Most federal agencies are pursuing the zero trust model for their network architectures. The concept, which aims to remove inherent trust from network access as a means of reducing cybersecurity risk, is picking up speed.
Chase Cunningham, Forrester Research vice president and principal analyst serving security and risk professionals, said he has seen nearly triple the attention paid to zero trust at agencies since this time last year.
“A year ago, I was aware of about 10, maybe 12 different agencies that had sort of conversational projects going about zero trust,” he said on Federal Monthly Insights — Zero Trust Month. “Now fast forward, we’re talking about 44 federal agencies that have dedicated, line item funded tiger teams to go off and either research or start implementing zero trust strategically.”
Zero trust is not a single technology; it is embodied by a range of technologies, from strong identity and access management, microsegmentation and device health to data security and automation, Cunningham said. On the first point, identity and access management, he said weak usernames and passwords have been to blame for many an incident.
“So if we can eliminate those really easy overt problems with relatively binary solutions, like multi-factor authentication, single sign-on, out-of-band [authentication], those type of things, we may get where we don’t have to worry about the largest area of concern,” Cunningham said on Federal Drive with Tom Temin. “And that’s really the win that you’re trying to get to is not having to worry about easy problems. There should be honestly, with technology, there should be no reason to have bad usernames and passwords as the avenue compromising an enterprise anymore, not in 2020.”
Part of his research includes redefining “identity” for this era. As he put it, anything that touches a network or “can move electrons” has an identity, be that an internet of things device or a home thermostat, and such devices often have passwords of their own.
The goal, Cunningham said, is to reach zero trust without usernames and passwords at all, relying instead on biometrics and out-of-band authentication, and to support bring-your-own devices, or BYOD, within a security framework that is not such a hindrance to users.
“And honestly, the fact that we’re in a cycle right now, where everyone is being told across the country to work from home, means that all these organizations have to figure out how to do this at speed and scale. Personally, I think this is the perfect use case, for BYOD and for zero trust for the workforce,” he said.
The coronavirus may have magnified telework for federal agencies and large corporations, but in truth these entities have been moving in that direction for about a decade, he said. Virtual private networks have been the usual way to facilitate that shift, but they have also been a source of compromise, and Cunningham argued for their demise in the name of establishing zero trust. Weak passwords, combined with remote workforces and exploited endpoints, turn the VPN itself into an avenue into the enterprise.
“What we want to get to is where we’re using virtualized infrastructure and software defined networking to push the controls of Enterprise Security out to the endpoint. And the user never has to do VPN. And if you do that, you again eliminated larger compromised,” he said. “So it’s achievable, and there are technologies that enable it, but it is not legacy VPN.”
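The two ideas above, identity plus device health replacing the network as the basis for trust, and per-resource access that makes the VPN tunnel irrelevant, are easier to see in code than in prose. The following is an added example written for this page, not code from the article, from Forrester or from any agency program. It is a small per-request policy engine: each request carries who is asking (and whether that authentication was multi-factor and how old it is), what device it comes from and its health, and which resource is wanted. The policy evaluates all of those and deliberately never looks at the source network, so "connected to the corporate VPN" grants nothing by itself. The resource names, role names, device fields, thresholds and user scenarios are all assumptions chosen for illustration.

```python
"""Added example: a zero trust per-request access decision (illustrative, not a real product)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Identity:
    subject: str
    mfa_verified: bool          # did the session pass a second factor?
    auth_time: datetime         # when that authentication happened
    roles: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # enrolled in enterprise device management
    disk_encrypted: bool
    edr_healthy: bool           # endpoint agent reporting and not alerting
    patch_age_days: int         # days since the OS patch level was last confirmed


@dataclass(frozen=True)
class AccessRequest:
    identity: Identity
    device: Device
    resource: str
    source_network: str         # "corp-vpn", "home-isp", ...: carried for logging, never trusted
    now: datetime


# Per-resource policy (assumed values): who may reach it, whether a managed device is
# required, how fresh the multi-factor authentication must be, and how current the patch level.
RESOURCE_POLICY = {
    "payroll-db": {"roles": {"hr", "finance"}, "managed_only": True,
                   "max_auth_age": timedelta(minutes=15), "max_patch_age_days": 14},
    "wiki":       {"roles": {"employee", "hr", "finance"}, "managed_only": False,
                   "max_auth_age": timedelta(hours=12), "max_patch_age_days": 60},
}


def device_findings(dev: Device, max_patch_age_days: int) -> list[str]:
    """Return the device-health checks that fail (empty list means healthy)."""
    findings = []
    if not dev.disk_encrypted:
        findings.append("device: disk not encrypted")
    if not dev.edr_healthy:
        findings.append("device: endpoint agent unhealthy")
    if dev.patch_age_days > max_patch_age_days:
        findings.append(f"device: patch level older than {max_patch_age_days} days")
    return findings


def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Evaluate one request. Every check must pass; req.source_network is never consulted."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return "DENY", ["resource: no policy defined (default deny)"]
    ident, dev = req.identity, req.device
    reasons = []
    if not ident.mfa_verified:
        reasons.append("identity: multi-factor authentication not satisfied")
    if req.now - ident.auth_time > policy["max_auth_age"]:
        reasons.append("identity: authentication too old, step-up required")
    if not (ident.roles & policy["roles"]):
        reasons.append("identity: no role grants access to this resource")
    if policy["managed_only"] and not dev.managed:
        reasons.append("device: unmanaged device may not reach this resource")
    reasons.extend(device_findings(dev, policy["max_patch_age_days"]))
    if reasons:
        return "DENY", reasons
    return "ALLOW", [f"{ident.subject} on {dev.device_id} -> {req.resource}"]


# Constructed scenarios; the users, devices and networks below are made up for the example.
NOW = datetime(2020, 4, 1, 9, 0, tzinfo=timezone.utc)


def sample_decisions() -> dict[str, tuple[str, list[str]]]:
    alice = Identity("alice", True, NOW - timedelta(minutes=5), frozenset({"finance"}))
    alice_stale = Identity("alice", True, NOW - timedelta(hours=3), frozenset({"finance"}))
    bob = Identity("bob", False, NOW - timedelta(minutes=1), frozenset({"finance"}))
    laptop = Device("lt-0042", managed=True, disk_encrypted=True, edr_healthy=True, patch_age_days=3)
    home_pc = Device("byod-7", managed=False, disk_encrypted=True, edr_healthy=True, patch_age_days=3)
    return {
        # Strong identity + healthy managed device from a home ISP: allowed without any VPN.
        "alice_payroll_from_home": decide(AccessRequest(alice, laptop, "payroll-db", "home-isp", NOW)),
        # Sitting on the corporate VPN buys nothing when MFA was not satisfied.
        "bob_payroll_on_vpn": decide(AccessRequest(bob, laptop, "payroll-db", "corp-vpn", NOW)),
        # Same user and device, but the authentication is too old for a sensitive resource.
        "alice_stale_payroll": decide(AccessRequest(alice_stale, laptop, "payroll-db", "corp-vpn", NOW)),
        # BYOD is fine for a low-sensitivity resource...
        "alice_byod_wiki": decide(AccessRequest(alice, home_pc, "wiki", "home-isp", NOW)),
        # ...but not for one whose policy requires a managed device, VPN or not.
        "alice_byod_payroll": decide(AccessRequest(alice, home_pc, "payroll-db", "corp-vpn", NOW)),
    }


if __name__ == "__main__":
    for name, (verdict, why) in sample_decisions().items():
        print(f"{name}: {verdict} ({'; '.join(why)})")
```

The design choice worth noting is that `decide` returns every failing reason rather than stopping at the first one, so the denial can drive a step-up prompt (re-authenticate) or a remediation message (patch the device) instead of an opaque block, and that the source network is carried only for logging. Replacing the fixed policy table with a policy-as-code engine and the hard-coded device fields with a real posture feed is where a production deployment would diverge from this sketch.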