Sikov - stock.adobe.com
To improve resilience, augment zero-trust models
Zero-trust models are a start, but to improve resilience, they should be augmented and extended to include verification procedures, supply chain security and open source software.
Zero trust might feel like just another cybersecurity trend, but it has been around for a while.
In 2014, hackers breached the U.S. Office of Personnel Management, exposing the confidential data of more than 22 million federal employees and contractors. The breach led the U.S. government to establish a working group on zero trust. In August 2020, NIST released a general guidance document laying out details on zero-trust network architectures.
An executive order signed by President Joe Biden in May 2021 brought zero trust back to center stage. Critics have questioned the integrity of the order and whether it a marketing ploy.
In reality, zero trust offers a solid foundation for building cybersecurity systems, but it's still in its infancy.
How to build upon zero trust
The guideline promoted by NIST is just a starting point. It emphasizes monitoring data inside and outside an organization's IT infrastructure, as well monitoring assets, including phones, PCs and computer peripherals, such as printers. Zero trust is a far cry from when we assumed firewalls protected all data and assets inside the perimeter.
In zero-trust architectures, access control systems are placed inside and outside the trusted domain. For example, part of a company's data may reside within a private cloud, while the rest lives in a public cloud. This model doesn't eliminate trust; it just says trust is no longer automatically established by a user's identity or the location of a network asset.
Zero trust starts with creating tighter access controls, stronger data governing rules and better device management. But organizations looking to become resilient should use the following three steps to augment zero trust and take it to the next level.
1. Strengthen verification procedures
Organizations should strengthen internal and external verification procedures for product development, manufacturing and any other processes or inputs needed for finished products.
Internal procedures enable companies to understand how their engineering and security models create outputs to meet designated standards. Strengthening verification procedures means that the company has met a set of basic requirements. Organizations should aim to move beyond a basic quality level, so they can exceed benchmarks set by third parties.
External procedures, by contrast, provide assurance and transparency to customers, regulators and other outside parties that a basic level of security has been achieved.
2. Improve supply chain security
Organizations should move beyond zero trust by improving supply chain security. Zero trust is concerned with network architecture, but it doesn't account for a vendor's R&D functions or the security of its controllers, batteries, displays, hard drives or other components.
To improve supply chain security, companies must ask suppliers challenging questions: How can we perform ongoing checks to ensure that a vendor is reliable and has appropriately reduced the risk associated with its products? Does the vendor participate in vulnerability disclosure and management programs? How is it handling our data? How does it transport its goods from the factory to the point of assembly?
3. Extend zero trust to open source technologies
Zero trust should extend to open source technology. It's often assumed these platforms are free from software errors because everyone can see the open source code. Despite positive reviews, open source software isn't perfect. It can contain errors, and patching services are not necessarily included with the software.
Organizations should refrain from integrating any open source software into their products without verification.
Zero trust is only the beginning
Organizations need to ensure the essentials are baked in to their cybersecurity regimes. For example, they must take stock of key assets, fortify their cloud systems and encrypt vital data. They also need to implement side policies, processes, standard operating procedures and clear lines of accountability.
Zero trust is a great strategy, but it's should be viewed as a starting point because it covers a relatively limited number of areas. Building a comprehensive cybersecurity system requires internal and external verification procedures, supply chain security and open source software. It's a lot of ground to cover, but the results are worth the time and effort.
About the author
Mika Lauhde is global vice president for cybersecurity and privacy at Huawei Technologies. In this role, Lauhde advises company executives on policy, law, regulations and broad cybersecurity trends. He is also an acting Europol cyber advisor and privacy expert. In previous positions, he oversaw global cybersecurity efforts at Nokia and served as a member of the European Network and Information Security Agency.