It took a while, but the enterprise world finally seems to be catching on. We have been dealing with the issue of authorized access to networks since the beginning of the age of computer networks. We have tried all sorts of clever ideas, yet we still run into countless cybersecurity issues related to unauthorized users accessing the network and causing lots of problems. One of the biggest is what is known as the “moat and castle” problem, wherein once a user is given access to the enterprise environment, the user has access to much more than they should. While this may not be a problem with trusted users (e.g. faithful and loyal employees), it becomes a huge problem when someone masquerading as a trusted user gets access. Hence the need for what we collectively refer to as “Zero Trust”.
Simply put, Zero Trust is a concept where all users and applications are constantly verified and given access to only what the user and/or application needs to perform the requisite authorized tasks and functions in a network. In the old days we used to say “trust but verify”, but in a Zero Trust network it’s more like “don’t trust but verify”.
So it seems like this is catching on. An article recently published in VentureBeat, written by Louis Columbus, “2023 cybersecurity forecasts: Zero trust, cloud security will top spendings”, states that Zero Trust will top cybersecurity spending by enterprises in 2023. Nice!
In our last blog entry, “CISA Establishing Some New Goals”, we spoke about CISA establishing new cybersecurity goals; however, in reviewing the CISA documents, there does not seem to be any emphasis on Zero Trust. It is important for government agencies to keep up with the pace of cybersecurity technology in the very dynamic environment found in the enterprise world, because many of the same principles can and should be applied in the Operational Technology (OT) world. Many legacy OT devices currently operate in a completely open manner with nothing even resembling authentication, which means that a bad actor gaining access to such devices can do as they please, and you can be assured that they are aware of such opportunities. Applying principles of Zero Trust networking to OT environments would solve many (if not all) of these cybersecurity issues.
It is also important for agencies like CISA to actively support principles such as Zero Trust networking in order to encourage more growth and development in this area. We certainly see lots of financial support going to military spending; however, both modern and future battles will be fought at the network level, so it seems appropriate to allocate a significant portion of such funds to cybersecurity, and Zero Trust is certainly a good place to focus.