Lessons In Zero Trust Security

When it comes to the increasingly perilous frontier of cyber threats, no one is in the fight alone. But as officials at the Pentagon learned, a solid team defense doesn’t make you exempt from the benefits of Zero Trust, a perspective on cybersecurity that holds everyone accountable regardless of role.

In the midst of the COVID-19 pandemic, civilian organizations and federal offices alike have moved to conduct business remotely, a transition that involves countless risks devoted readers of our blog will be familiar with. But how exactly do you go about ensuring that your team will employ best security practices from home?

The answer, as it turns out, is the Zero Trust Cybersecurity Model, a way of thinking that assumes no one, whether inside or outside a network, administrator or independent actor, is trusted by default. Instead, the network requires multi-factor verification for any and all users to access parts of the network.

Zero Trust cybersecurity is crucial in the face of hackers who can steal credentials, impersonate system administrators, and award themselves higher levels of access. The U.S. Navy’s top cybersecurity official admits they took a calculated risk in allowing service members and employees to use their personal devices to conduct normal business during the pandemic, but those vulnerabilities are exactly what Zero Trust accounts for.

Siloed Approaches & Internal Risk

For officials at the Pentagon, meeting in the virtual world isn’t a new concept. Flag officers and senior civilians would frequently convene via teleconferencing. Now, in the age of remote work, meetings for employees of all levels using software like Zoom, Microsoft Teams, and Crowdcast have become routine.

Yet prior to the pandemic, government leaders were slow to deliver on solutions for potential vulnerabilities. The Center for Enhanced Cybersecurity at the Government Accountability Office (GAO) reports that cybersecurity took a worryingly low position on agencies’ list of priorities, and as a result, threat assessment was suffering to a dangerous degree.

In one instance, the GAO surveyed 26 cyberattacks on a variety of federal agencies and found that ultimately, none of the agencies could trace the attacks to their points of origin. An equally concerning number of “intrusions” were believed to have come from inside the agencies themselves, but those traces also remained incomplete.

The problem, the GAO determined, was that the federal agencies’ cybersecurity practices were limited in scope. As opposed to the Zero Trust model, which applies to all users inside and outside of a network, there were no safety protocols in place that could protect the agencies’ systems as a whole.

To this day, the GAO stresses that the most common modes of attack malicious actors employ against the government are also the simplest. Service members and employees clicking on unknown hyperlinks, failing to change their passwords frequently, and ignoring network patches can result in the most egregious attacks.

On the other hand, implementing a Zero Trust policy has a higher likelihood of stopping these attacks at the source. Gaining access to employees’ contact information, or impersonating a colleague, becomes a far more difficult task when access to that information is guarded by multi-factor verification.

The Right Stuff

When you share accountability, you acknowledge that cybersecurity is a team effort. As an organization with an investment in keeping your sensitive data secure, you want only the best of the best on that team—which is where BAI Security comes in.

With a dedicated force of exceptional in-house IT security experts who have worked for top-level security organizations (FBI, Pentagon, State Department, etc.), we go above and beyond to put the right tools in the right hands. Unlike general IT or consulting companies with outsourced staff, BAI lives and breathes IT security, with assessment and compliance as our singular priority.

We understand that when it comes to securing your systems, you’re looking for long-lasting, big-picture solutions. Take the next step toward protecting your data and contact us today.