Zero Trust

Federal Zero Trust Data Security Guide

    Posted Nov 01, 2024 07:49:00 AM

    Hi All,

    This document was developed by the Zero Trust (ZT) Data Security Working Group in furtherance of its directive under the Office of Management and Budget (OMB) Memorandum M-22-09, Moving the U.S. Government Towards Zero Trust Cybersecurity Principles. The Working Group is a joint committee comprised of members from the Federal Chief Data Officer (CDO) Council and Chief Information Security Officer (CISO) Council, as well as other Federal stakeholders.

    The cyber risk landscape is continuously evolving - and our adversaries are evolving along with it. The United States is facing unprecedented threats as malicious actors advance their tactics and unlock new ways to attack our systems, including using emerging technologies, such as artificial intelligence (AI), to launch increasingly sophisticated cyber campaigns.

    To counter these threats, agencies are making Federal systems more defensible by employing ZT principles - which means trust is never implicitly granted and must be continually validated.

    FIGURE 1: Traditional Security vs. Zero Trust 

    Traditional Security

    Traditional network perimeter-based security, with its assumption of implicit trust inside the perimeter, has failed to protect enterprise assets. This belief that everything is safe and can be trusted once inside actually paves the way for attackers to cause chaos through unimpeded lateral movement. 

    Zero Trust

    Zero trust assumes that all networks - enterprise-owned or not - are untrusted and that an attacker is present in the environment. It denies default access to data and workload, continually authenticates and authorizes each access request, and monitors and analyzes the risks to the assets.

    ZT moves away from the traditional approach of protecting the network perimeter - a "castle and moat" model as seen in Figure 1 - to instead assume that a network may be compromised at any time, anywhere, and by anyone. Through the ZT lens, we focus on securing the data itself, rather than the perimeter protecting it. This concept is known as "ZT data security." 



    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, EMBA, CSA
    ------------------------------
