3 Critical Steps in Implementing a Mature & Resilient Zero Trust Architecture
In publishing the "Executive Order on Improving the Nation's Cybersecurity" in May 2021, the White House set a 60-day deadline for agencies to develop a plan to implement a Zero Trust Architecture based on standards and guidance from the National Institute of Standards and Technology (NIST).
To address the challenges agencies face in meeting that mandate, I sat down with Jeffrey Phelan, Chief Technology Officer for Public Sector at Rubrik. We discussed three steps agencies can take to overcome barriers and establish the level of vigilance and resiliency needed for a mature Zero Trust architecture:
1. Take a risk-management approach instead of merely checking compliance "boxes."
For too long, agencies have resorted to compliance-based cybersecurity strategies, meaning they check all of the required "boxes" for whichever regulations apply to them, and then they (falsely) conclude they're protected.
In contrast, Zero Trust is about risk management: You identify which threats are most likely to target your agency, then identify the systems and data that are most critical to your mission. Next, you enforce Zero Trust authentication and other controls for your highest-priority assets first, and then work on down from there.
2. Harden the infrastructure against lateral movement and privilege escalation.
Many security teams allocate their resources to defending the network and perimeter without considering the infrastructure behind it. But decades-old infrastructure was never designed to deal with today's adversaries and persistent attacks. "If the adversaries get through the infrastructure, then the crown jewels are a sitting duck, right?" Phelan said. "They're just sitting there. The adversaries are going to move laterally. They're going to go for credentials. They're going to elevate their credentials."
In response, a mature Zero Trust Architecture blocks the adversary's lateral movement and ability to escalate privileges at the infrastructure level, rather than focusing exclusively on the network and perimeter. Every request to reach a system is evaluated on its own merits (who is asking, from which segment, on what device), and east-west traffic that has not been explicitly permitted is denied by default.
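As an added example (not code from the article, from Rubrik or from WWT), the following Python sketch ties steps 1 and 2 together: it ranks a constructed asset inventory by risk to decide where Zero Trust controls are applied first, then makes default-deny access decisions in which a foothold on a user workstation cannot reach the crown jewels and a stolen password alone does not satisfy the higher tiers. The asset names, network segments, scores and tier thresholds are hypothetical.

```python
# Added example (not from the article or from Rubrik/WWT): a risk-tiered,
# default-deny access decision. Asset names, segments, scores and thresholds
# are hypothetical illustrations.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int                 # 1-5: mission impact if compromised
    exposure: int                    # 1-5: how likely adversaries are to target it
    allowed_sources: FrozenSet[str]  # network segments explicitly permitted to reach it

    @property
    def risk(self) -> int:
        return self.criticality * self.exposure


def tier(asset: Asset) -> int:
    """Tier 1 = crown jewels (enforced first), tier 3 = lowest priority."""
    if asset.risk >= 15:
        return 1
    if asset.risk >= 8:
        return 2
    return 3


def rollout_order(assets: List[Asset]) -> List[Asset]:
    """Order in which Zero Trust controls are applied: highest risk first."""
    return sorted(assets, key=lambda a: (tier(a), -a.risk, a.name))


@dataclass(frozen=True)
class Request:
    principal: str
    source_segment: str
    mfa: bool
    managed_device: bool
    target: str


def decide(req: Request, asset: Asset) -> Tuple[bool, str]:
    """Default-deny policy decision for one request against one asset."""
    # Infrastructure-level check: east-west traffic is denied unless the
    # source segment is on the asset's explicit allow-list, so a foothold on
    # a workstation cannot reach the crown jewels directly.
    if req.source_segment not in asset.allowed_sources:
        return False, f"segment {req.source_segment} not permitted to reach {asset.name}"
    # Identity and device checks tighten with tier, so a stolen password
    # alone is not enough on the assets that matter most.
    t = tier(asset)
    if t <= 2 and not req.mfa:
        return False, f"MFA required for tier-{t} asset {asset.name}"
    if t == 1 and not req.managed_device:
        return False, f"managed device required for tier-1 asset {asset.name}"
    return True, "allow"


# Constructed inventory: three assets of differing mission criticality.
ASSETS: List[Asset] = [
    Asset("payroll-db", criticality=5, exposure=4, allowed_sources=frozenset({"app-tier"})),
    Asset("hr-app", criticality=4, exposure=3, allowed_sources=frozenset({"user-vlan", "vpn"})),
    Asset("wiki", criticality=2, exposure=2, allowed_sources=frozenset({"user-vlan"})),
]
ASSETS_BY_NAME: Dict[str, Asset] = {a.name: a for a in ASSETS}

# Constructed requests, including an attacker who has stolen a password on a
# user workstation and is trying to move laterally toward the crown jewels.
REQUESTS: List[Request] = [
    Request("stolen:jdoe", "user-vlan", mfa=False, managed_device=False, target="payroll-db"),
    Request("stolen:jdoe", "user-vlan", mfa=False, managed_device=False, target="hr-app"),
    Request("svc:payroll-api", "app-tier", mfa=True, managed_device=True, target="payroll-db"),
    Request("svc:batch", "app-tier", mfa=True, managed_device=False, target="payroll-db"),
    Request("jdoe", "user-vlan", mfa=False, managed_device=False, target="wiki"),
]


def evaluate_all() -> List[Tuple[str, str, bool, str]]:
    """Run every constructed request through the policy.

    Returns (principal, target, allowed, reason) for each request.
    """
    return [(r.principal, r.target, *decide(r, ASSETS_BY_NAME[r.target])) for r in REQUESTS]


if __name__ == "__main__":
    print("Control rollout order:", [a.name for a in rollout_order(ASSETS)])
    for principal, target, allowed, reason in evaluate_all():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {principal:>16} -> {target:<10} {reason}")
```

The point of the tiering is the one the article makes: the lowest-risk wiki is reachable with a plain password from the user VLAN, which is acceptable while effort goes into the payroll database, where both the segment allow-list and the device requirement stop the attacker even though the stolen credentials are valid.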
3. Add a new layer of resiliency via backup and "digital twins."
This further hardens the infrastructure. With readily available tooling, agencies gain enough visibility to know who is attacking them and what those adversaries are after. Risk management then identifies the highest-priority assets, and agencies can create "digital twins" of those assets' environments.
Within the duplicated environment, for example, agencies can conduct penetration testing and patch testing, and can put threat-hunting teams to work. In addition, data can be moved into that environment as part of a backup protection plan. "Operationalizing the backup infrastructure especially gives organizations a very resilient capability," Phelan said, "but they're not taking advantage of it." Furthermore, WWT's customers can test operational models for resiliency in WWT's Recovery Range to further evolve and improve their cyber defenses.