Insight by Pluralsight

Demystifying zero trust

Zero trust often gets grouped in with artificial intelligence, machine learning and other buzzwords. But unlike technology solutions that have their moment and fade away, zero trust has the full weight of an executive order and various other high-level guidance behind it. What it’s lacking, though, is guidance for how to implement it.


What really makes zero trust different is the granularity of its requirements. Take, for example, access control. Traditionally, an organization will have role-based access control; that is, individuals in certain roles have access to certain things aligned with those roles. But new zero trust guidance tells agencies to implement attribute-based controls. So instead of filing an employee under the human resources purview, or the operator purview, employees are instead evaluated based on multiple attributes like what time they’re accessing the system, what applications they are trying to access and whether they should have that access.

But the problem with the zero trust executive order and memo is that in order to meet the aggressive deadlines set forth in the guidance, many agencies are doing the bare minimum to achieve the necessary compliance.

“There are a lot of really good security practices throughout this memo that these agencies probably should have already been implementing. If they haven’t already, they should be taking it a lot more seriously,” said Brandon DeVault, senior security author at Pluralsight and part-time tech sergeant with the Air National Guard.

The biggest problem here, DeVault said, is that agencies largely lack the expertise they need to do this the right way. There are a number of free resources available that can teach federal employees what they need to know, but most agencies are understaffed and under-resourced, and the average fed just isn’t able to spend the necessary time chasing down the resources.

That’s where public-private partnerships can help. While YouTube videos and free courses that can train federal employees do exist, DeVault said often it can take hours just to locate a relevant resource. That’s one benefit the private sector can offer: a centralized repository of proven, relevant training materials.

“I think a lot of agencies will view this as a heavy lift in addition to their standard day-to-day workloads,” DeVault said. “But if done right, most of these concepts like automation and efficiency throughout the zero trust implementation will save time in the long run. And those savings are compounded when you consider the cost of recovering from a major breach. Zero trust is in many ways a force multiplier for a strained workforce.”

One of the keys to understanding zero trust is that, while the Cybersecurity and Infrastructure Security Agency breaks it into five pillars, every aspect of a zero trust architecture is intertwined. It can’t just be followed like a checklist; agencies can’t implement identity controls this month and device controls next month. For example, a good inventory of devices also requires knowing the appropriate level of access those devices need, which plays directly into identity.

Ultimately, though, there’s nothing groundbreaking in the White House’s zero trust guidance, DeVault said. Zero trust doesn’t invent any new concepts or implementations. It doesn’t require agencies to go out and buy a zero trust solution. Rather, it’s a mindset of adopting and implementing security solutions that agencies should already be using, and integrating them across the enterprise.

“So my advice is to review the memo and clearly define who the stakeholders are for implementing each of the tasks, because it’s going to be system administrators, network administrators, your security team, it’s going to be anybody who’s working on architecture and cloud. Make sure that each one of those stakeholders understands what part of implementing the memo they’re responsible for,” DeVault said. “This shouldn’t be overwhelming to an agency. By getting started today, defining key stakeholders and ensuring your workforce has the resources to upskill in the critical areas of implementation, you will be well on your way to ensuring zero trust compliance by the deadline.”