In light of several crippling cyberattacks that paralyzed entire companies and went so far as to adversely affect multiple federal agencies, the Biden administration on 12 May signed an executive order outlining a fresh approach to improving the nation’s cybersecurity posture. One of the central pillars of this renewed approach is a firm commitment to zero trust security. Zero trust as a security strategy is still in its infancy, but it has lately come into the spotlight because its multi-tiered strategy of continuous authentication, authorization and monitoring secures network infrastructure against a wide range of breaches.
In this context, the Executive Order was followed up with a Draft Zero Trust Strategy, setting goals for all federal agencies to adopt zero trust by 2024. The move to a dynamic security strategy, one that relies on modern security controls and reflects how modern networks actually work, had become necessary.
The Scope of the Zero Trust Idea
Zero trust, as a concept, has been evolving constantly, and the scope of its definition has expanded to include multiple facets of data, applications, networks and identities. At its core, however, zero trust rests on the belief that no application, device or user can be assigned any form of trust by default, regardless of whether that entity sits inside or outside the metaphorical security perimeter. Every asset must be thoroughly verified before access is granted, and that access, too, must be granted on what is called a ‘need to know’ basis. This concept of least privilege access shouldn’t exist only on paper: beyond what a verified entity is explicitly allowed to access, all other resources must be completely inaccessible and invisible to it.
Government entities may find it extremely tough to shift into zero trust gear, but a methodical approach can help them implement the zero trust model gradually. Here, one must keep in mind that zero trust is not a set of tools or technologies that should completely replace existing tech. Instead, it is a dynamic strategy that must be implemented with the current gaps in the network infrastructure in view, resolving those gaps before upgrading one’s security posture.
Decoding the Zero Trust Idea
Most businesses use traditional security systems whose authorization and access model is much like the railway station, and this excessive implicit trust has been a prime cause of cyberattacks. Once a user is assumed to be trusted, they are granted access to the whole network, so once a single device is compromised, the entire network may be compromised as well. This has become especially true in today’s context, with a massive increase in unmanaged work-from-home devices and remote employees using unsecured networks to access your applications. Thus, it boils down to a single question of trust: how much trust should we assign, and when should we assign it?
The zero trust model essentially requires that all users and devices be authenticated and authorized, that all access be restricted on a need-to-know basis, that all network traffic be continuously monitored and visible so threat vectors can be identified in real time, and that every access request, together with its context, be subjected separately to a continuous risk and trust assessment.
Why Should the Indian Government Follow the USA’s Footsteps?
Indian government agencies and India Inc. have seen their fair share of data breaches over the past year. Notable incidents include the Mumbai power outage, the Mobikwik and Zomato leaks, and the BigBasket and Dominos breaches. The statistics speak clearly to India’s predicament with cyberattacks and to how under-prepared federal agencies are when it comes to securing their networks.
As per IBM’s Cost of a Data Breach Report, the average cost of a single data breach in India stands at a whopping $2.21m, and the average global cost of a breach in a federal agency has risen 79% over the last year, to $1.93m. But the damage from such breaches is not limited to cost. A large share of the records compromised, almost 44%, include PII, or personally identifiable information. For federal agencies like the UIDAI, despite their stringent regulatory stance, this statistic is all the more reason to consider a transformative approach to security built around zero trust.
Again, it must be understood that zero trust is not a single tool but a set of dynamic strategies that must be implemented to operationalize a model of continuous authentication, authorization and monitoring. As the US Federal Government’s draft reflects, this means starting with a reorientation of identity and access management policies and the identification and classification of all data. It also includes an inventory of all connected devices that can access critical government information, and an assessment of the current security infrastructure for gaps vis-a-vis the proposed zero trust architecture being implemented.
The Indian Government has, over the past few years, tried to treat security as a critical aspect of its policy, especially in light of several credible cyber-threats arising from our somewhat volatile neighborhood. The founding of the DSCI in 2008 was a step in the right direction, and the DSCI has since been instrumental in driving data security initiatives in the country. Yet the lack of a credible, updated cybersecurity policy that covers novel threats and challenges and accounts for the massive shift to the cloud and to remote work is plainly visible. As such, the US Government’s effort towards a future-proof, transformational security model can serve as a guiding light for the Indian Government in formulating a future-ready, cloud-ready, remote-ready cyber policy centred on zero trust adoption.