As we continue through Cybersecurity Awareness Month, federal agencies march towards Zero Trust deadlines, and the attack landscape remains as ripe and fruitful as ever — Zero Trust continues to make headlines.
Here are a few of the stories, perspectives, and opinions on Zero Trust that stood out to us most this month.
“It’s one of the biggest trends in cybersecurity, and also one of the hardest to define,” writes CRN reporter Kyle Alspach at the start of his slideshow article on Zero Trust.
As part of CRN’s Cybersecurity Week 2023, Kyle talked to some of the most well-respected, expert voices in the space to break down some of the most common pitfalls, challenges, and opportunities that Zero Trust presents.
“The No. 1 thing that people stumble with, and the biggest issue, is they try to go too big, too fast,” Illumio Chief Evangelist John Kindervag, the Godfather of Zero Trust, explained. “They try to do it for their entire company, or their entire organization, and you can’t scale it that way. Cybersecurity is a massive problem. What zero trust does is it breaks it down into bite-sized, manageable chunks.”
Kyle goes on to explore the massive channel opportunity that remains for Zero Trust, the challenges presented by the cloud, and counters the notion of a Zero Trust “silver bullet.”
"For those who haven’t already heard this a hundred times,” Kyle writes, “No, there isn’t any one single product or technology that can single-handedly deliver zero trust.”
Instead, organizations require a customized, incremental approach.
The Department of Defense (DOD) is working to ensure that U.S. federal agencies make good on their Zero Trust plans.
According to DefenseScoop reporter Mark Pomerleau, “The services and other DOD components are due to submit their proposals to the Pentagon’s zero-trust portfolio management office by Oct. 23, a congressionally mandated deadline that will come a year after the department released its zero-trust strategy.”
Randy Resnick, Director of the Zero Trust Portfolio Management Office within the DOD Chief Information Office, explained that officials plan to “spend the next four to six weeks, probably six weeks, analyzing every one of those plans and measuring the success of those plans on whether or not they’re giving us the information so that we know every single component is going to be hitting target-level zero trust or higher by fiscal ’27 or earlier.”
According to Pomerleau, Resnick anticipates that 80 to 90 percent of DOD components will likely meet or exceed expectations, while others may require additional work to comply with certain aspects.
A compelling perspective on how to elicit maximum value from your Zero Trust projects. CSO contributor Michelle Drolet explains, “Breaches are inevitable — locking windows and doors alone is not enough.”
To make good on your Zero Trust applications, Drolet recommends that security teams leverage tools like microsegmentation to prevent lateral movement across environments, deploy fine-grained user access to reinforce least-privilege access, and keep user experience in mind when applying new controls and solutions.
“...If organizations follow best practices and focus on getting the architecture and user experience right, they will certainly build a more resilient cybersecurity posture, which is the need of the hour,” Drolet writes.
A comprehensive take on the evolution of the Zero Trust market and where the industry’s headed.
In this episode of Forrester’s “What it Means” podcast, Forrester Principal Analyst David Holmes sheds light on the industry adoption shifts that he’s seen in Zero Trust over the years. When speaking to what the future holds for Zero Trust adoption, David shares, "We’re going to see more systems built around Zero Trust. And we’re starting to see this already today.”
Looking specifically at the changes to come in the next 3-5 years, Holmes explains, “The cool thing is the architectures that are being built are going to have much more Zero Trust in them. And that’s fantastic... We're going to have to have systems that aren’t just Zero Trust by design... But they’ll have to be Zero Trust by default.”
That’s all for this month. We’ll be back with more Zero Trust stories soon!
Operationalizing Zero Trust – Steps 2 and 3: Determine Which Zero Trust Pillar to Focus On and Specify the Exact Control
Workload protection encompasses many security capabilities including, but not limited to, effective securing and patching of the OS and any installed applications, host-based threat protection controls such as antivirus, EDR, file integrity monitoring, host-based firewalling, etc.