Network security needs a strategic shift from perimeter-based security toward a zero trust approach in order to adapt to new threats and changing technologies, according to one industry expert.
In a recent episode of “Government Matters,” WashingtonExec Cybersecurity Council Chairman and President of Cyxtera Federal Group Greg Touhill discussed the changes in zero trust security strategy. Zero trust networks are “an acknowledgment that you can’t trust anybody on the outside of your networks, and you can’t trust anybody on the inside of the networks,” he said.
Zero trust security requires verification of anyone trying to access information, regardless of whether they are inside or outside a particular network. This security model differs from the traditional “castle and moat” approach, which makes an entire network’s information available to whoever gains access.
A strategic change needs to be made regarding our approach to network security because the traditionally protective perimeter is “gone… the real perimeter is the individual,” said Touhill, who previously served as the nation’s first chief information security officer.
He believes the zero trust strategy is best suited to protect networks but cautions that we need to look at the “people, process and technologies” when implementing it. Virtual private networks are outdated and they, along with other old technologies, “need to go,” Touhill said.
“VPNs are clogging the firewalls and taxing our already-stressed cyber workforce,” he said. “I think if you do it right, you can lessen the impact on the personnel.”
The implementation of zero trust, Touhill points out, must begin with authenticating personnel and their roles. Once this happens, people should only have access to the data and information they are authorized to see. This practice is called “least privilege,” which Touhill defines as “where you can only see and do what you are authorized to do.”
Achieving the micro-segmentation of networks down to the individual level is the “acme of skill with zero trust,” as it allows for stronger security within a given network, he said.
While the government was at the forefront of security research at the turn of the millennium, it is now falling behind and needs to use best practices to implement security models, Touhill said.
Government partners should recognize “the perimeter is dead,” and “we need to take the zero trust security strategy, take an identity-centric approach and pick tools that are going to simplify our environment, reducing our overhead costs, and the burden on our people, and getting our people that are using their systems to do it more securely,” he said.