
Zero Trust becomes an essential weapon against cyber attacks

6th December 2021 - 12:15 GMT | by David Walsh in Washington DC


MG Matthew Easley, head of cybersecurity and Chief Information Security Officer in the US Army. (Photo: US Army)

The DoD aims to begin rolling out Zero Trust architecture in December 2021, as it moves from network-centric to data-centric security models.

Specialists from the US military increasingly believe that a tiered approach is necessary to combat the latest generation of cybersecurity vulnerabilities.

The latest high-priority effort is implementing the White House-mandated Zero Trust (ZT) Environment framework. The DoD aims to roll out the first-generation architecture for this concept in December 2021, putting it on the road to implementing ZT in the years ahead.

As developed by the US National Institute of Standards and Technology (NIST), ZT means that a given organisation does not inherently trust any user. Trust must be continually assessed and granted in a granular fashion.

In guidance released in February 2021, the National Security Agency stated that the ZT security model ‘eliminates implicit trust in any one element, node or service and … assumes that a breach is inevitable or has likely already occurred. It deploys comprehensive monitoring, granular risk-based access controls and security’.

At an invitation-only event attended by Shephard in October, speakers discussed how to elevate cybersecurity with ZT across military and other federal government networks.

Keynote speaker MG Matthew Easley, head of cybersecurity and Chief Information Security Officer in the US Army, said that ZT automation protocols would help make prevention and detection ‘stronger and more cost effective’.

‘Attackers are moving up the stack into the application layer itself’ - MG Matthew Easley, Chief Information Security Officer, US Army

The new model would be required before cybersecurity-related tasks are undertaken, he added. ‘The system can then build upon that trust as you work with it.’

Easley said that ZT is anything but ‘an abstract academic concept’, being ‘a critical [construct embracing] the realisation that we need a layered systems engineering approach’ to proliferating dangers from malware to ransomware.

A ZT framework is needed because ‘the IT landscape is changing dramatically’ and the US Army network ‘is now much more porous’, he added, with a large portion of the workforce operating remotely.

‘The attacks now are much more complex and automated,’ Easley emphasised. ‘The locations have changed. Attackers are moving up the stack [from easier-to-defend lower tiers] into the application layer itself.’

With ‘easy to use scripts,’ machine-learning and AI tools available to independent hackers and state-backed groups, electronic assaults are becoming ‘easier and easier to execute,’ he warned, especially with traditional logins being ‘easily purchased on the dark web’.

The tiered approach at the root of the ZT paradigm for the US military is nothing new; it has been used for years in the financial and banking industries, for instance, with credit card controls and multi-factor authentication.

Everything ‘begins with the individual,’ Easley concluded, ‘which is why multi-factor authentication and [classical, current] public-key encryption are so important.’


David Walsh is a cyber and space security writer based in Maryland, US.
