Zero-Trust Security: What Architects Need To Know
Implementing zero trust may seem daunting, but it is also an opportunity to integrate more secure coding practices into your software applications from the start. Zero-trust security assumes that all traffic on your internal network is potentially malicious. Consequently, it requires taking measures to:
- Identify all devices, users, applications, and services
- Ensure that traffic goes only where it is needed, not just at the network level but also at the application level
Zero trust benefits security practitioners by providing a workable model for security systems design. Properly implemented, the design improves the safety of an organization's assets.
There is a huge interest in zero-trust security across industries and particularly in the federal government. In May 2021, the White House issued Executive Order 14028, requiring all agencies to submit a plan for implementation of zero-trust security in their IT systems. Since then, numerous agencies have produced guidance for zero trust:
- The Department of Defense has a reference architecture.
- The National Institute of Standards and Technology has issued two documents.
- The National Security Agency has published a maturity model.
- The Cybersecurity and Infrastructure Security Agency has generated a wealth of guidance on zero trust.
In a for-profit company, zero-trust can reduce cybersecurity premiums and enhance the company's overall risk profile with possible positive effects on its stock price and value. In government, improved security through zero trust can help prevent intrusions by adversarial nation-states or other enemies of the nation.
While guidance on zero trust abounds, one key question rarely arises: What problems is it trying to solve? Read the full blog to learn more.
Related Blog Posts
Application Lifecycle, Education, Market Intelligence, State & Local Government
According to data contained in a recent study from Pediatrics, the official scientific journal of the American Academy of Pediatrics, the number of school shootings in the United States has increased dramatically every year since the 2017-2018 school year. At the same time, school mass shootings have become increasingly deadly. Given this trend and the risk posed by security threats to students and faculty, school districts are desperate to find solutions to improve school security.
Gabriel Zighelboim
Cybersecurity, Federal Government, Market Intelligence, State & Local Government
The 2024 United States presidential election is rapidly approaching, and state and local governments are focusing their efforts on bolstering election security and ensuring the proper safeguards are in place.
Yvonne Maffia
Cloud Computing, Cybersecurity, Market Intelligence
Originally passed in 2014, the Federal Information Technology Acquisition Reform Act (FITARA) was designed to improve the management of all-things-IT across federal agencies. It essentially realigned how the government purchases and updates its technology, with an aim at grading agencies based on their ability to adhere to and improve on the following categories:
Susanna Patten
Cloud Computing, Cybersecurity, Education, Market Intelligence, State & Local Government, Technology
The annual EDUCAUSE conference highlighted higher education technology trends, goals, challenges, and how to identify a way ahead for higher education institutions to be successful in today’s modern world.
Yvonne Maffia
Cybersecurity, Education, Federal Government, Market Intelligence, Technology
Over the last few months, there have been several recent cybersecurity initiatives at the federal level, aimed at bridging gaps in K-12 cybersecurity policy and strategy.
Yvonne Maffia
Cloud Computing, Cybersecurity, Market Intelligence
The Air Force hosts an annual summit known as Department of the Air Force Information Technology and Cyberpower (DAFITC) in Montgomery, Alabama, right next to Maxwell Air Force Base. It’s an opportunity for Guardians, Airmen, academics, and IT industry to come together to discuss pain point remedies and high-level plans and strategies. It is also an opportunity for branch heads to strike deals that lead to the adoption of modern and effective systems, meant to enable air superiority. Ms.
Kevin Shaker
Cybersecurity, Internet of Things, IT Infrastructure, Market Intelligence
IoT and Its Impact on Infrastructure and Governance
The Internet of Things (IoT) revolutionizes how governments, organizations, and citizens interact with the physical world. This wave of interconnected devices promises a transformative infrastructure and governmental operations shift. However as the reach of IoT grows, the implications — especially related to security — become even more profound.
Dawit Blackwell
Application Lifecycle, DevSecOps, Federal Government, State & Local Government
Technology is supposed to make our lives easier. So you know something’s wrong when nearly a third of federal government acquisition professionals surveyed say their agency’s acquisition technology makes the job more difficult.
Ben Allen
Application Lifecycle, DevSecOps, Federal Government, State & Local Government
Technology is supposed to make our lives easier. So you know something’s wrong when nearly a third of federal government acquisition professionals surveyed say their agency’s acquisition technology makes the job more difficult.
Ben Allen
Application Lifecycle, DevSecOps, Federal Government, State & Local Government, Technology
Government agencies strive to lower the cost of products and services to save taxpayers money. They also aim to shorten “procurement administrative lead time,” or PALT—the time from identification of need to delivery of value—to expedite their missions without delay.
