Information security is the most important issue in the Internet era. The concept of "zero trusts" and "zero trust architecture", which never trust, must be verified and quickly adopted.
What is zero trust?
The zero-trust security model assumes malicious intentions from users, data, and devices inside and outside the network. According to the Federal Chief Information Security Officer, because it can limit the sharing of data that is essential to the operation of many organizations, it requires the cooperation of both the technology and mission of the organization to work properly.
Zero trusts are a strategic network security model used to protect modern digital business environments. These increasing environments include public and private clouds, SaaS applications, development and maintenance, robotic process automation (RPA), and more. The zero-trust concept believes that organizations should not automatically trust anyone, regardless of whether they are inside or outside the network boundary. The zero-trust model requires that persons and individuals attempting to connect to organizational systems must be authenticated before they can gain access. The main goal of zero trusts is to reduce the risk of most organizations being exposed to cyber-attacks in a modern environment.
For most of the past 20 years, the federal government has segmented its systems and networks, but allows authenticated users to "almost see everything in it.", "If they have proper access ", you can control it freely", which is part of a larger transformation of the federal government to promote greater information sharing after 9/11. "This is very useful for information sharing. From a security perspective, this is a challenge because it is an opportunity for our opponents."
Zero trust architecture
The zero-trust architecture can help block those adversaries by adding device and location-based data and other trust indicators to standard login credentials when granting or retaining access. However, if the security framework also does not consider task requirements and other contextual data, doing so may compromise expected and important access rights.
When trust is zero, agencies will have to reassess who can access what information under what circumstances. Compared with employees who log in remotely, employees who actually work in federal agencies may have different access rights and privileges. When the role of employees (and corresponding access rights) changes, agents must also better track and update quickly.
The technology required to build zero trusts is not particularly complex or difficult to implement. What is trickier is to ensure that the agency has clear access rules. These policies and decisions "will come from the task side of understanding data and the environment, the business side." This means that CIOs and CISOs must be involved in training mission security personnel.