What is Zero Trust and Why Do I Need It?

Date: June 15, 2021

The traditional approach to cybersecurity focuses on building walls to keep out bad actors. This approach, known as the perimeter and defense-in-depth models, worked in the early days of the Internet but is no longer sufficient for today’s threats. Information systems have reached a tipping point. They are increasingly complex and more difficult to secure. Similarly, attackers are more sophisticated, work in groups, use advanced tools, and have much to gain from a successful hack. Malicious actors continue to find ways to penetrate systems and wreak havoc on legacy and emerging technologies, from desktops and mobile devices to modern virtual and cloud environments. Traditional security paradigms are unable to prevent today’s attacks, creating a need for an evolved paradigm to address the shortcomings of the perimeter and defense-in-depth models.

How can businesses withstand, or spring back from, a sophisticated cyber-attack?

Zero Trust for Improved Cyber Resilience

Rather than protecting with a series of impenetrable barriers, organizations are pivoting to a Zero Trust strategy as the cornerstone of their evolutionary approach to cyber resiliency. Zero Trust is a set of guiding principles developed to provide least-privilege, per-request access to a network, with an underlying assumption that the network is compromised. Zero Trust is not a one-size-fits-all approach to solve all security concerns, but it is a major shift in the right direction.

To develop a Zero Trust strategy, organizations need to start with a better understanding of their systems architecture. To evolve into a ‘trust nothing, verify everything’ approach, this architecture is then enhanced by a customized set of technologies and processes that increases the trust level across enterprise systems for a new Zero Trust Architecture (ZTA). The good news is that many organizations already have elements of a Zero Trust solution in place as they seek to mature their ZTA. For instance, they may have some components such as an on-premises identity management system with static rules and some single sign-on (SSO), though they lack visibility into device compliance, cloud environments and logins. Very few organizations have networks that are split into subnetworks. Many organizations have a flat network with very little segmentation, resulting in broad risk exposure.

Zero Trust embraces the “assume breach” mindset, a core component of cyber resilience. Let’s assume that bad actors can get past the wall. Stolen credentials are useless if strong multi-factor authentication is implemented across the organization. Network segmentation can prevent lateral movement if the attacker is already inside the network. Continuous contextual authorization will further aid in limiting access only to those who are authorized. A strong Security Operations Center (SOC), incident detection and automated response capabilities are all part of a mature Zero Trust approach. Working with all stakeholders to develop a Zero Trust Roadmap is essential to achieving adoption across the enterprise.

Federal Government’s Pivot to Zero Trust

The U.S. Government is a proponent of Zero Trust implementation to safeguard the nation’s assets against cyber-attacks, which have become widespread during the pandemic. The National Institute of Standards and Technology (NIST) has responded by recently delivering new guidance in its SP 800-207, which helps organizations implement a ZTA, and the Defense Information Systems Agency (DISA) will follow suit later this year. Organizations will need support as they seek to mature a Zero Trust approach that meets their mission objectives.

T-Rex provides its Federal clients with expert guidance on these NIST and DISA frameworks and leverages its experience with large-scale cyber threat intelligence, analysis and operations to support a Zero-Trust journey. Our team is working with security teams to facilitate Federal guidance as government agencies mature their Zero Trust capability.

The path to Zero Trust is unique to each organization.

Start with what your organization needs the most, whether it’s secure access to the Internet or cloud resources, continuous multi-factor authentication, or network segmentation. Having a good roadmap in place will guide your organization on its Zero Trust journey, facilitate consensus of adoption among stakeholders and provide a rubric to measure your progress. Zero Trust is still maturing and involves the integration of multiple layers and technology. Working with an industry partner can facilitate and support this journey so that your systems can be flexible, resilient and withstand the attacks.

Call us today to get started on your own Zero Trust journey!

