COVID-19 Should Prompt Enterprises to Move Quickly to Zero Trust 

While implementing zero trust architecture during this period of coronavirus-caused disruption is unlikely, agency leaders can take some steps to build some of the foundational capabilities necessary.

COVID-19 makes organizations confront the reality that their network boundaries no longer end with their own infrastructure but now extend to employees’ homes. Underscoring this is the Office of Management and Budget’s request that federal agencies “offer maximum telework flexibilities to all current telework eligible employees, consistent with operational needs of the departments and agencies.” To maintain continuity of operations, government organizations must move toward a new network security paradigm that distrusts all devices and users and denies them access to network resources until they have demonstrated the requisite level of security and authorization. That strategic initiative is called “zero trust.” 

Zero trust models, according to the National Institute of Standards and Technology, “assume that an attacker is present on the network and that an enterprise-owned network infrastructure is no different – or no more trustworthy – than any non-enterprise owned network.”

In 2019, the Department of Labor’s Bureau of Labor Statistics estimated that in 2017-2018, approximately one-third of wage and salary workers were able to, and did, work from home. In light of the recent COVID-19 pandemic, however, the number of those teleworking far exceeds this estimate and is growing daily, according to news reports. Contrast this higher demand with another 2019 study showing that close to 50% of remote employees admit to using applications or software not approved by their companies, and it is easy to see how the effects of a crisis like COVID-19 extend across agencies. To better protect federal and contractor resources and information as traditional location- or perimeter-based defenses become less effective, enterprises should consider security principles like zero trust that assume complexity and anticipate diversity. Security strategies built upon zero trust principles consider factors such as the types of employees who are working (e.g., full-time employees, contractors), the devices that are using the network (e.g., laptop, mobile, internet of things), and the methods by which access requests to information resources are made.

At the heart of zero trust is the goal of “preventing unauthorized access to data and services coupled with making the access control enforcement as granular as possible.” In order to achieve this vision, several technical elements are necessary, and it is important to note that a single commercial tool or technology will not be able to deliver all capabilities. Per NIST, the logical elements of zero trust include: policy engine, policy administrator, and policy enforcement point. Several data sources are necessary to provide input to these policy-based mechanisms which will feed the trust algorithm that ultimately determines whether to grant (or deny) access to information resources based on the level of evaluated trust of the endpoint/user combination. NIST categorizes the types of input as: access request; user identification, attributes and privileges; asset database and observable status; resource access requirements; and threat intelligence.
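The decision flow described above can be sketched as follows. This is an added example, not code from the article or from NIST: it models the five input categories as small constructed tables and a deny-by-default trust algorithm, and every name, score and threshold in it is an illustrative assumption.

```python
from dataclasses import dataclass

# All names, scores and thresholds are illustrative assumptions, not NIST values.
@dataclass(frozen=True)
class AccessRequest:  # input 1: the access request
    user: str
    device_id: str
    resource: str
    source_ip: str

# Constructed sample data standing in for the other four input categories.
USERS = {"alice": {"roles": {"hr"}, "mfa": True},              # input 2: identity,
         "bob": {"roles": {"contractor"}, "mfa": False}}       # attributes, privileges
ASSETS = {"lt-100": {"managed": True, "patched": True},        # input 3: asset database
          "byod-7": {"managed": False, "patched": False}}      # and observable status
RESOURCES = {"payroll-db": {"roles": {"hr"}, "min_trust": 80}, # input 4: resource
             "wiki": {"roles": {"hr", "contractor"}, "min_trust": 40}}  # requirements
THREAT_INTEL = {"203.0.113.9"}  # input 5: threat intelligence (documentation address)

def policy_engine(req):
    """Trust algorithm: returns (decision, score, reasons); denies by default."""
    user = USERS.get(req.user)
    asset = ASSETS.get(req.device_id)
    res = RESOURCES.get(req.resource)
    if user is None or asset is None or res is None:
        return "deny", 0, ["unknown user, device or resource"]
    if req.source_ip in THREAT_INTEL:
        return "deny", 0, ["source address on threat-intel list"]
    if not user["roles"] & res["roles"]:
        return "deny", 0, ["no role grants this resource"]
    score, reasons = 0, []
    checks = [(user["mfa"], 40, "no MFA"),
              (asset["managed"], 30, "unmanaged device"),
              (asset["patched"], 30, "device missing patches")]
    for passed, points, why in checks:
        if passed:
            score += points
        else:
            reasons.append(why)
    # Granularity: each resource sets its own bar for the same user/device pair.
    decision = "grant" if score >= res["min_trust"] else "deny"
    return decision, score, reasons

def policy_enforcement_point(req):
    """PEP: opens the path only on a grant (policy administrator step collapsed)."""
    decision, _, _ = policy_engine(req)
    return decision == "grant"
```

The same user on the same unmanaged device is granted the low-sensitivity resource and denied the high-sensitivity one, which is the per-request granularity the quoted goal calls for.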

The integrity of the data yielded in answer to these questions lies at the heart of a successful zero trust architecture and forms the evaluated trust that is used to grant (or deny) the access request. To that end, a dynamic and accurate accounting of users, connected devices, and their attributes, hygiene and configurations is foundational to zero trust architecture. While implementing zero trust architecture during this period of coronavirus-caused disruption is unlikely, agency leaders can take steps to build some of the foundational capabilities necessary to implement zero trust. A good way to begin is by asking how your organization determines:

  • What is connected? What devices, applications, and services are used by the organization? This includes observing and improving the security posture of these artifacts as vulnerabilities and threats are discovered.
  • Who is using the network? What users are part of the organization or are external and allowed to access enterprise resources?
  • What is happening on the network? Agencies need insight into traffic patterns and messages between systems. 
  • How is data protected? Federal and contractor teams must enforce policies on how information is protected at rest, in transit, and in use.

To answer these questions, organizations must have the capability to continuously detect, profile, determine required authorization, evaluate the security posture of, and enforce policy-based controls on all connecting devices. They must be able to do this for traditional information technology devices as well as non-traditional operational technology devices, including building automation systems, industrial controllers and other mission-supporting devices. Further, organizations should be able to monitor and analyze communication patterns between specific departments, devices or groups of devices, offering a comprehensive understanding of device behavior, and the ability to enforce policies across all network environments (campus, cloud systems, data centers, and VPN/remote networks). 

Initiatives like the Continuous Diagnostics and Mitigation and Comply-to-Connect programs for civilian and defense agencies, respectively, are good examples of zero trust-based strategies that begin with the four fundamental questions above.

Employees are increasingly enabled to work from home by a variety of software applications and increased network functionality. But accessing corporate resources from home, even with the best planning, can introduce risk. COVID-19 will not be the last thing to disrupt normal federal operations, but greater reliance on zero trust principles in cybersecurity will help agencies fulfill missions, enhance preparedness for future physical and IT contingencies and yield greater metrics for continually adapting defenses over time.

Ellen Sundra is vice president of Global Systems Engineering at Forescout Technologies.
