Voices Of Government IT

If zero trust is a mindset, here’s how to get into it

You, as a cybersecurity practitioner, develop a zero trust architecture in the networks for which you are responsible. Does that mean you and your agency don’t trust your people?

No, no, no. It simply acknowledges that people make mistakes – for example, clicking on a malware-inducing link in an email. And that you only want the people you do trust to access critical assets, namely the data in your systems.

That’s according to Mathew Newfield, the chief information security officer at Unisys. In this interview, Newfield goes in depth on the zero trust idea and what cyber people need to do to achieve a zero trust state.

Essentially, Newfield says, zero trust is more an approach, a mindset, than a specific technology stack. It postulates that because intruders are likely to be inside your networks despite all of the firewalls and other measures in place, every request for data should be validated, regardless of source.

The zero trust approach is particularly indicated in the age of cloud and mobile computing, where assets like data and computing endpoints exist outside of an organization’s network perimeter, Newfield says.

Notwithstanding that zero trust isn’t something you download and install, certain technology approaches will enhance your ability to achieve it. Newfield mentions continuous monitoring of network activity, micro-segmentation to limit the reach of malware or human-directed hunting, and having a comprehensive database of all of the assets your agency is trying to protect.

Newfield also says that because cyber operators must assume unwanted activity and malware are on their networks, it follows that an orientation on prevention must give way to a response orientation. That is, fast discovery and mitigation of malicious activity.

To get to zero trust, Newfield says to plan on a four-year journey during which you can accrue security benefits from the outset.

Zero Trust Context

When I look at environments, when I look at technology, and when I look at protecting our organization, our brand, our people, and our data assets, we have to think differently. The intruders are already inside. We are intruders in our own environment.

Technical Requirements for Zero Trust

Zero trust is a pure mindset. The core of this is about having a mind-set change. You really want to look at your environment differently. It’s putting on a business lens when you think about the organization, instead of just a pure technology lens.

Micro-segmentation and Advice for a Zero Trust Environment

Really what you’re trying to do – [when] we talk about zero trust, talk about knowing your network, your environment and what’s supposed to communicate with what – that’s really at the core of what micro-segmentation is. It’s limiting your ‘east-west’ access to only those things that need to talk.

Copyright © 2020 Federal News Network. All rights reserved.