Insight by VMware

Zero Trust Cyber Exchange: VMware’s Andrew Osborn suggests starting with a data inventory

The Biden administration has elevated the role of zero trust in federal cybersecurity, but the concept stood out as an industry best practice well before any mandates took shape within the federal government.

Andrew Osborn, staff tech marketing architect for public sector at VMware, said the need to implement a zero trust model has been clear for quite a while.

“That’s because of the pervasive nature of the adversaries. Ultimately, the standard castle-moat model has...

READ MORE

Shape

Zero Cyber Trust Exchange: VMware

Ultimately, the standard castle-moat model has not been working very well, and we’ve been finding that time and time again, the intruder has found ways through.

The Biden administration has elevated the role of zero trust in federal cybersecurity, but the concept stood out as an industry best practice well before any mandates took shape within the federal government.

Andrew Osborn, staff tech marketing architect for public sector at VMware, said the need to implement a zero trust model has been clear for quite a while.

“That’s because of the pervasive nature of the adversaries. Ultimately, the standard castle-moat model has not been working very well, and we’ve been finding that time and time again, the intruder has found ways through,” Osborn said during Federal News Network’s Zero Trust Cyber Exchange.

Supply-chain attacks such as the SolarWinds breach led to major disruptions, both in and out of government, and underscored the need to move beyond a traditional perimeter defense model for cybersecurity.

Expect the breach

“Ultimately, what we have to presume is that the intruder’s going to get up through the middle of the castle, up through the water well, and come right out like a Trojan horse in the middle of your area and may even look cloaked like one of your own folks walking around inside the castle,” Osborn said. “If you have that scenario happen to you, it’s a real challenge if you’re using the perimeter defense model to not only exfiltrate or remove them from your premises, but even knowing they’re there.”

To implement a zero trust strategy successfully, Osborn said agencies need to start by inventorying their data.

“Everything that’s requesting data or exchange of data, you certainly would need to start there. That would be a first phase,” he said, adding that agencies should include both users in the trenches and also management so everyone is “on the same page.”

Agencies inventorying their data should have a full understanding of what the organization’s “crown jewels,” in terms of data assets, as well as what devices have access to which data, Osborn said. He further recommended that agencies should inventory existing cyber tools that they already have in their arsenal to lay the groundwork for that initial phase of  deploying  zero trust.

Focus on data because your adversaries will

“Ultimately, the intruder or the malicious actor is trying to either deny individuals or even autonomous systems access to data or they’re trying to steal it — or even modify it and make it to where it is not reliable data,” Osborn said. “Any one of those scenarios are ultimately the core constructs of the model. So if you don’t understand what data you have … then that is going to be your first struggle.”

While data and devices are key pillars of any successful zero trust strategy, Osborn said agencies also need to overcome culture change.

“Zero trust is indeed a distrust of all entities, all things. It is truly zero trust — you trust nothing. … It’s not just trust but verify,” he said. “You are going to verify before trusting and in every direction, both ingress and egress — from A to Z and Z to A — in a continual manner.”

To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page. You can also find additional VMware zero trust guidance at VMware | TechZone Zero Trust Portal.