This article is the second in a series discussing zero trust for the Defense Industrial Base (DIB).
With a clear understanding of what zero trust is — especially through the DoD perspective — the next logical question is why to implement it. This article explores the “why” of zero trust, including external drivers — such as widespread adoption by the U.S. government and DoD — and internal ones, such as the potential benefits it offers to an organization.
The Evolution of Zero Trust
Zero trust is a security model designed to address the main shortcomings of traditional, perimeter-focused security models. Under these models, people, devices, software, etc. were either trusted insiders or untrusted outsiders. However, recent evolutions, such as the growth of the cloud and remote work, have made perimeters increasingly irrelevant.
Zero trust has made its way onto the scene over nearly two decades. Some key milestones include:
- Pre-2004: The zero trust concept is used by the US Intelligence Community to enable secure communications over untrusted telecom infrastructure.
- 2004: The term “deperimeterization” is coined by Paul Simmonds in a presentation to the Jericho Forum.
- 2010: John Kindervag of Forrester Research makes the first public use of the term “zero trust”.
- 2018: Forrester defines the seven core pillars of zero trust, and NIST SP 800-207 describes the primary features of a zero trust architecture.
- 2019: Gartner defines the terms zero trust network access (ZTNA) and secure access service edge (SASE), both of which are core elements of a zero trust security architecture.
- 2021: The U.S. government fully embraces zero trust via an Executive Order and publications by the Office of Management and Budget (OMB) and Cybersecurity and Information Security Agency (CISA) outlining zero trust strategies and reference architectures.
- 2022: The OMB gives federal agencies until the end of FY 2024 to achieve five key zero-trust goals.
Benefits of a Zero Trust Framework
The adoption of zero-trust principles by U.S. federal agencies and the DoD provides ample incentive for federal contractors to do the same. However, organizations can also derive numerous benefits of their own from adopting zero trust, including:
- Improved Security: Zero trust eliminates the implicit trust in insiders that exists in perimeter-focused strategies. By individually evaluating every access request, zero trust makes it easier to detect, respond to, and contain suspicious or malicious actions.
- Increased Visibility: Under a zero trust security model, every access request is evaluated and authenticated. This provides deep visibility into how an organization’s IT assets are being used.
- Consistent Enforcement: Traditional, perimeter-focused security strategies approach security from a perspective centered on the corporate network. Zero trust implements consistent security and access controls across the corporate network.
- Data Protection: Zero trust individually authenticates each request for access to corporate resources. This makes it more difficult for an attacker to access and exfiltrate sensitive information from corporate systems.
- Third-Party Risk Management (TPRM): Third-party software, contractors, vendors, etc. may be used by an attacker to access an organization’s systems. A zero-trust security strategy manages the access granted to these third parties, reducing the potential impacts if they are compromised by an attacker.
- Regulatory Compliance: Zero trust is increasingly required by various regulations and contracts. Implementing zero trust will soon be essential to an organization’s compliance strategy.
Getting Started with Zero Trust
Zero trust has clearly emerged as the future of cybersecurity strategies for both the private and public sectors. Nearly all companies have acknowledged the importance of zero trust to their security and are making moves towards implementing it in the near future. For the defense industry, compliance with zero trust principles may soon be mandatory to continue working with the DoD.
Zero Trust at the Edge
With contributions from Secure Communications Expert, Junaid Islam, Board Member and CTO of XQ.
Mobile edge computing is extremely valuable in helping implement a Zero Trust Architecture. The term “edge” encompasses remote areas where networks may be unreliable and unsecure, yet critical data must still be collected in these areas to inform operations of potential threats, environmental changes, etc.
Since this data is obtained through networked sensors and imaging systems, being able to implement Zero Trust Data at the edge ensures that cyber attackers have little chance to either copy it (data exfiltration) or alter it (data corruption). In other words, implementing Zero Trust Data is key to ensuring Mission Critical systems are safe even when operating in hostile environments.
Performance Defense’s EDGE 5G-X is a certifiable, small form factor heterogeneous communications device that is secured with the highest security standards, including a hardware-based root of trust. These cyber secure components are what set the EDGE 5G-X apart and make it a trusted mission-critical solution within the zero trust environment at the edge. The EDGE 5G-X platform in combination with Zero Trust Data software from XQ Message enables public sector customers to implement mission critical applications with improved reliability and performance compared to centrally hosted architectures.
This article is the second installment in a three-part series discussing zero trust and the defense sector. The final piece in this series will focus on the “how” of implementing zero trust in your organization.