Biden administration’s new cybersecurity directive champions Zero Trust

It’s the year of Zero Trust. For your strategy to succeed, be sure to put digital identity at its core. Here’s why.

If you’re a student of history, you may remember President Ronald Reagan using the old Russian proverb, “Trust, but verify,” in the 1980s during his Cold War dealings with the former Soviet Union – much to the chagrin of the General Secretary of the Communist Party, Mikhail Gorbachev.

Last week, the Biden administration seemed to turn the phrase on its head by issuing a strategic directive requiring a “never trust, always verify” approach to another global threat – that of cyber-attacks against U.S. government IT infrastructure.

The president’s new cybersecurity strategy orders all federal agencies and executive departments to immediately move toward a “Zero Trust” architecture to strengthen defenses against “increasingly sophisticated cyber threats.”

According to a White House press release, “The zero trust strategy will enable agencies to more rapidly detect, isolate, and respond to these types of threats. By detailing a series of specific security goals for agencies, the new strategy will serve as a comprehensive roadmap for shifting the Federal Government to a new cybersecurity paradigm.”

The release also notes that the new strategy includes a “significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication.”

What is Zero Trust?

Definitions vary, but according to a recent Microsoft report, “Zero Trust is a proactive, integrated approach to security across all layers of the digital estate that explicitly and continuously verifies every transaction, asserts least privilege, and relies on intelligence, advanced detection, and real-time response to threats.”

Which basically means it’s an approach that dismisses inherent trust – and assumes instead that networks are inherently hostile environments and should be treated as such.

It’s far from a new concept. Former Forrester Research analyst John Kindervag introduced the term in 2009, having noticed that points of entry for most cyber-attacks were not the ultimate target locations. He noted that intruders were simply exploiting vulnerable entry points and then navigating laterally through networks toward more high-value targets.

Zero Trust gains momentum

More recently, the concept of Zero Trust has quickly become one of IT security leaders’ top priorities, largely due to the rapid escalation of pandemic-related remote work (requiring access from a wider array of devices, locations, and geographies), as well as increased reliance on cloud and edge computing.

Eric O’Neill, national security strategist at VMware, predicts that “2022 will be the year of Zero Trust where organizations ‘verify everything’ versus trusting it’s safe. We’ve seen the Biden administration mandate a Zero Trust approach for federal agencies, and this will influence other industries to adopt a similar mindset with the assumption that they will eventually be breached.”

And yet, while Zero Trust may have emerged as the year’s hottest cybersecurity trend, it takes more than eliminating trust to protect organizations from destructive data breaches.

Why your Zero Trust strategy needs an identity-centric approach

In today’s highly distributed and hyper-complex environments, digital identity has become the “new control plane.” Why? Because it’s the one thing that touches everything – and represents the attributes, credentials, and activities of the individuals, entities, and devices on your network.

But unfortunately, due to the enduring proliferation of legacy systems, outdated applications and operating systems, and aging devices not designed with security in mind, many enterprises (especially healthcare delivery organizations, or HDOs) continue to wrestle with complex and fragmented digital identity infrastructures that – in and of themselves – pose serious security risks.

As I noted in a recent Cybersecurity Insights article for CPO Magazine, implementing Zero Trust requires reducing the attack surfaces of these environments by consolidating disparate digital identity management tools – all with the ultimate goal of a decentralized identity infrastructure that enables multiple systems to map to a single user identity.

And since identity and access management (IAM) is a foundational element of Zero Trust, following an integrated digital identity framework comprising solid IAM policies, permissions, and technologies becomes critical to the success of your Zero Trust architecture.

A Zero Trust and digital identity roadmap for HDOs – and beyond

Of course, eliminating digital identity challenges and implementing Zero Trust won’t happen overnight. But by starting with the “core four” pillars in the framework described below, you’ll be well on your way to creating a digital identity-based Zero Trust architecture that repels attacks and secures your organization with a forward-looking IT infrastructure you can trust.

Here are the solutions you need to get started:

  1. Identity governance: Replace burdensome, slow, and error-prone manual account administration with automated, secure, role-based access to systems and applications.
  2. Single sign-on: Reduce the need for passwords while improving security and supporting regulatory compliance – with no-click application access from any device, anywhere.
  3. Multifactor authentication: Make security invisible to users with an auditable chain of trust across the enterprise – including remote access, EPCS, and clinical workflows.
  4. Privileged access management: Protect privileged accounts against unauthorized access with an easy-to-use, yet comprehensive solution based on the principle of least privilege.

Successfully managing digital identity is important, particularly in healthcare – where time is of the essence and cybersecurity threats are dangerously heightened. And while a cybersecurity strategy based on Zero Trust surely promises a stronger, more effective security posture, it’s critical that you first address any existing digital identity management challenges as part of a larger enterprise strategy.

For more, see my article: Why We Need to Consolidate Digital Identity Management Before Zero Trust, in CPO Magazine.