It may have been mere coincidence or a direct consequence, but the recent cyber attack on Microsoft Exchange servers and last year’s lethal SolarWinds intrusion have potentially created a major shift in the U.S. federal government’s security strategy.
According to an article in FCW, during a hearing with U.S. senators on March 18, federal chief information security officer Chris DeRusha said that the White House “will push federal agencies to start moving toward a new Zero Trust paradigm.
“In this new model, real-time authentication tests users, blocks suspicious activity and prevents adversaries from the kind of privilege escalation that was demonstrated in the SolarWinds incident.”
Dr. Chase Cunningham, a leading cybersecurity expert and originator of Forrester’s ZTX Zero Trust Extended Framework, described his comments as “significant.
“Many of the tools we need to implement this model already exist within industry and agency environments, but successful implementation will require a shift in mindset and focus at all levels within federal agencies,” he stated following DeRusha’s appearance in the U.S. Senate.
“He is absolutely right. This is about using the tools and technologies that can help us align our overall approach to the problem and not about more technology. Strategy, then technology followed by more strategy will win the good fight.”
In February, DeRusha, who at the time was CISO for the state of Michigan, told a U.S. Senate committee on homeland security and governmental affairs that “attacks on government organizations at all levels continue to increase and demonstrate the ever-expanding capacity of our adversaries.
“State of Michigan firewalls repel over 90 million potentially malicious probes and actions every day, and we are not unique. To defend our networks and the data entrusted to us by our residents, state and local cybersecurity leaders are taking proactive steps to improve protections.”
Now, no credible security expert is suggesting a Zero Trust initiative could have completely prevented the SolarWinds attack or the recent Molson-Coors hack, but what they are saying is that, moving forward, it can certainly help organizations of all sizes and scopes, public or private, minimize risk.
This is especially true when it comes to the protection of data.
The concept of a Zero Trust (ZT) cybersecurity architecture has been around for more than a decade. However, adoption didn’t really begin to take hold until the past couple of years. As with many technological innovations, it hasn’t always been clear just what Zero Trust is all about and, more importantly, how to implement Zero Trust easily and cost-effectively.
The principles of Zero Trust are simple. Never trust, always verify. In practice, that means each user must be verified before access is granted to any resource. Every request from every user, inside or outside of your security perimeter, must be authenticated, authorized and encrypted, in real time.
FileFlex Enterprise, a Zero Trust Data Access (ZTDA) platform, provides secure sharing of confidential files within the app itself via secure encrypted channels, instead of sharing files via vulnerable email attachments or syncing and duplicating them in the cloud, which increases the attack surface area. Authentication and authorization are strictly enforced before access and sharing are allowed, and access is granted on a per-session basis.
Attachments, which clearly create a risk area, are a fundamental way for hackers to infiltrate a system, but through FileFlex Enterprise, IT controls sharing permissions and user permissions over all storage locations, down to file-level granularity. The administrative console includes a view of all activities of all users that can be monitored in real time or exported to security information and event management (SIEM) software.
Access and sharing can be revoked at any time on an individual contact, user, or file-by-file basis. In addition, double encryption will ensure that the transmitted data is encrypted all the way through from sender to receiver and can never be intercepted at the server level.
FileFlex Enterprise augments traditional perimeter-based security by always authenticating and always verifying all transactions, all the time, with a “never trust, always verify” model in which access to data can be as granular as a single file, protecting against unauthorized access to the organization’s infrastructure.
The underlying principles of ZTDA are as follows:
- Grant micro-segmented access to data (as opposed to protecting a perimeter).
- Every transaction and every user are authorized and authenticated, every time.
- Access and Sharing policies can be customized on a user-by-user and file-by-file basis.
- All transactions by all users are tracked and monitored.
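The four principles above can be read as one per-request decision function. The sketch below is an added illustration, not FileFlex code: `PolicyDecisionPoint`, its methods, and the token format are hypothetical names chosen here, and user names are assumed not to contain `|`.

```python
import hashlib, hmac, time
from dataclasses import dataclass, field

@dataclass
class PolicyDecisionPoint:
    """Hypothetical per-request gate: authenticate, authorize, audit."""
    key: bytes                                   # signs session tokens
    grants: set = field(default_factory=set)     # {(user, file_path)} file-level grants
    audit_log: list = field(default_factory=list)

    def _tag(self, user: str, expires: int) -> str:
        msg = f"{user}|{expires}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue_session(self, user: str, ttl: int = 300, now=None) -> str:
        """Short-lived token: access is granted per session, not forever."""
        expires = int((time.time() if now is None else now) + ttl)
        return f"{user}|{expires}|{self._tag(user, expires)}"

    def _authenticate(self, token: str, now: float):
        try:
            user, expires, tag = token.split("|")
            expires = int(expires)
        except ValueError:                       # malformed token
            return None
        good = hmac.compare_digest(tag.encode(), self._tag(user, expires).encode())
        return user if good and now < expires else None

    def share(self, user: str, file_path: str) -> None:
        self.grants.add((user, file_path))

    def revoke(self, user: str, file_path: str) -> None:
        self.grants.discard((user, file_path))   # effective on the next request

    def authorize(self, token: str, file_path: str, now=None) -> bool:
        """Evaluated on every request; every decision is logged, deny included."""
        now = time.time() if now is None else now
        user = self._authenticate(token, now)
        if user is None:
            decision = "deny:unauthenticated"
        elif (user, file_path) not in self.grants:
            decision = "deny:no-grant"
        else:
            decision = "allow"
        self.audit_log.append({"ts": now, "user": user, "file": file_path, "decision": decision})
        return decision == "allow"
```

Because the grant set is consulted on every call rather than cached in the token, a revocation takes effect on the very next request, and the denied attempt still lands in the audit log.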
Zero Trust not only delivers significant security improvements but also reduces costs and complexity while providing more peace of mind for business and IT leaders, as well as cybersecurity teams. At the same time, it provides a secure platform for the remote workforce with added productivity.
Given what is going on at the moment with the Microsoft Exchange Server hacking debacle and other incidents, what is clear is that now is the time to explore, expand and accelerate Zero Trust initiatives.
Anthony DeCristofaro is the CEO and President of Qnext Corp.