You, as a cybersecurity practitioner, develop a zero trust architecture in the networks for which you are responsible. Does that mean you and your agency don’t trust your people?
No, no, no. It simply acknowledges that people make mistakes – for example, clicking on a malware-inducing link in an email. And that you only want the people you do trust to access critical assets, namely the data in your systems.
That’s according to Mathew Newfield, the chief information security officer at Unisys. In this interview, Newfield goes in depth on the zero trust idea and what cyber people need to do to achieve a zero trust state.
Essentially, Newfield says, zero trust is more an approach, a mindset, than a specific technology stack. It postulates that because intruders are likely to be inside your networks despite all of the firewalls and other measures in place, every request for data should be validated, regardless of source.
The zero trust approach is particularly indicated in the age of cloud and mobile computing, where assets like data and computing endpoints exist outside of an organization’s network perimeter, Newfield says.
Notwithstanding that zero trust isn’t something you download and install, certain technology approaches will enhance your ability to achieve it. Newfield mentions continuous monitoring of network activity, micro-segmentation to limit the reach of malware or human-directed hunting, and having a comprehensive database of all of the assets your agency is trying to protect.
Newfield also says that because cyber operators must assume unwanted activity and malware are on their networks, it follows that an orientation on prevention must give way to a response orientation. That is, fast discovery and mitigation of malicious activity.
To get to zero trust, Newfield says to plan on a four-year journey during which you can accrue security benefits from the outset.
Zero Trust Context
When I look at environments, when I look at technology, and when I look at protecting our organization, our brand, our people, and our data assets, we have to think differently. The intruders are already inside. We are intruders in our own environment.
Chief Information Security Officer, Unisys
Technical Requirements for Zero Trust
Zero trust is a pure mindset. The core of this is about having a mindset change. You really want to look at your environment differently. It’s putting on a business lens when you think about the organization, instead of just a pure technology lens.
Chief Information Security Officer, Unisys
Micro-segmentation and Advice for a Zero Trust Environment
Really what you’re trying to do – [when] we talk about zero trust, talk about knowing your network, your environment and what’s supposed to communicate with what – that’s really at the core of what micro-segmentation is. It’s limiting your ‘east-west’ access to only those things that need to talk.
Mathew Newfield joined the Unisys leadership team as the Corporate Chief Information Security Officer in March 2018. He leads the Unisys Corporate Information Security team with responsibility for design, development, and implementation of the company's corporate information security and risk programs across all regions and functions. Mathew has over 19 years of experience in Information Technology with a focus on Security, Software as a Service Operations, Risk Auditing and Management, and international Mergers and Acquisitions.
Prior to joining Unisys, he was the Director of Global Managed Security Services for IBM where he had responsibility for delivery services in 133 countries and managed a staff of 1,500 security professionals. Mathew led the Managed Security Practice that performed Device Management, Threat Intelligence, Managed Security Information and Event Management, Account Governance, Project Management, Deployment Services, New Service Integration Business Operations, Compliance/Governance and Architecture Services. Mathew was also the Business Unit Information Security Officer and Global Process Officer for IBM's Security Services Organization. During his time at IBM, Mathew streamlined operational processes and developed cost reduction methodologies that improved cost control, profitability, and client delivery. Prior to IBM, Mathew held senior security leadership roles at Cybertrust, RSA, and DDC Advocacy.
Mathew is a published author on topics related to security, a speaker on cybersecurity, and has been an instructor at the SANS Institute. In addition, he holds a Bachelor of Science degree in Industrial and Organizational Psychology from George Mason University.
Tom Temin has been the host of the Federal Drive since 2006. Tom has been reporting on and providing insight to technology markets for more than 30 years. Prior to joining Federal News Radio, Tom was a long-serving editor-in-chief of Government Computer News and Washington Technology magazines. Tom also contributes a regular column on government information technology.