Ben Allen
Application Lifecycle, DevSecOps, Federal Government, State & Local Government, Technology
Government agencies strive to lower the cost of products and services to save taxpayers money. They also aim to shorten “procurement administrative lead time,” or PALT—the time from identification of need to delivery of value—to expedite their missions without delay.
Ben Allen
Application Lifecycle, Business Applications, Federal Government, State & Local Government
Case work is the universal working style of government agencies. Everything from handling customer service inquiries to issuing permits to responding to weather events—in short, any workflow a public sector organization handles—is a “case” that requires a systematic approach from start to finish.
Shari Ingerman
Application Lifecycle, State & Local Government, Technology
The good news is that we’ve officially moved into the next phase of the pandemic, where the White House expects the threat of serious illness to be considerably diminished. But the bad news? Nearly 18 million Americans stand to lose the Medicaid benefits granted to them during the public health crisis as eligibility determinations return to pre-pandemic guidelines.
Vishal Hanjan
Application Lifecycle, Technology
In successful federal government acquisitions, an agency’s needs are met in the most effective, economical, and timely manner. The key to meeting your acquisition objectives? Proper acquisition planning—which begins well before you write your plan document. In other words, plan first, document later.
Ben Allen
Application Lifecycle, Technology
Whether deploying a ship or a software application, a new acquisition is only as good as its requirements.
Clearly defining your requirements in the RFP results in a less risky contract opportunity, leading to more competition and lower pricing from vendors. All the nuts and bolts of the opportunity—the many small requirements that make up the larger project—need to be captured in a deliberate, methodical fashion. And for transparency into the scope of the acquisition, the complete set of requirements should be shared with all stakeholders.
Ken Valle
Cybersecurity, Federal Government, Market Intelligence, Technology
The Department of Navy (DON) recently held its annual WEST Conference, this year with a strong emphasis on cybersecurity. The conference brought together key decision-makers from the Navy, Marine Corps, and Coast Guard, along with experts from various industries and government officials. The discussions were broad-ranging, covering topics related to naval warfare, technology, innovation, and cybersecurity.
Toan Le
Cybersecurity, Market Intelligence, State & Local Government
2022 was a noteworthy year for the technology sector, particularly as it relates to cybersecurity. The post-pandemic era of modernization exposed the fragility of U.S. public sector technology infrastructure and systems, widening attack surfaces and posing additional challenges for state, local and education leaders. We have witnessed the whole gamut of continually evolving security threats, ranging from election security breaches, nation-state actors, threats to critical infrastructure, ransomware attacks, hacktivism and more.
Yvonne Maffia
Cloud Computing, Cybersecurity, Education, Federal Government, IT Infrastructure, State & Local Government, Technology
The Cybersecurity and Infrastructure Security Agency (CISA) has seen increased malicious activity with ransomware attacks against K 12 educational institutions. Malicious cyber actors target school computer systems, slowing access, and rendering the systems inaccessible to essential functions, including remote learning. In some instances, ransomware actors stole and threatened to leak confidential student data unless institutions paid a ransom.
Ransomware attacks on US government organizations cost $18.9bn in 2020.
Asad Zaman
Cloud Computing, Cybersecurity, Federal Government, State & Local Government, Technology, Tips and How-Tos
TD Synnex Public Sector’s Chief Cybersecurity Technologist, Don Maclean sat down with Mark Guntrip, Senior Director of Security Strategy at Menlo Security, to discuss one of the latest emergent security threats.
James Hofsiss
Cybersecurity, Market Intelligence, Technology
“We must find fresh ways to connect forces, allies, and partners that provide an effective response to the challenge of a highly contested environment not seen in the last 20 years. Given the challenges we face today and in the future, we simply have no choice but to become more interoperable,” said General CQ Brown JR., U.S. Air Force Chief.
Toan Le
Cybersecurity
Cybersecurity Maturity Model Certification (CMMC) 2.0 is here. If your company is not prepared, the time to get ready is now, or your company may risk losing business with the Department of Defense (DoD).
The CMMC program requires cyber protection standards for companies in the Defense Industrial Base (DIB) and aims to protect sensitive unclassified information that the DoD shares with contractors and subcontractors.
Don Maclean
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
Every year, there are more and more security breaches, and it gets harder and harder to spot them. According to a leading cybersecurity vendor1, it takes almost seven months for organizations to find breaches, which gives malicious attackers plenty of time to get what they want.
Most often, system misconfigurations like default settings or credentials leave the door wide open for exploitation, resulting in these breaches. As organizations grow, this problem only gets worse because quick changes frequently result in skipped steps.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos, Training
Security is paramount in the digital age, especially when it comes to keeping networks secure. Having network security monitoring services stand between your organization and malicious attackers is crucial. Still, the volume of alerts and issues that come with them can easily overwhelm your team.
