Seven or so years ago, several vendors started coining the phrase "identity is the new perimeter." I even used it myself. It was catchy and provocative, but my guess is that few IT security teams took it seriously. The phrase came from a simple reality: the more SaaS services organizations consumed, the less relevant the intranet became. Although it is less common today, back then it was routine for security-minded organizations to force access to internal or otherwise sensitive information through their secured networks. Looking forward, as SaaS consumption reaches critical mass, I suspect that the secured-network strategy will continue to diminish. But what about the intranet in general? Long viewed as an area protected from bad actors, how does that paradigm fit zero trust initiatives?
Do You Dare Expose Your Sensitive Information Directly on the Internet?
Judging by the sheer size of the corporate VPN market alone, it's clear that intranets remain strategic to typical security models. It's with this in mind that I found this memorandum from the Office of Management and Budget so interesting. Could it be that the federal government will lead the way to identity-based security? If so, will commercial industries follow? Let's look at the memorandum itself:
“Further, Federal applications cannot rely on network perimeter protections to guard against unauthorized access. Users should log into applications, rather than networks, and enterprise applications should eventually be able to be used over the public internet. In the near term, every application should be treated as internet-accessible from a security perspective. As this approach is implemented, agencies will be expected to stop requiring application access be routed through specific networks, consistent with CISA’s zero trust maturity model.”
While the word "should" is by no means forceful, it is worth comparing it to past mandates that started out as recommendations, graduated to policies, and were eventually backed up by audits. "Near term" is another intentionally vague phrase, quite likely designed to nudge agencies while realistic timelines are fleshed out. Nevertheless, this memorandum is thought-provoking for two reasons:
- It states its objective plainly: paraphrased, it is to allow federal staff to "access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks."
- To accomplish that objective, it directs agencies to measure their progress against the zero trust maturity model described in CISA's guidelines.
Consider the nudge these agencies are getting to make real progress toward a zero trust model. The all-too-common cautious approach is to make patchwork progress on getting the individual pieces in place without ever actually achieving that model. This memorandum cuts through all that with one question: are you at a point where you can expose your private digital resources directly on the internet, or not?
How Does Your Organization Compare?
Assuming that your security team agrees that zero trust is the best approach to protecting your information from bad actors, how would your organization compare to others? The NetIQ team commissioned Dark Reading to conduct a survey to find out. As part of the project to create a State of Zero Trust report, NetIQ sponsored a survey of those directly responsible for zero trust initiatives.
About half of the respondents were decision makers who own the priorities and control the budgets:
- 23% - Security or IT directors or head of the department responsible for fraud detection or risk management
- 22% - Executives, such as CSO/CISO, Chief of threat intelligence, CIO/CTO or VP of IT or cybersecurity
The other half were those in the trenches of zero trust implementation:
- Information security department manager or staff
- Other titles: network administrator, engineer, cloud architect, security architect
All told, Dark Reading surveyed over 100 respondents. Check out the report to see how close these organizations are to meeting their zero trust goals.
October is Cybersecurity Awareness Month (CSAM). CSAM was launched by the National Cyber Security Alliance (NCSA) in October 2004 and is an annual campaign to raise awareness about cybersecurity. CyberRes, a Micro Focus Line of Business, is a CSAM champion. The NCSA urges individuals and organizations to focus on four key behaviors to keep data safe, including multi-factor authentication, which is a key component of achieving zero trust.