FedInsights by Palo Alto Networks

The zero trust approach to cyber starts from the inside

John Davis, the vice president of public sector for Palo Alto Networks, said those key concepts that will move agencies toward a zero trust approach include...

Shape

The Concept of Zero Trust

If you look at the marketplace of technology and the dynamics that have been happening for the last 10-15 years, everything is moving in a direction that is bringing more and more opportunities and benefits, especially in the social and economic arenas. But with that growth, there’s always a dark side and that’s risks and threats that are associated with this rapid growth.

Shape

Challenges in Implementing a Zero Trust Model

The use of automation and software-based advanced analytics, like machine learning, big data, deep learning, behavior analytics and artificial intelligence, when we fully mature that will help us fight the bad actors. They are using that already and industry has learned how to use that in defense. That is where industry can really help government agencies in the areas of automation because you have to fight machines with machines and you have to fight software with software. We will never have enough people to solve this problem using people alone in a very response oriented methodology.

For the last year, the concept called zero trust has been one of those buzz words. Every agency chief information officer, chief information security officer (CISO) and vendor talked about this approach to cybersecurity, and about how over time, shifting to a zero trust architecture would provide them with a more rigorous approach to network, system and data security.

But like any security tool or concept before, zero trust is not a panacea to all of the federal government cybersecurity challenges.

What zero trust is, according to Forrester Research, is a set of robust detection and incident response capabilities to protect your vital digital assets.

The industry government group ACT-IAC released a white paper in 2019 on zero trust and offered more focused view of the concept. In it, the public-private working group recognized that zero trust is a security concept anchored on the principle that organizations need to proactively control all interactions between people, data and information systems to reduce security risks to acceptable levels. They also highlighted that an important aspect of this approach, the current set of tools many agencies are using can play a big role in the zero trust architecture.

Agencies must take specific steps to move down the path toward creating a zero trust environment, while avoiding the potholes and keeping certain core concepts t front of mind.

John Davis, the vice president of public sector for Palo Alto Networks, said those key concepts that will move agencies toward a zero trust approach include protecting from the inside out versus the outside in, which has been the case for much of the past three decades.

“That means if you take an inside out approach, then you have to figure out what is it that is important to my business or mission to protect,” Davis said on the Innovation in Government show. “This is called a protect surface and making sure you are able to have fine granular controls, visibilities and protections, around that protect surfaces. To me, zero trust is really about ensuring only authorized users are allowed to do authorized functions using authorized applications with authorized content from authorized devices, and anything else is not allowed unless you make an exception for it.”

Under this architecture, Davis said it means agencies and organizations have to define the roles and responsibilities for each user.

For the last three-plus years, the Office of Management and Budget has emphasized agencies should identify and focus protections on their high-valued assets. In the 2018 memo, OMB expanded the definition of HVAs and refined the process to identify and secure the data and applications.

While agency efforts to protect their high value assets are a bit uneven, Davis said the theory that you can’t protect everything is one nearly every organization understands especially as the threats and attacks continue to grow.

“If you look at the marketplace of technology and the dynamics that have been happening for the last 10-15 years, everything is moving in a direction that is bringing more and more opportunities and benefits, especially in the social and economic arenas. But with that growth, there’s always a dark side and that’s risks and threats that are associated with this rapid growth,” he said. “What makes that even more dramatic, if you look at this phenomena of the internet of things where we are connecting everything to this IT environment, and you look at the growth of 5G technologies, so you are now talking about not just scale, but speed with being able to connect to these things. That means the attack surface…is growing exponentially.”

Davis said beyond speed and scale, there are the consequences and real impact of attacks against this broad attack surface from nation states and criminal organizations.

“Now you are putting mass transit systems at risk, you are putting potentially life-sustaining devices at risk. So for me, the thing I worry about and as someone who has been in the national security community, the military, for 35 years, it’s not hyperbole to say the path we are on could put people’s lives at risk if we don’t bake in security as we look at this technology,” he said. “We are at a critical point now where we need to absolutely do that.”

Davis said the move to zero trust becomes even more important as attackers are getting better because of tool sharing and automation, which provides them with greater speed and scale.

Another important factor in moving toward this zero trust architecture is the government’s partnership with industry, especially around threat intelligence sharing and innovation in the cybersecurity sector.

“The use of automation and software-based advanced analytics, like machine learning, big data, deep learning, behavior analytics and artificial intelligence, when we fully mature that will help us fight the bad actors. They are using that already and industry has learned how to use that in defense,” Davis said. “That is where industry can really help government agencies in the areas of automation because you have to fight machines with machines and you have to fight software with software. We will never have enough people to solve this problem using people alone in a very response oriented methodology.”

Davis emphasized that zero trust is not a product, but a journey that is dynamic and combines people and technology.

“The challenge of being able to see and stop a threat as it goes through the attack process, if you can have visibility and security controls or protections at the right places in an enterprise environment you are able to turn that around where the defender has to be right every time and the attacker has to be right only once,” he said. “Now [with zero trust] the attacker has to be right at every one of those steps before they have a successful outcome. The defender only has to see and stop them at one of those steps along the process.”

 

About Palo Alto Networks:

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world’s greatest security challenges with continuous innovation that seizes the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices. Our vision is a world where each day is safer and more secure than the one before. For more information, visit www.paloaltonetworks.com.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories