The Zero Trust Security Model, coined just over a decade ago, is a framework organizations can use to construct or enhance their cybersecurity program. It was formulated by considering the modern-day infrastructure challenges that now consist primarily of cloud and hybrid environments — making it difficult to define precisely where a network of servers, applications, devices, and databases ends.
Zero Trust isn’t a simple turnkey solution to protecting data and technology assets. It’s a status companies and government agencies have to work for years to achieve — with each journey varying depending on the security controls, policies, and processes they already have in place. It should also be noted that while effective, many of the challenges in this framework are sparked by how new it is.
In fact, it wasn’t until August 2020 that the National Institute of Standards and Technology (NIST) published SP 800-207 — their standards guide for understanding and applying Zero Trust. Regardless of its youth, Chief Information Security Officers (CISOs) and Facility Security Officers (FSOs) should understand the guiding principles of this framework and their role throughout the implementation process.
Principles of Zero Trust Security Architecture
There are several principles involved that an organization would follow to fulfill the purpose of Zero Trust Security Architecture. The central premise of the model all comes down to having “zero trust” in your network, the devices connected to it, access requests, and most importantly — your people. In other words, you assume a breach has already occurred and that your users are your biggest liability.
Never Trust, Always Verify
Starting at the top, “never trust, always verify” means you take into account that data-security threats come from both inside and outside. Therefore, constant authentication requirements should be enforced whenever a user, regardless of their “legitimate” appearance, tries to gain access to a database, resource, or system.
An example of this principle in action is the enforcement of multi-factor authentication (MFA) in the form of hardware or a biometric (eye, fingerprint, etc.) in addition to a traditional password. Alternatively, it could also refer to making users re-login depending on contextual details such as session type, device, or duration between logins.
Principle of Least Privilege
Expanding on the idea of having “zero trust” in your users, the Zero Trust Security Model follows the principle of least privilege. In other words, users should only have the minimum amount of access to data and technology resources needed to handle their job duties and responsibilities. Less exposure and fewer access points mean less risk of negligence-related compromises.
Micro-Segmentation
Micro-segmentation means separating your network into pieces, segments, or sub-networks. By maintaining the assumption that your organization has already been breached, you can “limit the blast radius” of an incident by isolating it into one or a few network resources. This principle also ties in heavily with “never trust, always verify,” as dividing a network would require secure access points at each entry — hence reauthentication for each segment.
Continuous Visibility and Data Collection
Last but certainly not least, Zero Trust emphasizes network visibility, monitoring, and access control. Investing in technology that can collect real-time data and run automatic analysis helps to find behavioral patterns and anomalies — making it easy to detect if a breach has occurred.
A robust access management system and automated response tool such as endpoint detection & response (EDR) software streamline the threat neutralization process. With Zero Trust, you want to ensure you know and manage everything in your network using a comprehensive data collection system, automation technology, and access control.
The Facility Security Officer’s Role in Zero Trust
Though cybersecurity and Zero Trust could be exclusively something a CISO would handle, an FSO plays a critical role on the facility management side of data security and defending against cyber attacks. With that said, they should be well-versed in the concepts of Zero Trust and the technology and procedures they need to implement to achieve this architecture.
Principle by principle, an FSO can assist on a contractor’s journey to Zero Trust through:
- Never Trust, Always Verify: Assume all people on the premises are possible threats to your resource security. Use consistent verification measures through ID scanners, signature pads, and badge printers to prevent unauthorized access.
- Principle of Least Privilege: Follow the idea of minimizing location, system, and resource access only to those who need it for their role AND have the proper credentials and clearances.
- Micro-Segmentation: Use segmentation as a security mechanism that divides the premises into various checkpoints that require authentication at each point — ensuring threats or incidents can be isolated at any time.
- Continuous Visibility and Data Collection: Keep high levels of facility visibility by using controls such as visitor pre-registration, check-in/check-out points, access management software, and robust data analysis systems to easily track who is in your facility at any given time, what their intentions are, and their potential threat levels.
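The four facility-side principles above can be expressed as one checkpoint decision. The following Python sketch is an added example, not code from this article or from any MathCraft product; the zone names, roles, clearance levels, and the 15-minute re-verification window are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import timedelta

# Constructed facility layout: each zone is its own segment with its own rule.
ZONES = {
    "lobby":      {"roles": {"visitor", "employee", "engineer"}, "clearance": 0},
    "office":     {"roles": {"employee", "engineer"},            "clearance": 1},
    "secure_lab": {"roles": {"engineer"},                        "clearance": 2},
}
MAX_AUTH_AGE = timedelta(minutes=15)  # assumed re-verification window

@dataclass
class Badge:
    holder: str
    role: str
    clearance: int
    checked_in: bool = False
    last_verified: dict = field(default_factory=dict)  # zone -> datetime

AUDIT_LOG = []  # every decision is recorded, whether allowed or denied

def verify(badge, zone, now):
    """Record a successful ID/badge verification at this zone's checkpoint."""
    badge.last_verified[zone] = now

def authorize(badge, zone, now):
    """Decide entry at one checkpoint; verification elsewhere never carries over."""
    rule = ZONES.get(zone)
    seen = badge.last_verified.get(zone)
    if rule is None:
        reason = "unknown_zone"
    elif not badge.checked_in:                     # visibility: must be checked in
        reason = "not_checked_in"
    elif badge.role not in rule["roles"]:          # least privilege: role
        reason = "role_not_permitted"
    elif badge.clearance < rule["clearance"]:      # least privilege: clearance
        reason = "insufficient_clearance"
    elif seen is None or now - seen > MAX_AUTH_AGE:  # never trust, always verify
        reason = "verification_required"
    else:
        reason = "ok"
    AUDIT_LOG.append((now.isoformat(), badge.holder, zone, reason))
    return reason == "ok", reason

def denials_by_holder(log):
    """Visibility: count denied attempts per person for review."""
    return Counter(holder for _, holder, _, reason in log if reason != "ok")
```

Because verification is tracked per zone, a badge verified at the lobby is still denied at the secure lab until it is verified there, which is the isolation that segmentation is meant to provide.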
During adoption, FSOs should be coordinating with CISOs and other information-security leaders to ensure that the strategic goals, timelines, and plans to achieve Zero Trust Security Architecture are consistent and agreed upon. The physical side of data security is an essential piece of a firm’s entire security program and demands cross-departmental collaboration amongst cybersecurity, facility security, and IT management teams.
Adopt Zero Trust with the Help of MathCraft
Zero Trust is the current and future security framework for government entities and defense contractors. Implementation, however, requires processes and technology platforms that follow its guiding principles. MathCraft’s advanced access and visitor management solutions are a step in the right direction toward Zero Trust and are compliant with 32 CFR Part 117 of the National Industrial Security Program Operating Manual (NISPOM).
Contact us today to learn more about how our solutions assist FSOs throughout the defense contracting industry and how we can help you with industrial-security compliance, automation, and oversight.