers and partners."
Justin McCarthy, Co-Founder/CTO, StrongDM
“With the rise of remote and hybrid working, the traditional perimeter as we know it is gone. That is why Zero Trust Architecture and networks are so important for a company’s cybersecurity strategy.
At its essence, Zero Trust helps reduce security breaches by removing implicit trust from your system’s architecture. Unlike traditional security, with Zero Trust, each access point must be validated before a user is trusted and given access within the network.
Zero Trust security believes that a breach will inevitably occur in addition to acknowledging that threats exist both inside and outside of the network. Because of this, it continuously scans for malicious behavior and restricts user access to what is necessary to complete the task. In addition, users (including potential bad actors) are prevented from navigating the network laterally and accessing any unrestricted data.
Some may say that Zero Trust will hinder productivity, which could be the case if backend management processes and governance operations are granted manually. But it’s the opposite if you have the right tools to make it easy to grant access and audit access control. The result of Zero Trust architecture, especially when it comes to improving the nation’s cybersecurity, is higher overall levels of security, easy accessibility and reduced operational overhead.”