The pandemic has sent cyberattacks into overdrive. Hundreds of millions of attacks were initiated each day of 2020 and malware increased by 358% last year. Ryan Oliaee, senior sales director for U.S. federal and state government, Adaptiva discusses how a zero trust approach to security is becoming increasingly more common. However, it’s complicated to execute. If your team is ready to make the shift to zero trust, here are some considerations to help you get started.

It’s no secret that cyberattacks have been on the rise over the past several years. But the pandemic sent them into overdrive. For instance, hundreds of millions of attacks were initiated each day of 2020, according to recent research from Deep Instinct. The report also concluded that malware increased by 358% last year, with Emotet malware in particular shooting up a staggering 4,000%, while ransomware jumped 435% over 2019 figures.

These attacks are costly in several respects, but when it comes to the impact they have on government assets, the situation truly becomes dangerous. So how do we stop them?

 

Enter Zero Trust

IT security has traditionally been built around a perimeter approach, where internal assets are contained and guarded against outside attackers. The problem with this approach is two-fold. First, it assumes all threats come from the outside. Second, it assumes that it can stop every threat from getting past defenses; once inside the attacker can essentially roam undetected for weeks, months or even longer. This model no longer matches up with the types of sophisticated attacks we’re seeing today, and it totally collapses once you factor in the potential for employees or contractors already working inside the perimeter to wreak havoc (think Harold T. Martin IIIReality Leigh Winner and, of course, Edward Snowden).

Additionally, it is a poor fit for today’s remote work environment, where everyone is attempting to access documents, workflows, data and other assets from locations and devices that often lack the same security standards enforced on-site.

As such, a zero trust approach to security is becoming increasingly common. In contrast to perimeter defenses, zero trust assumes no one inside or outside the perimeter should be given a pass. It requires strict access controls and authentication at every level.

But it’s complicated to execute. Zero trust requires constant vigilance and the ability to rapidly address necessary access changes. It can also be a productivity drain, especially if the policies become cumbersome to maintain. For these reasons, most organizations require a phased rollout over time.

 

How To Set Up Zero Trust: 5 Considerations

If your team is ready to make the shift to zero trust, here are some considerations to help you get started:

 #1 Take Inventory: Unless you are planning to completely rip out and re-architect your present security infrastructure, which I absolutely do not recommend, you should plan to address the most sensitive resources first. To do this, you have to know what those assets, workflows, network accounts, and such are. Leadership needs to work with SecOps team members to prioritize exactly what requires added security.

#2 Determine an Access Hierarchy: Once priority assets are identified, you have to determine who gets access to what. Chances are, you are not opening up all of your applications and data to everyone; blanket access shouldn’t exist. Contractors, for example, should only have access to the resources within their immediate purview. This will take some time to ascertain and track — and you should expect such access protocols as well as authentication practices to be fluid as people frequently move in and out of positions or change projects.

#3 Consider Circumstances: With remote work now a common part of life, you also have to figure out not just what information can be accessed by whom but also where they access it and when. Are home networks ok? Hotels? What about the local coffee shops? Do users need a secure, dedicated network? Can they jump on a public network? Parameters and policies must be carefully considered and clearly defined. They also will likely depend on specific employee roles and access needs.

#4 Budget for Tools and Time: If you don’t already have zero trust tools in your arsenal, you’ll need to plan to spend for quality, sophisticated components, and capabilities that don’t impede the user experience. You’ll want products or services for identity management, asset management, application authentication, network segmentation, and threat intelligence. Automated endpoint management, while not necessary for zero trust, can also be beneficial in the sense that it can ensure endpoints are kept up-to-date and configured correctly, shutting down key entry points for bad actors both outside and inside the perimeter.

On top of this, zero trust requires constant management and the ability to react at a moment’s notice, changing controls as warranted. This takes dedicated human resources. Who on your team will accept this responsibility? Will you disburse zero trust management across existing SecOps employees, or do you need to hire? And how will this impact other IT priorities? Be sure you have the budget to cover appropriate personnel.

#5 Be Realistic: You don’t just flip a switch and turn on zero trust. It requires thought — and time — to successfully manage all of the pieces and how they function within the organization. As such, it is important to set realistic goals and timelines for implementation and for adequately training employees on new practices and policies.

Keeping all of this in mind, it is clear that building effective zero trust architecture is not easy. It requires patience, adaptability, perpetual monitoring, and adjustments. But it is worth it — at least if you want a real chance at safeguarding assets.

 

As first published in Toolbox.com