{"id":3873,"date":"2022-03-30T16:24:19","date_gmt":"2022-03-30T20:24:19","guid":{"rendered":"https:\/\/solutionsreview.com\/security-information-event-management\/?p=3873"},"modified":"2022-03-30T18:02:38","modified_gmt":"2022-03-30T22:02:38","slug":"the-path-forward-for-zero-trust-frameworks","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/security-information-event-management\/the-path-forward-for-zero-trust-frameworks\/","title":{"rendered":"The Path Forward for Zero Trust Frameworks"},"content":{"rendered":"

\"\"<\/a><\/p>\n

As part of Solutions Review’s Premium Content Series\u2014a collection of contributed columns written by industry experts in maturing software categories\u2014Bren Briggs, the VP of DevSecOps at Hypergiant<\/a>, shares insights on what Zero Trust frameworks should look like moving forward.<\/em><\/strong><\/p>\n

\"\"The federal government must adopt the Zero Trust information security framework. This is both a new<\/span> legal mandate<\/span><\/a> as of January 2022 and a fundamental shift in our information security<\/a> model that matches the types of environments we are building and deploying today. However, it will be difficult for the government to meet its goal of full implementation by 2024. Furthermore, unless significant changes are made, the government will likely fail to adopt Zero Trust frameworks altogether, leaving agencies with a patchwork of policies and controls not much different from what we see today.<\/span>\u00a0<\/span><\/p>\n

Zero Trust as a framework emerged sometime around the late 90s and early 00s but became well known when Google began implementing their<\/span> BeyondCorp model<\/span><\/a>. In Zero Trust, the traditional model of a network enclave with a single ingress point is replaced with an identity and inventory-driven, perimeter-less authentication and authorization model where trust between devices or services is not granted implicitly. Instead, every request for network resources, from a call to a webpage to SSH connections, must be authenticated and authorized individually. This typically involves a sophisticated infrastructure composed of a robust inventory and asset tracking system, critical public infrastructure, and access proxy coupled with an authorization mechanism and rules engine.<\/span>\u00a0<\/span><\/p>\n

This architecture heavily favors public cloud deployments, like AWS, which are challenging to integrate into the traditional enclave model. In fact, the “zero trust” model and “cloud-native” philosophy are overlapping and complementary. Unfortunately, there are countless offices and on-premise deployments in the new Zero Trust mandate for which there will be no easy or straightforward migration path.<\/span>\u00a0<\/span><\/p>\n

\t\t\t

\"Download<\/a><\/p>\n<\/div>\n\t\t<\/div><\/div><\/span><\/p>\n

Google’s published research provides a wealth of information on the realities of building and migrating to such a model for a large enterprise. Suppose the federal government wishes to implement Zero Trust frameworks. In that case, they have few organizations whose size, budget, and security requirements closely match their own and even fewer who can boast a mature Zero Trust implementation. However, the US government faces additional challenges in implementing, including low wages and recruitment challenges, changing political winds, and the often-capricious nature of federal funding.<\/span>\u00a0<\/span><\/p>\n

Historically, the federal government excels at a few things which can give them an advantage here:<\/span>\u00a0<\/span><\/p>\n