Zero Trust: How to Reach Maximum Security

By Jason Roys

“Zero trust” is a bad thing in personal relationships, but when it comes to cybersecurity, it’s a must.  

As cybercrime becomes ever more sophisticated, it’s no longer enough to secure a network perimeter to fend off an attack. The U.S. government and many large companies are adopting a zero trust security model, a set of security policies and practices that treats every component, service and user of a system as potentially compromised and continually vulnerable.  

Such a system relies on zero trust architecture, where each user identity is verified, sometimes multiple times, and every network access is mediated, logged and analyzed.  

In 2021, President Biden signed Executive Order 14028 on Improving the Nation’s Cybersecurity, which requires U.S. federal government organizations to take action to strengthen national cybersecurity. It specifically calls on federal agencies and their suppliers “to modernize [their] approach to cybersecurity” by accelerating the move to secure cloud services and implementing zero trust architecture.  

In this article, we’ll discuss the features and benefits of zero trust network access, why it’s crucial for cybersecurity, and the specific ways in which SDV INTERNATIONAL meets the needs and demands of zero trust.   

What is zero trust security?  

A zero trust network assumes that nothing is safe and secure. Analyst John Kindervag, formerly of Forrester Research, coined the phrase “zero trust” to reflect his belief that risk is an inherent factor both inside and outside a network. Zero trust follows the motto: “Never trust, always verify.”  

This stance departs from the traditional “trust but verify” model, which automatically trusts users and endpoints once they are inside the network perimeter. That traditional method puts a network at risk both from insiders and from external attackers who manage to obtain a legitimate user’s credentials.  

Why doesn’t this trust model work anymore? Two reasons: The acceleration of distributed work environments brought on by the COVID pandemic in 2020 and the digital transformation of businesses, transactions and sensitive data into the cloud.  

The Biden Administration’s executive order directs federal agencies to develop plans for implementing zero trust architecture, incorporating the migration steps laid out in National Institute of Standards and Technology (NIST) Special Publication 800-207, which is now regarded by many as the reference model for private enterprise as well.  

Based on the NIST guidelines, a zero trust security model seeks to follow several core principles:  

Continuously verify 

A zero trust network verifies access continuously — all the time, for every user, component and service. By some industry estimates, more than 80% of breaches involve the use or misuse of legitimate credentials inside the network. One-time validation at login isn’t enough, because both the threat picture and a user’s attributes (device, location, role, session age) change over time. Organizations must evaluate every access request each time it is made, not just once, before granting access to any enterprise or cloud asset.  

What might this mean for a user? It might require multi-factor authentication or re-entering credentials periodically. At the same time, a network can’t be so locked down that it becomes unusable.   

Limit the attack surface   

In a traditional flat network, a single compromised device or user account can give an attacker broad reach, because once inside the perimeter they can move from system to system, a technique known as “lateral movement.” A single intrusion can end up taking down an entire network.  

Let’s say a user clicks a malicious link on their laptop and has their credentials stolen by attackers, who can now masquerade as that user. Because the internal network is largely flat and every host can reach every other host, the attackers can move laterally through the network, establishing a presence in multiple locations and amplifying their attack.    

Zero trust architecture minimizes the impact of such a breach, whether it starts inside or outside, by placing an enforcement point in front of every resource: in NIST 800-207 terms a policy decision point and policy enforcement point, in product terms a “zero trust network access controller,” or ZTNA controller. Connectivity to the internet and to other network assets is denied by default and established per session, only when needed. The user receives “least privilege access” to just the parts of the network their job requires, and only after authenticating with multi-factor authentication such as a hardware token, a biometric or a one-time code. A code sent via text message is the weakest of these options, since it can be phished or intercepted; federal zero trust guidance (OMB M-22-09) now requires phishing-resistant MFA for agency staff.  

A malicious actor who has compromised one account would need to pass a separate identity and access check for every additional resource, and would be refused anything that account is not entitled to. Repeated failed or anomalous attempts are logged, and the ZTNA controller can treat them as suspicious, locking the account or terminating the session and shutting down the attack on critical assets or sensitive data before it gains a toehold.  

Automate context collection and response 

Even as it boosts network security, a zero trust strategy adds operational complexity and, if the friction is not managed, can reduce overall productivity. So, how do enterprises find a balance between speed and safety as they deploy zero trust solutions? 

Context is critical to effectively delivering on the potential of zero trust. Enterprises can create a security model that is permissive where possible and restrictive where needed. Strong authentication of users, device identity and each asset request is necessary, but those checks must be considered within the larger context of what the user is doing. Policy can weigh factors like where a request originates, what time it occurs, whether the device is managed and compliant, and how the data is being used, and it can respond automatically: allowing a routine request, demanding re-authentication for an unusual one, and blocking and alerting on a pattern of denials. 
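The following is an added example, not code from the article or from SDV INTERNATIONAL, that puts the three principles above into one toy policy decision point. Resource names, roles, network ranges, thresholds and the two scenarios are all constructed for illustration. It shows least-privilege entitlements with default deny, continuous verification through session age and MFA step-up, context factors (device compliance, source network, time of day), and a lockout after repeated denials that stops an attacker using stolen credentials from moving laterally.

```python
"""Toy zero trust policy decision point (PDP). Added example; all names assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Per-resource, per-role entitlements (assumed). Anything not listed is denied.
ENTITLEMENTS = {
    "payroll-db": {"finance": {"read"}, "dba": {"read", "write"}},
    "git-server": {"engineering": {"read", "write"}},
}
CORP_NETWORKS = [ip_network("10.0.0.0/8")]   # assumed managed address space
MAX_SESSION_AGE = timedelta(minutes=30)       # force re-authentication after this
LOCKOUT_THRESHOLD = 3                         # denials before the user is locked
LOCKOUT_WINDOW = timedelta(minutes=10)
NOW = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    action: str
    source_ip: str
    device_compliant: bool   # device posture reported by an assumed endpoint agent
    mfa_verified: bool
    last_auth: datetime
    now: datetime


class PolicyDecisionPoint:
    def __init__(self):
        self._denials = defaultdict(list)   # user -> timestamps of recent denials
        self.log = []                        # every decision is recorded

    def _is_locked(self, user, now):
        recent = [t for t in self._denials[user] if now - t <= LOCKOUT_WINDOW]
        self._denials[user] = recent
        return len(recent) >= LOCKOUT_THRESHOLD

    def decide(self, req):
        verdict, reason = self._evaluate(req)
        if verdict == "deny":
            self._denials[req.user].append(req.now)
        self.log.append((req.now.isoformat(), req.user, req.resource,
                         req.action, verdict, reason))
        return verdict, reason

    def _evaluate(self, req):
        if self._is_locked(req.user, req.now):
            return "deny", "user locked after repeated denials"
        allowed = ENTITLEMENTS.get(req.resource, {}).get(req.role, set())
        if req.action not in allowed:
            return "deny", "no entitlement"              # default deny, least privilege
        if not req.device_compliant:
            return "deny", "device not compliant"
        if not req.mfa_verified or req.now - req.last_auth > MAX_SESSION_AGE:
            return "step_up", "re-authenticate with MFA"  # continuous verification
        on_corp_net = any(ip_address(req.source_ip) in n for n in CORP_NETWORKS)
        in_hours = 7 <= req.now.hour < 20
        if req.action == "write" and not (on_corp_net and in_hours):
            return "step_up", "write from unusual context"  # context-aware restriction
        return "allow", "policy satisfied"


def simulate_stolen_credentials():
    """Alice's password is stolen and used from an unmanaged external device."""
    pdp = PolicyDecisionPoint()
    fresh = NOW - timedelta(minutes=5)
    legit = dict(user="alice", role="finance", source_ip="10.1.2.3",
                 device_compliant=True, mfa_verified=True, last_auth=fresh)
    stolen = dict(user="alice", role="finance", source_ip="203.0.113.7",
                  device_compliant=False, mfa_verified=True, last_auth=fresh)
    m = timedelta(minutes=1)
    steps = [
        Request(**legit, resource="payroll-db", action="read", now=NOW),
        Request(**stolen, resource="payroll-db", action="read", now=NOW + m),
        Request(**stolen, resource="git-server", action="read", now=NOW + 2 * m),
        Request(**stolen, resource="payroll-db", action="write", now=NOW + 3 * m),
        Request(**stolen, resource="payroll-db", action="read", now=NOW + 4 * m),
        Request(**legit, resource="payroll-db", action="read", now=NOW + 5 * m),
    ]
    return [pdp.decide(r) for r in steps]


def simulate_step_up():
    """A legitimate DBA with a stale session, then a late-night write."""
    pdp = PolicyDecisionPoint()
    late = NOW.replace(hour=22)
    base = dict(user="bob", role="dba", resource="payroll-db", action="write",
                source_ip="10.9.8.7", device_compliant=True, mfa_verified=True)
    stale = Request(**base, last_auth=NOW - timedelta(hours=2), now=NOW)
    offhours = Request(**base, last_auth=late - timedelta(minutes=1), now=late)
    return [pdp.decide(stale), pdp.decide(offhours)]
```

In the first scenario the attacker never reaches the database: the unmanaged device fails posture, the attempts to reach other resources fail the entitlement check, and after three denials the account is locked, which also blocks the real Alice until the window expires and someone investigates. That last effect is the usability cost the text warns about, and it is why the lockout window and threshold are tunable rather than hard-coded to zero tolerance.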

Why is zero trust architecture crucial for cybersecurity?   

To understand why zero trust architecture is needed in today’s dangerous cyber environment, all you have to do is watch the news.  

I wrote an opinion piece last year about several major cyberattacks in 2021 that targeted our critical infrastructure. JBS, the world’s largest meatpacker, was hit with a ransomware attack against some of the company’s U.S. and Australian plants. JBS was forced to shut its five largest U.S. beef processing plants, which represent almost 20% of U.S. beef production. The company paid the hackers $11 million.  

A ransomware attack in May 2021 shut down the Colonial Pipeline, one of the nation’s largest, most vital energy pipelines. The attack began when a hacker group identified as DarkSide accessed the Colonial Pipeline network. The attackers stole 100 gigabytes of data within a two-hour window and then infected the pipeline’s IT network. 

Massive hacks, data breaches, digital scams and ransomware attacks have continued in 2022, including Russian incursions into Ukraine’s infrastructure. It appears, though, that criminals have slowed down their “big-game hunting” and started going after small- and medium-size businesses, which have limited resources and may not have secured their IT networks. CISA and the Ransomware Task Force, created in 2021, have released a blueprint for fending off such attacks. 

While the U.S. government does not yet require private enterprise to adopt zero trust architecture, that day is likely not far off. From a national perspective, we must secure our critical infrastructure sectors, 90% of which — such as food production, energy, financial services, manufacturing and communications — is in the private sector.   

The White House has told federal agencies that they must achieve zero trust goals by October 2024 to harden the government’s security posture against cyberattacks. Since the administration is also interested in expanding its use of SaaS (Software as a Service), providers bidding on those contracts will need to meet those goals, too.  

Implementing a zero trust approach is a complex, enterprise-wide journey that requires commitment from leadership and every business unit, along with guidance from an advisory firm with know-how and experience in the zero trust journey.  

How does SDV INTERNATIONAL meet the needs and demands of zero trust?   

Years before the term “zero trust” came into use, SDV INTERNATIONAL was already employing its principles — assuming every actor is potentially hostile and compartmentalizing user access — to meet the demands of high-security government agencies.  

As far back as 2013, we published a white paper outlining the threats cyber criminals pose to critical infrastructure and proposing sound security measures, practices, procedures and enterprise architecture policies. Currently we work with several branches of the federal government as well as several large, publicly traded companies.  

When we assess a company’s or agency’s needs or design their zero-trust architecture, our bible is NIST Special Publication 800-53, which runs the full gamut of security and privacy controls. Our services range from network architecture to software development to assistance with implementation.  

A small- or medium-size business likely won’t have the budget to apply all the zero trust principles the way federal agencies or big companies can. However, they can still establish control over users’ computing environments and traffic on their networks. We help companies using cloud providers like Microsoft and Amazon Web Services “inherit” security controls and activate encryption and strong multi-factor authentication, so they don’t have to reinvent the wheel.  

The work doesn’t stop there. Zero trust policies must be adaptive to new customers, new users and new business activities. You don’t just set it up and walk away. Some companies have an internal team to review and update policies, and that's one more service that SDV INTERNATIONAL provides.  

A quality-management system (QMS) is useful for documenting and scheduling periodic reviews and updates of policies. SDV INTERNATIONAL, with its ISO 9001:2015 and CMMI Level 3 certifications, is well positioned to work with companies and agencies on the development of a QMS that addresses zero trust architecture.  

To learn more about how SDV INTERNATIONAL works to secure critical infrastructure, visit our website, email info@SDVinternational.com or give us a call at 800-738-0669.