Don't trust and check. How the US will protect the country's digital borders with Zero Trust.

Teacher

Different countries have different ways of ensuring national cybersecurity. Some build "golden shields", others slow down Twitter. And in the US, the Biden administration has adopted a new strategy that takes the zero-trust approach as its basis. Let's look at how, and with what tools, the US authorities are going to protect themselves from external hacker intrusion.

Everyone is under suspicion
This concept was first proposed in 2010 by John Kindervag, an analyst at Forrester Research. Zero Trust is described in one phrase: "Never trust, always check." With this approach, work networks no longer have trusted zones, just as there are no "external" or "internal" networks. In other words, you can't trust users, applications, or systems "just like that". Before granting access to something, you need to check the appropriate permissions. Among the companies that adhere to this approach are Coca-Cola, Microsoft, Google and others.

Previously, it was easy to protect the corporate network: the perimeter was physical and all machines were located in one place. But remote work has changed everything: now the notional "perimeter" is scattered across different locations, and getting "inside" has become much easier. In this situation, the Zero Trust approach looks like an absolutely basic measure. According to the US authorities, it needs to be implemented in order to keep up with the current level of development of intruders.

Specific plan
The US authorities are persistently and thoroughly pushing government agencies to adopt zero-trust cybersecurity systems. On September 7, the White House published a draft federal strategy for the transition of the US government to this architecture. Agencies were instructed to develop plans for the implementation of Zero Trust with specific targets and results. Here are some of them:
  • fighting phishing with multi-factor authentication;
  • treating most networks as untrusted;
  • traffic encryption;
  • strong data protection;
  • working in a secure cloud environment;
  • ensuring application security.

The country's authorities recognize that the transition of ministries and departments to the Zero Trust architecture will be a "multi-year journey" and declare in advance that they are ready to make adjustments to the documents as new methods and technologies become available.

To present the initiative and collect feedback, a website with a handsome address (it would look good in a movie with a title like "Hacker Hackers") was created: https://zerotrust.cyber.gov. Feedback will be collected until October 1.

A future without trust
It is expected that by the end of September 2024, all US government agencies will reach these results in the following five areas.

Identification. Employees use a single authorization system to access their work applications. A phishing-resistant multi-factor authentication system protects employees from online attacks of any degree of sophistication.

Devices. The US government has a complete list of all devices used by agencies. This allows you to quickly detect incident locations and respond to them.

Network. Agencies encrypt all DNS requests and all HTTP traffic, and segment networks around their applications. Special attention is also paid to email encryption.

Applications. Agencies regularly and thoroughly test their applications for vulnerabilities and do not ignore external reports about them.

Data. All data is carefully categorized so that the value of each type of information is clear. Institutions take advantage of cloud-based security services to control access to sensitive data.

Gently, but not quite
The published documents repeatedly state the following: each department is at a different level of readiness, it will take a very long time to fully implement Zero Trust, and haste will only do harm. Therefore, the process must be approached thoroughly. An illustration of how long this path is (and that the US authorities need it) is the Zero Trust Maturity Model. Matching it is not necessary, but it is desirable. This intermediate model contains the same five goals, and for each of them it describes in detail how things should work at the "traditional", "advanced" and "optimal" ratings.

Thus, the US authorities actually mean the following: "the road to a beautiful future is long and difficult, start moving towards it right now. And to make it easier for you to pass through it, here are bright flags for you, do not get lost." How effective this is, we will find out soon, because the next US election is just in 2024.
 