The evolving threat landscape and its increasingly sophisticated tactics, techniques, and procedures have highlighted the need to adjust defensive strategies significantly. Attackers have shifted their focus to social engineering and to the growing number of endpoints active in an environment, to great and lucrative effect. As a result, the “bastion” approach to security (a hardened perimeter with implicit trust inside it) lacks the continuous inspection required to detect threats once they have bypassed traditional layered defenses.
Zero Trust Architecture (ZTA) addresses this by granting no implicit trust to any user, device, or workload based on network location or ownership; every access request is verified. The executive order issued by the White House stresses the importance of ZTA adoption, and NIST Special Publication 800-207 provides a structure to use for implementation. Yet despite the orders and guidance, moving from traditional strategies to something that adheres to Zero Trust principles is not a trivial task. It requires a holistic approach to security, identity, and data management.
In this blog, we explain ZTA and what it means for federal agencies and organizations. We also share ideas about how to adhere to Zero Trust principles.
ZTA is a security framework—not a person, not a tool, not a policy. It requires a triad of people, processes, and technology; no one thing alone can get you there. ZTA enforces access and control policies rooted in context, including user attributes, roles, and locations cross-referenced with the devices and data they are accessing. Regardless of role and location, all users must be authenticated, authorized, and continuously validated for access. No verification means no access, and there are no exceptions.
ZTA focuses on access controls at various levels, including network, applications, and data, and it ensures that no one can access what they shouldn’t. Nothing is open by default. The controls give verified users “need-to-know” access at the correct level while denying it to all others. These “never trust, always verify” actions complicate external breaches and limit a hostile insider’s ability to move laterally throughout your environment, stealing, encrypting, or isolating you from your data.
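The following is an added illustration of the context-based decision described above, modeled on the policy engine / policy enforcement point split in NIST SP 800-207. It is example code written for this page, not Cohesity’s implementation; the attribute names, sensitivity tiers, and MFA freshness windows are assumptions chosen for the demonstration. Each request is evaluated from scratch (role, device posture, and authentication freshness must all hold), and an unknown sensitivity tier fails closed.

```python
"""Context-aware access decision in the style of a NIST SP 800-207 policy
engine. Added example, not Cohesity code: every attribute, tier and
threshold below is an assumption made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    mfa_verified_at: Optional[datetime]   # None: no MFA proof on this session


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool     # enrolled in the agency's device management (assumed attribute)
    patched: bool     # meets the current patch baseline (assumed attribute)


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str              # "public", "internal" or "restricted" (assumed tiers)
    allowed_roles: FrozenSet[str]


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


# Assumed policy: how fresh the MFA proof must be for each sensitivity tier.
MFA_MAX_AGE = {
    "public": None,                       # no MFA required
    "internal": timedelta(hours=12),
    "restricted": timedelta(minutes=15),  # step-up authentication for sensitive data
}


def evaluate(subject: Subject, device: Device, resource: Resource,
             now: Optional[datetime] = None) -> Decision:
    """Evaluate one access request; no cached 'trusted session' is consulted."""
    now = now or datetime.now(timezone.utc)
    reasons: List[str] = []

    # Fail closed on a tier the policy does not know about.
    if resource.sensitivity not in MFA_MAX_AGE:
        return Decision(False, ["unknown sensitivity tier; denied by default"])

    # Least privilege: the role must be explicitly granted for this resource.
    if not (subject.roles & resource.allowed_roles):
        reasons.append("role not authorized for resource")

    # Device posture: unmanaged or unpatched devices never reach non-public data.
    if resource.sensitivity != "public":
        if not device.managed:
            reasons.append("unmanaged device")
        if not device.patched:
            reasons.append("device below patch baseline")

    # Authentication freshness: tighter tiers require recent MFA.
    max_age = MFA_MAX_AGE[resource.sensitivity]
    if max_age is not None:
        if subject.mfa_verified_at is None:
            reasons.append("MFA required")
        elif now - subject.mfa_verified_at > max_age:
            reasons.append("MFA proof too old; step-up required")

    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample requests, not real users or devices.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    analyst = Subject("alice", frozenset({"analyst"}), t0 - timedelta(minutes=5))
    laptop = Device("d1", managed=True, patched=True)
    case_files = Resource("case-files", "restricted", frozenset({"analyst"}))
    print(evaluate(analyst, laptop, case_files, t0))
    stale = Subject("alice", frozenset({"analyst"}), t0 - timedelta(hours=1))
    print(evaluate(stale, laptop, case_files, t0))   # denied: MFA proof too old
```

Every deny carries the reasons it was denied for, which is what you feed to logging and to the step-up prompt; the same `evaluate` call is what a policy enforcement point would make on each request rather than once at login.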
Taking the ZTA framework into account, you can begin to enact very granular controls for your enterprise to prevent unsanctioned data alteration, exfiltration, or destruction. An example is quorum, a feature built into Cohesity’s threat defense architecture, which works like a safety deposit box that requires your key and another person or persons to open it. No single user, admin, or compromised credential can impact quorum-controlled operations or data on the Cohesity platform. You can define which critical changes, including root-level changes, need to be authorized by two (or more) individuals, making your data and the platform secure. Additionally, there is no back-door service that cybercriminals can use to circumvent these controls.
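To make the quorum idea concrete, here is an added example of a generic M-of-N approval gate for critical operations. It is illustration code written for this page, not Cohesity’s quorum implementation; the operation names, required approver counts, and expiry window are assumptions. The checks that matter are that the requester cannot approve their own request, one identity cannot approve twice, approvals expire rather than standing indefinitely, an approved request can be executed only once, and an operation the policy does not list is denied rather than waved through.

```python
"""Two-person (M-of-N) approval gate for sensitive operations. Added
example for illustration only; not Cohesity's implementation. Operation
names, approver counts and the expiry window are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Assumed policy table: operation -> number of distinct approvers required.
QUORUM_REQUIRED = {
    "delete-backup": 2,
    "disable-immutability": 2,
    "reset-root-password": 3,
}
APPROVAL_WINDOW = timedelta(minutes=30)   # assumed: approvals are not standing consent


class QuorumError(Exception):
    """Raised whenever the gate refuses to proceed."""


@dataclass
class Request:
    operation: str
    requester: str
    created_at: datetime
    approvals: Dict[str, datetime] = field(default_factory=dict)  # approver -> time
    executed: bool = False


def approve(req: Request, approver: str, now: Optional[datetime] = None) -> None:
    """Record one approval, enforcing separation of duties and freshness."""
    now = now or datetime.now(timezone.utc)
    if req.executed:
        raise QuorumError("request already executed")
    if approver == req.requester:
        raise QuorumError("requester cannot approve their own request")
    if approver in req.approvals:
        raise QuorumError("duplicate approval from the same identity")
    if now - req.created_at > APPROVAL_WINDOW:
        raise QuorumError("request expired before quorum was reached")
    req.approvals[approver] = now


def execute(req: Request, now: Optional[datetime] = None) -> bool:
    """Run the operation only if enough distinct, unexpired approvals exist."""
    now = now or datetime.now(timezone.utc)
    needed = QUORUM_REQUIRED.get(req.operation)
    if needed is None:
        raise QuorumError("operation not covered by quorum policy; denied")
    if req.executed:
        raise QuorumError("request already executed")
    fresh = [a for a, t in req.approvals.items() if now - t <= APPROVAL_WINDOW]
    if len(fresh) < needed:
        raise QuorumError(f"quorum not met: {len(fresh)} of {needed} approvals")
    req.executed = True   # one-shot: the same approvals cannot be replayed
    return True


if __name__ == "__main__":
    # Constructed walk-through with fictitious identities.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    req = Request("delete-backup", "alice", t0)
    approve(req, "bob", t0 + timedelta(minutes=1))
    approve(req, "carol", t0 + timedelta(minutes=2))
    print(execute(req, t0 + timedelta(minutes=3)))   # True: two distinct approvers
```

The gate is deliberately stateful and one-shot: a compromised admin credential can create a request or supply one approval, but cannot alone reach the count, cannot reuse its own approval, and cannot replay an old approval after the window has passed.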
Since Zero Trust is a framework or a structure, there is no one-size-fits-all solution, and finding the resources to get started can be overwhelming. The White House published Executive Order 14028, which requires federal agencies to adopt Zero Trust cybersecurity principles and sets an overall end goal. In response, the Cybersecurity and Infrastructure Security Agency (CISA) has provided a Zero Trust Maturity Model to help agencies with implementation of ZTA. This model is in line with the Office of Management and Budget’s (OMB) Zero Trust Strategy. The Zero Trust Maturity Model is just one roadmap for agencies to reference as they transition towards ZTA.
Another example is the National Institute of Standards and Technology (NIST) Special Publication 800-207, which provides Zero Trust cybersecurity measures and guidelines. Specifically, this document provides detailed recommendations on controlling access to and protecting networks, applications, and data. The DoD is following suit. It recently announced plans to release a formal Zero Trust strategy with the goal of enterprise-wide Zero Trust implementation by 2027.
The intent from the White House, CISA, NIST, and DoD is clear. They see ZTA as the way forward to limit the effectiveness of cyberattacks while ensuring access to valuable mission-critical data and services. Therefore, federal organizations and agencies should be referring to the guidelines available to them from CISA and NIST to construct their ZTA.
Because ZTA is a framework based on constant verification of the user and their access, it must consist of a combination of products, integrations, and policies that can be tied to identities. This level of control requires tie-ins from your user identity, security, networking, and data management platforms. No single product provides that comprehensive coverage for ZTA, despite what some companies might claim.
The Cohesity platform has key components that provide data protection and help shore up your Zero Trust Architecture. File systems are set up with immutability to prevent tampering or destruction while supporting recovery if needed, and Cohesity FortKnox provides secure data isolation for critical datasets.
Zero Trust requires you to have full visibility of your networks, environments, access, and endpoints; Cohesity Helios provides that visibility for your data, archives, and backups and integrates with your other enterprise management and security platforms. This provides a cohesive view with control from the data to the user and back, with assurances that the data will be available and secure to the right user at the right level. All of these products are built with Zero Trust in mind, but only as part of an integrated solution do they help provide effective Zero Trust operations.
ZTA goes a long way toward protecting your data from insider threats, ransomware, and compromised user credentials. If you build it right, with the correct access controls, strong authentication methods, network segmentation, access restriction, and data isolation, ZTA delivers higher overall levels of security. As a result, you are better protected from attacks that target users and their credentials. However, Zero Trust is not something you can set and forget.
If there’s one thing that is almost as certain as change, it’s that hostile actors will continue to mature and evolve to try to circumvent new technologies and frameworks like Zero Trust. Once a specific cybersecurity philosophy, method, platform, or solution gains popularity, these bad actors will work to break it. They share information and techniques, they even have “as-a-service” methods they can use. They constantly work to stay informed and create alternative ways to access, encrypt, and steal your agency’s data.
Therefore, you should always be aware of your vulnerabilities, the latest threats, and the newest techniques to breach your systems, environments, and databases. Fortunately, it is Cohesity’s mission to try to keep pace with the bad actors. Our data management platform is designed to help your agency protect and manage your data using Zero Trust principles, and new services and updates are added regularly to keep pace with emerging threats.
Zero Trust starts with understanding your environment. Conducting a thorough inventory of your critical data, infrastructure, applications, and services is key. You can’t implement controls on something you don’t know is there. Use guidance documents like NIST 800-207 and the Zero Trust Maturity Model to help you identify those critical assets and shape your ZTA strategy.
Putting it all together, regardless of your maturity level with ZTA implementation, there are steps that can validate what has been completed while providing a foundation for enhancement. Visibility is a continuous challenge, and Cohesity helps to consolidate silos and simplify management of your data. As it relates to ZTA, this allows for global visibility across assets to see whether they are protected or not. It also allows for tighter integration with existing security tools.
Cohesity data management and protection, built on the principles of Zero Trust, helps keep your mission-critical data safe and your agency resilient. To learn more, see the Cohesity Threat Defense architecture overview.