Zero trust is a popular buzzword in cybersecurity and federal IT, but it is still fraught with confusion. It is sometimes misunderstood as a tangible product or tool. In fact, zero trust is a philosophy and approach to cybersecurity rooted in the idea that no user or device can be trusted by default and that all of them must be continuously verified in order to gain access to a network or IT system.
What is zero trust?
Stephen Marsh, an associate professor at the University of Ontario Institute of Technology, coined the term “zero trust” in a 1994 paper on securing IT systems. The term gained popularity in 2018 when the National Institute of Standards and Technology (NIST) released a special publication titled “Zero Trust Architecture,” which outlines the basic principles of the zero trust approach to cybersecurity that the IT community understands today.
“Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources,” according to the NIST publication. “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned).”
Microsoft describes zero trust as a new security model that “effectively adapts to the complexity of the modern environment,” which includes cloud-hosted platforms and networks and mobile users.
“At its core, [zero trust is] taking a lot of principles that have been around for a long time and implementing them well, for a change,” said former U.S. Customs and Border Protection CISO Alma Cole at the RSA Conference in April. “You're talking about taking that security principle of least privilege access, rolling that out, and actually implementing that in a comprehensive way across your environment and users.”
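The difference between the perimeter model NIST describes and a zero trust decision is easiest to see in code. The following is an added illustration, not code from the article or from NIST, Microsoft or any vendor named here: a small policy engine that contrasts an implicit-trust check (grant access because the request comes from the corporate LAN) with a zero trust check that verifies identity, device posture and least-privilege authorization for the specific resource on every request, ignoring network location entirely. The IP range, session tokens, device inventory and access list are all constructed for the example.

```python
"""Perimeter-style versus zero trust access decisions (added example).

Contrasts an implicit-trust check based on network location with a
zero trust check that verifies who is asking, from what device, and for
which resource. Every identifier below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed "corporate LAN" range that the perimeter model implicitly trusts.
INTERNAL_NETWORK = ipaddress.ip_network("10.0.0.0/8")

# Constructed identity store: session token -> verified user principal.
VALID_SESSIONS = {"tok-alice-7f3a": "alice", "tok-bob-91cc": "bob"}

# Constructed device inventory: device id -> passes posture checks
# (patched, disk encrypted, endpoint agent reporting), as an MDM would report.
COMPLIANT_DEVICES = {"laptop-a1": True, "laptop-b2": False}

# Constructed least-privilege policy: resource -> principals allowed to reach it.
RESOURCE_ACL = {"hr-db": {"alice"}, "wiki": {"alice", "bob"}}


@dataclass
class Request:
    source_ip: str
    session_token: Optional[str]
    device_id: Optional[str]
    resource: str


def perimeter_decision(req: Request) -> bool:
    """Legacy model: being on the internal network is sufficient to be trusted.

    Identity, device state and the resource requested are never examined,
    so anything that reaches the LAN (a compromised host, a stolen laptop)
    inherits full access.
    """
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NETWORK


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Zero trust model: location is ignored; each request must prove itself.

    Returns (allowed, reason) so the reason can be logged for detection.
    """
    user = VALID_SESSIONS.get(req.session_token or "")
    if user is None:
        return False, "identity not verified"
    if not COMPLIANT_DEVICES.get(req.device_id or "", False):
        return False, "device not compliant"
    if user not in RESOURCE_ACL.get(req.resource, set()):
        return False, f"{user} not authorized for {req.resource}"
    return True, f"{user} on {req.device_id} allowed to {req.resource}"


def compare(req: Request) -> dict:
    """Evaluate one request under both models, for side-by-side logging."""
    zt_allowed, reason = zero_trust_decision(req)
    return {
        "perimeter": perimeter_decision(req),
        "zero_trust": zt_allowed,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed requests: an unauthenticated host on the LAN, and a fully
    # verified user on a compliant laptop connecting from the internet.
    samples = [
        Request("10.1.2.3", None, None, "hr-db"),
        Request("203.0.113.5", "tok-alice-7f3a", "laptop-a1", "hr-db"),
        Request("10.1.2.3", "tok-bob-91cc", "laptop-b2", "wiki"),
    ]
    for s in samples:
        print(s.source_ip, s.resource, compare(s))
```

The first sample request is the one that matters: a host on the internal network with no verified identity is allowed by the perimeter check and refused by the zero trust check, while a verified user on a compliant device is allowed from anywhere. Returning the denial reason makes each refused request a useful signal for monitoring rather than a silent drop.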
The Department of Homeland Security, especially the Cybersecurity and Infrastructure Security Agency (CISA), aggressively pushes zero trust adoption at federal agencies to better secure federal networks. NIST and CISA lead the federal IT community in zero trust education, research, and support.
What does zero trust mean for contractors?
President Joe Biden's cybersecurity executive order requires federal agencies to come up with a plan to shift to the zero trust model of cybersecurity within 60 days of the order, which was July 11. The executive order charges the head of each federal agency with implementing a zero trust architecture at their agency and providing a report on their progress to Acting Director of OMB Shalanda Young and Assistant to the President for National Security Affairs Jake Sullivan by July 11.
Many IT vendors working with the federal government have already adopted a zero trust approach to cybersecurity, but zero trust is now an imperative. Federal contractors will need to ensure that the IT solutions they develop are consistent and compatible with a zero trust approach to cybersecurity.
What is the industry perspective on zero trust?
In many ways, industry has led the way in zero trust implementation. Top IT and cyber vendors like Microsoft, CrowdStrike, IBM, Forcepoint and Palo Alto Networks provide their own zero trust explainers for clients curious about their zero trust approach.
According to a 2020 Cybersecurity Insiders Zero Trust Progress Report, 72% of IT organizations plan to assess or implement zero trust practices in 2020, although 47% are “not confident” in applying a zero trust security model to their business processes, compared to 53% who are confident.
Which federal agencies have deployed zero trust architecture?
Most federal agencies have already deployed or are now in the process of deploying a zero trust approach to cybersecurity. See below for additional details on some federal agencies' zero trust plans.
Department of Homeland Security:
- New DHS CIO Tackles Supply Chain Risk Management, Interoperability
- Supply Chain Risk, Data Interoperability are Major Goals at DHS
- SolarWinds Opened the Door for Cybersecurity Culture Overhaul at DHS
- How DHS is Securing Data in the Telework Era
Department of Health and Human Services:
- Agencies Combat Ransomware in Digital Health
- How HHS, GSA Tackled Data Security During COVID-19
- Here Are Federal Health IT's Top Investment Areas