In the aftermath of the massive U.S. Office of Personnel Management data breach in 2015, then-Rep. Jason Chaffetz came out with recommendations that all government agencies adopt a “zero-trust” approach to cybersecurity. That concept was based on a model created by John Kindervag, then a vice president and principal analyst with Forrester Research and now field chief technology officer at Palo Alto Networks.
In a new CyberScoop podcast on next-generation security platforms, Kindervag explains what distinguishes zero-trust network security from other holistic security models and what enterprises and agencies can do to apply it more fully to their networks.
“The thing that distinguishes zero trust is we focus on the fundamental problem we have in cybersecurity today,” says Kindervag. The problem? The traditional trust model networks have relied upon is broken.
“The trust model we have – that all users external to the network are untrusted and bad, and all users internal to the network are trusted and good – is the source of all cybersecurity badness,” he says. It allows “bad actors [to] get this thing called trust, through the giving of privileges,” which results in trust becoming a vulnerability itself. He argues, “We need to mitigate it like every other vulnerability in our organization.”
Enterprises and agencies need to “realize how phenomenally dangerous [trust] is to the health and safety of our cyber-systems,” he adds.
Kindervag also explores how “single-pass prevention architecture” – which applies security policies up front instead of along each traffic hop – can streamline network security up and down the network stack. It has the added benefit of reducing latency and improving network performance, he says.
The idea behind zero trust is to move beyond traditional tactics, such as defense-in-depth. Oftentimes, “All you’re doing is spending money you didn’t have on things you didn’t need because you didn’t know what you were supposed to protect in the first place,” he says.
“We have to have a grand strategy in cybersecurity. We don’t have it yet. And I would suggest to you that the grand strategy in cybersecurity must be to stop data breaches.”
Read more about embracing zero-trust network security and how single-pass prevention architecture can improve network security.
This article and podcast were produced by CyberScoop and sponsored by Palo Alto Networks.