The zero trust model of IT security has a wide range of applications from protecting government data to helping to secure election infrastructure, panelists said at the Akamai Government Forum on June 14.
“Now that I’m not with the government, I can speak a little more freely on this, but everything’s been compromised. So why don’t we just assume that everything’s been compromised, and proceed from there,” said Rusty Pickens, founder of 580 Strategies, former senior advisor for digital platforms at the State Department and former acting director for new media technologies at the White House.
“I don’t think we have any choice. With all the threats and compromises, we need another layer … to sit in there and address all these risks,” said Roger Barranco, senior director of global security operations for Akamai.
Barranco and Pickens highlighted remote VPN access as a key area to address in improving security. “We have this old-school mentality of ‘you’re a trusted individual, no distinction between government clearance level, contractor versus govie versus civilian versus intelligence community,’” said Pickens. “In talking about breaches, some of those were contractors. They shouldn’t have had that level of access.”
“It’s a significant security risk, because all you’re doing is … taking someone that’s remote and it’s as if they’re sitting inside your infrastructure,” added Barranco.
Patrick Sullivan, global director of security strategy for Akamai, pointed to his company as an example of the effectiveness of a zero trust model. He said the company eliminated passwords for its employees, instead opting for multifactor authentication.
Barranco estimated that 60 percent of cyber attacks are thwarted proactively, and said, “with zero trust in the app sec(urity) piece of it, that falls exactly into that proactive defensive posture that you have to build.”
Pickens added that even if attacks do break through, zero trust provides a defense against horizontal attacks.
“Know your infrastructure so that when you’re talking to the security experts, they can team with you faster to set that defensive profile for you,” advised Barranco.
One sector that could use the extra security is political campaigns and elections, and with the mid-term elections approaching, panelists discussed the potential for zero trust in a campaign environment.
“I don’t want to be the doomsayer, but I don’t think we’ve learned our lesson on this front,” said Pickens.
“I would liken a campaign to a startup much more than a government agency,” he said, noting similarities between the two for shorter lifespans, staff turnover, and the lack of legacy systems.
“Once that voting process is complete, what is that machine-to-machine discussion?” asked Barranco. “Zero trust helps because you’re saying ‘I’m not only not trusting people to machines, I’m not trusting machines to machines.’”
Sullivan offered some hope, noting that startups can rely on the cloud and software-as-a-service products to keep them secure. Sullivan also noted that Akamai offers its recursive DNS protection to campaigns on a pro bono basis.