
Think Zero Trust Applies Only to Federal Agencies? Think Again!

Published 10/07/2022

Originally published by Thales here.

In my last blog post, I explained how Federal Civilian Executive Branch (FCEB) agencies can comply with the White House Executive Order (E.O.) on implementing zero trust. The solutions described there do this by offering capabilities such as Bring-Your-Own-Encryption (BYOE), multi-factor authentication, and risk assessment.

Beyond the Public Sector

By nature, the E.O. covers federal agencies. But that’s not to say that it’s limited to public-sector organizations. Danna Bethlehem, Director of Product Marketing, Identity & Access Management (IAM) at Thales, said she doesn’t think that federal agencies will be the only ones to use the E.O. to ultimately get more proactive with their zero trust programs. She specifically cited the idea of “a trickle-down effect into different sectors, a phenomenon which we tend to see with all things regulatory.”

Here's Bethlehem with more insight:

“I anticipate the Executive Order will ultimately serve as a broad guideline for all industries,” she explained, as quoted in an article published on LinkedIn. “This will lead to alignment of industry-specific best practices and compliance requirements in years to come. This is good news, as it will lead to greater standardization across different industries in terms of their security practices. It will also help to motivate other industries not governed by specific regulations to be more proactive about implementing more effective access security.”

Why Is This Relevant?

Private organizations stand to benefit from the May 2021 E.O. and from the strategy released by the U.S. Office of Management and Budget (OMB) a few months later. They understand the intricacies of implementing zero trust no better than government organizations do. In fact, they experience just as much trouble implementing zero trust as their counterparts in the public sector.

Let’s examine some of the private-sector challenges now. In a previous blog post, Haider Iqbal, Business Development Director at Thales, identified getting authorization from corporate leadership as perhaps the biggest obstacle in private organizations’ zero trust journeys.

“Like any other large project, it gets approved based on business numbers and confidence,” he clarified. “Prior to full approval, it can be done piecemeal. An obstacle in receiving resources for the project is the high cost. The cost is spread out across multiple business domains, including time, technology, infrastructure, and skilled personnel to manage all of the aspects. The lack of a single-source or one-time solution makes the process complicated, though not impossible. While some of these costs, such as multi-factor authentication (MFA) or endpoint detection and response (EDR), could reasonably be demonstrated to have a business return on investment (ROI), other aspects may be tougher to quantify.”

If private organizations succeed in getting the corporate authorization they need, they then must identify all the assets they want to bring into a zero-trust network. Part of this process involves mapping the communication flows between those assets. That task comes with its own challenges. Generally, it’s not something that IT can solve on its own, noted BankInfoSecurity. The organization needs to enlist the help of other stakeholders like physical security personnel and Operational Technology (OT) teams to document devices like security cameras, building management systems, and industrial control assets. If the digital readiness isn’t there, those teams might not cooperate, thus limiting the scope of any zero trust efforts going forward.

Finally, there’s still not much known about the actual impact of zero trust once it’s in place. The National Cybersecurity Center of Excellence (NCCoE) specified that “there has been no detailed examination of how a ZTA would or could impact end-user experience and behavior.” Acknowledging this ambiguity, organizations everywhere need to maintain open communication with their employees. Zero trust won’t work without the input of the workforce. In response, leadership needs to create a channel for hearing employee comments and concerns, feedback that it can then use to make appropriate changes.

How to Implement Zero Trust

It’s a complex task for private organizations to gain the corporate authorization, asset visibility, and employee cooperation necessary to implement zero trust. Even then, they need to worry about the actual technical controls that go into building a zero-trust network. TechRepublic notes that IT and security need to use the principle of least privilege and access controls to segment the network so that attackers can’t use a single compromise to pivot to all other connected assets. The publication also highlights the importance of using firewalls to monitor all inbound and outbound traffic for signs of threats, as well as gathering and analyzing security log events so that leadership can better prepare for attacks going forward.
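The two steps above, mapping the communication flows between inventoried assets (from the asset-visibility discussion earlier) and then applying a least-privilege segmentation policy that denies everything not explicitly allowed, can be modelled in a few lines. The following is an added example written for this page, not code from Thales, CSA, or TechRepublic: the asset names, segments, allowlist, and flow-log lines are all constructed for illustration, and the log format is a made-up "src dst port" layout rather than any vendor's.

```python
"""
Added example (not from the original post): build a segment-to-segment
communication map from flow-log records, then evaluate each flow against a
deny-by-default, least-privilege allowlist. Flows the policy would block are
the events a firewall log review should surface; assets missing from the
inventory show where asset visibility (and OT/physical-security cooperation)
is still incomplete. All names and log lines are constructed.
"""
from collections import defaultdict

# Constructed asset inventory: asset -> network segment (asset-visibility step).
ASSET_SEGMENT = {
    "hr-laptop-01": "user",
    "web-01": "dmz",
    "db-01": "data",
    "cam-lobby-01": "ot",   # documented together with physical security
    "bms-01": "ot",         # building management system, documented with OT
}

# Least-privilege allowlist: (src_segment, dst_segment, dst_port).
# Anything not listed here is denied by default.
ALLOWED_FLOWS = {
    ("user", "dmz", 443),   # users reach the web tier over HTTPS
    ("dmz", "data", 5432),  # web tier reaches the database
    ("ot", "ot", 80),       # camera talks to the building management system
}

# Constructed flow-log lines in a made-up "src dst port" layout.
SAMPLE_LOG = """\
hr-laptop-01 web-01 443
web-01 db-01 5432
hr-laptop-01 db-01 5432
cam-lobby-01 bms-01 80
web-01 cam-lobby-01 22
plc-07 bms-01 502
"""


def parse_flows(text):
    """Parse the constructed log format into (src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        flows.append((src, dst, int(port)))
    return flows


def segment_of(asset):
    """Segment for an asset; anything not inventoried is 'unknown'."""
    return ASSET_SEGMENT.get(asset, "unknown")


def map_flows(flows):
    """Communication map: (src_segment, dst_segment) -> set of observed ports."""
    flow_map = defaultdict(set)
    for src, dst, port in flows:
        flow_map[(segment_of(src), segment_of(dst))].add(port)
    return dict(flow_map)


def evaluate(flows, allowed=ALLOWED_FLOWS):
    """Return flows the deny-by-default policy would block, with segments."""
    denied = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if (s, d, port) not in allowed:
            denied.append((src, dst, port, s, d))
    return denied


def uninventoried_assets(flows):
    """Assets seen in the logs but absent from the inventory (visibility gaps)."""
    seen = {a for src, dst, _ in flows for a in (src, dst)}
    return sorted(a for a in seen if a not in ASSET_SEGMENT)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for segs, ports in sorted(map_flows(flows).items()):
        print(f"{segs[0]:>8} -> {segs[1]:<8} ports={sorted(ports)}")
    for src, dst, port, s, d in evaluate(flows):
        print(f"DENY {src} ({s}) -> {dst} ({d}) port {port}")
    print("uninventoried:", uninventoried_assets(flows))
```

Running the module prints the segment map, then the three flows the policy would block: a user laptop reaching the database directly, the web server opening SSH to a camera (the kind of pivot from a single compromised host that segmentation is meant to stop), and a flow from an asset no team has inventoried. The last case is the practical signal that the OT or physical-security stakeholders the article mentions still need to document their devices before the policy can cover them.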
