Zero trust model
The shift to the internet as the network of choice and the continuously evolving threats are leading us to adopt a zero trust security model.
Cybersecurity Executive Order
On May 12, 2021, President Biden issued an Executive Order to implement new policies aimed at strengthening the nation’s cybersecurity. This is in response to several recent events like the SolarWinds, Microsoft Exchange and Colonial Pipeline cybersecurity incidents.
The recent Kaseya event certainly falls into this category as well. Public and private sector entities continue to witness increasingly sophisticated malicious cyber activity from both nation-state actors and cybercriminals. These new policies and standards will apply largely to federal government agencies, but there are still important implications for companies that do business with the federal government and for the private sector in general.
There are two sections that I feel are most important to our community banks:
- Removes barriers to threat information sharing between the government and the private sector. The Order removes certain contractual barriers that prevent information technology service providers from sharing information about cyber incidents with government agencies with which they contract and requires the IT service providers to promptly notify such agencies of a cyber incident involving the software and support-related products or services they provide.
- Improves software supply chain security. The Order requires all software purchased by the federal government to meet, within six months of the Order, a series of new baseline security standards, which include requiring developers to maintain greater visibility into their software and making security data publicly available.
Read the entire Executive Order on Improving the Nation’s Cybersecurity from The White House at https://bit.ly/CybersecurityExecOrder.
Zero trust model
Cloud-based services, mobile computing, internet of things (IoT) and bring your own device (BYOD) in the workforce have changed the technology landscape for our community banks.
Security architectures that rely on network firewalls and virtual private networks (VPNs) to isolate and restrict access to corporate technology resources and services are no longer sufficient for a workforce that regularly requires access to applications and resources that exist beyond traditional corporate network boundaries.
The shift to the internet as the network of choice and the continuously evolving threats are leading us to adopt a zero trust security model. Every transaction between systems (user identity, device, network and applications) must be validated and proven trustworthy before the transaction can occur.
Zero trust principles
- Verify explicitly — Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification and anomalies.
- Use least privileged access — Limit user access with just-in-time and just-enough-access, risk-based adaptive policies and data protection to help secure both data and productivity.
- Assume breach — Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection and improve defenses.
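One way to express the three principles above as a per-request access decision, shown as an added example that is not part of the original article or any vendor's product. The signal names, thresholds, trusted-country list and grant lifetimes are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy values (assumptions); a real deployment would source
# these from its identity provider and device-management system.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}
TRUSTED_COUNTRIES = {"US"}
GRANT_MINUTES = {0: 480, 1: 60, 2: 15}

@dataclass
class Request:
    user_authenticated: bool   # identity verified for this request
    device_compliant: bool     # device health reported by management tooling
    country: str               # location signal
    role_clearance: int        # highest SENSITIVITY level the role may touch
    data_classification: str   # classification of the requested resource
    anomaly_score: float       # 0.0 (normal) .. 1.0 (highly unusual)

def decide(req, now):
    """Return (decision, expiry). Every request is evaluated on its own;
    nothing is trusted because of its network location."""
    level = SENSITIVITY.get(req.data_classification)
    # Verify explicitly: unknown classification or unverified identity -> deny.
    if level is None or not req.user_authenticated:
        return ("deny", None)
    # Least privilege: the role must be cleared for this classification.
    if req.role_clearance < level:
        return ("deny", None)
    # Assume breach: unhealthy device or strong anomaly blocks non-public data.
    if level > 0 and (not req.device_compliant or req.anomaly_score >= 0.8):
        return ("deny", None)
    # Risk-based adaptive policy: unusual location or moderate anomaly on
    # sensitive data requires re-verification instead of silent access.
    if level > 0 and (req.country not in TRUSTED_COUNTRIES
                      or req.anomaly_score >= 0.4):
        return ("step_up", None)
    # Just-in-time, just-enough access: grants expire, sooner for sensitive data.
    return ("allow", now + timedelta(minutes=GRANT_MINUTES[level]))

if __name__ == "__main__":
    now = datetime(2021, 7, 1, 12, 0, tzinfo=timezone.utc)  # constructed time
    teller = Request(True, True, "US", 2, "confidential", 0.1)
    print(decide(teller, now))
    teller.device_compliant = False  # same user, device falls out of compliance
    print(decide(teller, now))
```
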
If you are interested, Microsoft released a free zero trust readiness assessment tool. In time, you will learn what I did: zero trust is something that sounds very complicated but is very achievable, and we are a lot closer to this model than many other industries. You can learn more about the assessment tool at https://bit.ly/MSZeroTrustAssess.