Cyber Security and Emerging Threats

Zero Trust Networks: A New Normal for Cybersecurity?

On May 12th, 2021, United States President Joe Biden issued a new Executive Order titled “Improving the Nation’s Cybersecurity”. Executive Order 14028 is an ambitious federal directive that aims to revamp the current cybersecurity landscape of the U.S. federal government to align it with current best industry practices. Although the directive touches on many critical cyber issues, there is one major upcoming change that will have a significant impact on how cybersecurity will be managed in the U.S. government: the Zero Trust model.

John Kindervag, then a senior analyst at Forrester Research, coined the term “Zero Trust” in 2010 to describe a cybersecurity framework that sought to change the foundational principle on which traditional security programs were based. At the time, conventional best practice revolved around perimeter security: a castle-and-moat approach that trusted users inside an organization’s network by default and distrusted everyone outside it.

This is what some in the cybersecurity community have referred to as a “Trust but Verify” approach that places importance on a strong defensive perimeter for keeping out unauthorized users, because the industry standard at the time was to assume that cyber-attacks occurred from outside the castle walls. Consequently, cybersecurity teams used to emphasize network security tools like firewalls, access controls, virtual private networks (VPN), Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS), often layering them to maximize an organization’s defence against external cyber threats.

This rigid approach, however, soon began to reveal its weaknesses as industries changed their business models to adopt new technologies and respond to market trends. The move to the cloud, the Internet of Things (IoT), and the role of COVID-19 in normalizing hybrid and remote work are among the reasons the digital attack surface of organizations has expanded far beyond the traditional network perimeter, exposing more potential vulnerabilities and giving malicious actors more opportunities to exploit them.

The cybersecurity community has also witnessed the emergence of threats that bypass even the most formidable perimeter. The SolarWinds breach and the Kaseya VSA ransomware campaign are notorious recent examples of supply chain attacks. In such cases it does not matter how strong an organization’s perimeter was to begin with, because the malicious code arrived through a trusted channel: a software update or management tool from one of its third-party vendors.

Kindervag’s Zero Trust model understood at the outset that there are security issues inherent in a perimeter-centric approach to cyber defence. It understood that a security model based on the old principle of “trust but verify” was outdated, especially when it came to user identity verification, as the traditional model tried to mimic how identity is proven in physical security. Though there are obvious similarities when it comes to cybersecurity and physical security, there are issues with implementing them the same way. This is because a successful authentication event (i.e. logging into a network) does not necessarily mean the user who authenticated is the user they claim to be.

For example, as a network user, you can have all the correct documentation (e.g. username and password) when you pull up to the security guard to gain access to the network, so to speak, but the difference in cyberspace is that there is almost always a wall that prevents the security guard from using your physical features to fully verify your identity. Thus, before multifactor authentication (MFA) became widespread, an inordinate amount of trust was placed in a user’s credentials, usernames and passwords, as the primary method of verifying a user’s identity.

This faith in basic credentials is what separated the trusted from the untrusted. It is what made the difference between being denied access to an organization’s network and being able to roam freely in it as a “trusted” user. This is the invisible asterisk that the “trust but verify” model neglected to properly address. Incidents like the May 2021 ransomware attack against Colonial Pipeline, which began with a single compromised password for an employee’s corporate VPN account on a legacy system that did not require multifactor authentication, are a sobering reminder of its consequences.

So what does Biden’s Executive Order 14028 propose to change in terms of implementing Zero Trust?

EO 14028 aims to revamp the cybersecurity posture of U.S. Federal Government networks by advancing towards a security model based on the principle of “Never Trust, Always Verify”. In this new cybersecurity framework, threats are understood to have origins both inside and outside an organization’s network. Implicit trust is therefore eliminated.

By eliminating implicit trust, access to network resources and assets is granted on two conditions: that users are continuously challenged to prove their identities, and that they are given only the minimum access required to do their jobs. This is accomplished through a combination of granular, need-to-know access controls, automated security tooling, and real-time monitoring, so that only the right people, with the right permissions, under the right context (for example, a verified identity on a managed, compliant device) have access to an organization’s resources. These measures mitigate the impact of a breach by preventing an attacker who has gained a foothold inside the network from moving laterally at will.
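The following is an added illustration, not part of the original article and not drawn from the Executive Order or any vendor product: a toy per-request policy decision point that applies the principles above (and the point made earlier that a successful password login is not proof of identity). Every check runs regardless of where the request comes from, grants are explicit and resource-scoped so the default is deny, and writes to sensitive resources require a compliant device and fresh step-up MFA. All names, roles, resources and sample requests are hypothetical and constructed for the example.

```python
# Added example (not from the article or the Executive Order): a toy
# per-request policy decision point showing "never trust, always verify"
# and least privilege. Names, roles, resources and sample requests are all
# hypothetical, constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the example is reproducible


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    resource: str
    action: str                          # "read" or "write"
    mfa_verified_at: Optional[datetime]  # None = password only, no second factor
    device_compliant: bool               # managed device with current patches and healthy EDR
    network: str                         # "corp", "vpn" or "internet"; never trusted on its own


# Explicit, resource-scoped grants: role -> resource -> permitted actions.
# Anything not listed is denied (default deny).
GRANTS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "ops":       {"scada-hmi": frozenset({"read"})},
    "ops-admin": {"scada-hmi": frozenset({"read", "write"}),
                  "vpn-gateway": frozenset({"read", "write"})},
    "finance":   {"billing-db": frozenset({"read", "write"})},
}
SENSITIVE = {"scada-hmi", "vpn-gateway"}  # writes here need a compliant device and fresh step-up MFA
MFA_MAX_AGE = timedelta(hours=8)
STEP_UP_MAX_AGE = timedelta(minutes=15)


def decide(req: Request, now: datetime = NOW) -> Tuple[bool, str]:
    """Evaluate a single request. Every check applies regardless of req.network:
    being on the corporate LAN or the VPN earns no implicit trust."""
    # 1. Identity: a password alone is not proof of who is on the other end.
    if req.mfa_verified_at is None:
        return False, "no MFA: credentials alone do not establish identity"
    mfa_age = now - req.mfa_verified_at
    if mfa_age > MFA_MAX_AGE:
        return False, "MFA stale: re-challenge the user"
    # 2. Least privilege: an explicit grant for this resource and action must exist.
    permitted = set()
    for role in req.roles:
        permitted |= GRANTS.get(role, {}).get(req.resource, frozenset())
    if req.action not in permitted:
        return False, f"no grant for {req.action} on {req.resource}"
    # 3. Context: sensitive targets demand device posture and, for writes, step-up MFA.
    if req.resource in SENSITIVE:
        if not req.device_compliant:
            return False, "sensitive resource requires a compliant device"
        if req.action == "write" and mfa_age > STEP_UP_MAX_AGE:
            return False, "sensitive write requires step-up MFA within 15 minutes"
    return True, "allow"


def run_scenarios(now: datetime = NOW) -> Dict[str, bool]:
    """Constructed sample requests; returns scenario name -> allowed."""
    h = timedelta(hours=1)
    m5 = timedelta(minutes=5)
    ops = frozenset({"ops"})
    admin = frozenset({"ops-admin"})
    cases = {
        # stolen VPN password, no second factor: the pattern behind the Colonial Pipeline intrusion
        "stolen_password_over_vpn": Request("alice", ops, "scada-hmi", "read", None, True, "vpn"),
        # same account, but MFA passed an hour ago on a managed device
        "ops_read_with_mfa": Request("alice", ops, "scada-hmi", "read", now - h, True, "vpn"),
        # authenticated, but the role was never granted write: least privilege holds
        "ops_write_not_granted": Request("alice", ops, "scada-hmi", "write", now - h, True, "corp"),
        # admin on the corporate LAN with a password only: location buys nothing
        "admin_on_lan_no_mfa": Request("bob", admin, "scada-hmi", "write", None, True, "corp"),
        # admin with MFA from an hour ago: fine to read, not fresh enough to write
        "admin_write_stale_mfa": Request("bob", admin, "scada-hmi", "write", now - h, True, "corp"),
        "admin_read_stale_mfa": Request("bob", admin, "scada-hmi", "read", now - h, True, "internet"),
        # admin with fresh step-up MFA but on an unmanaged device
        "admin_write_bad_device": Request("bob", admin, "scada-hmi", "write", now - m5, False, "corp"),
        # everything in order
        "admin_write_ok": Request("bob", admin, "scada-hmi", "write", now - m5, True, "internet"),
        # a finance user has no business touching OT, however well authenticated
        "finance_reads_scada": Request("carol", frozenset({"finance"}), "scada-hmi", "read", now - m5, True, "corp"),
    }
    return {name: decide(r, now)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:26s} {'ALLOW' if allowed else 'DENY'}")
```

Two design choices carry the argument of this section: the `network` field is recorded but never consulted, so the decision is identical for a request from the corporate LAN and one from the internet; and the grant table is the only path to an allow, so a compromised but well-authenticated account is still confined to what its role was explicitly given.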

Implementing a Zero Trust security architecture does not mean an end to cyber breaches against U.S. federal entities. Cyberattacks targeting the government will continue to occur for the foreseeable future, and cybersecurity teams will continue to work around the clock to respond to and remediate security incidents.

Pushing Zero Trust into the mainstream does signal, however, the U.S. administration’s resolve to tackle an increasingly sophisticated and dynamic cyber threat environment. And by acknowledging that the current federal cybersecurity model is outdated and in need of substantial revision, the U.S. has taken a bold step towards creating a more secure digital future for itself.

Bryan Roh
Bryan Roh is a Research Analyst for the Cybersecurity and Emerging Threats programme at the NATO Association of Canada. He received a Cybersecurity Analyst diploma from Willis College, and a Bachelor of Arts from the University of Toronto, where he specialized in security issues related to the Asia-Pacific region. He is a former Compliance Director for the G7 Research Group and frequently publishes research work online. Bryan is also a former reservist in the Canadian Armed Forces where he developed an interest in information and national security issues.