The volume of these alerts is rising every year too. According to a report by TrendMicro, 54% of teams surveyed felt like they were drowning in alerts, and 27% said they spent most of their time dealing with false positives.
Heather Sweet
Cybersecurity, Federal Government
The rise in a remote workforce and use of cloud-enabled business applications equates to the browser essentially becoming our office, providing access to all necessary tools, data, and communications. Threat actors understand this paradigm shift and are now utilizing Highly Evasive Adaptive Threats (HEAT) to initiate ransomware, extortion ware, and other endpoint intrusions.
HEAT attacks are the next generation of cyber threats.
Menlo Security
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
The digital landscape evolves fast, and attackers are even faster. New ways to attack systems and organizations appear every day, and traditional methods are starting to fall behind the times.
Highly Evasive Adaptive Threats (HEAT) are the newest step in the digital world for malicious attackers. These attacks are unlike anything security experts have seen before and lead to some of the most devastating breaches ever seen.
In this article, we’ll explain how HEAT attacks impact companies worldwide and how Menlo Security’s Isolation Core can help protect your organization.
Heather Sweet
Big Data & Analytics, Cybersecurity, Market Intelligence
In a recent webinar produced by Federal News Network, the Director of the Environmental Protection Agency (EPA)’s Office of Information Security and Privacy, Tonya Manning, detailed the state of the agency’s zero trust and data handling postures, as well as its latest priorities. We’ll spotlight several takeaways and look at what’s to likely come down the pike for the EPA in the coming months and years.
Zero Trust Architecture
Susanna Patten
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
The term "Integrated Management Workplace System" (IWMS) was first used by Gartner in 2004 to refer to a program that could manage and integrate all business and workplace requirements into a single, centralized solution. Since then, a number of solutions have emerged with the aim of bringing together various operational and organizational areas that had previously tended to operate in isolation from one another.
Heather Sweet
Cybersecurity, Federal Government, State & Local Government
This is the second post in the Threat-Based Methodology series. The first post introduced Threat-Based Methodology and the analysis conducted by the FedRAMP PMO and NIST. That post concluded with a list of the top seven controls based on their Protection Value. This post will explore CM-6 in greater depth and explain how Devo supports the ability to meet this control.
John Allison
Cloud Computing, Cybersecurity, Technology
The development world has changed, and organizations are still adapting to developing in the cloud. Cloud native technology and containers are now at the forefront of software development, meaning that software no longer exists and operates locally. However, despite these quick advancements, cloud native application security still lags behind.
This article will cover how you should approach cloud native application security and why Snyk is the best solution for your needs.
Adam Fyffe
Cybersecurity, Education, Federal Government, State & Local Government
This three-part blog series will explore threat-based methodology and how it benefits every company with a network. The series leverages the analysis presented by the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) in conjunction with the National Institute of Standards and Technology (NIST).
John Allison
Application Lifecycle, Federal Government, IT Infrastructure, Open Source
You can spend hours scrolling down the rabbit hole of government IT horror stories, which makes the recent launch of the federal website for ordering free COVID tests that much more remarkable. The website worked, and it was surprisingly easy to use. But that success belies decades of underinvestment in digital transformation that has stifled public sector innovation and hardened the government's low-tech image. For example:
Roland Alston
Cybersecurity, Federal Government, IT Infrastructure, Market Intelligence
The heightened threat of retaliatory cyberattacks by Russia against critical U.S. IT infrastructure is prompting federal investments in cybersecurity to strengthen its cyber defense posture. The ongoing conflict in the region and the increased targeting of critical infrastructure assets will cause federal agencies to look for ways to strengthen their cybersecurity posture and redefine requirements that address cyber breaches that may occur during the coming months and years as well as drive investments into Zero Trust related tools and threat intelligence.
Dawit Blackwell
Application Lifecycle, Cloud Computing, DevSecOps
In this post we will look at how to accelerate the development of cloud native applications, give you a snapshot of the USAF deployment of D2iQ, and provide a link to the DLT Cloud Security Assessment to see where you currently stand.
Jeff Schad
Application Lifecycle, Cloud Computing, DevSecOps
In this post we will look at how to accelerate the development of cloud native applications, give you a snapshot of the USAF deployment of D2iQ, and provide a link to the DLT Cloud Security Assessment to see where you currently stand.
Jeff Schad
Cloud Computing, Cybersecurity, Federal Government, IT Perspective
Over the last few years, the federal government has begun to embrace a zero trust approach as the new cybersecurity standard for agencies. Utilizing the latest solutions and best practices, the hope is to bolster federal cybersecurity and create a robust and resilient IT infrastructure that can protect and secure networks from attacks and breaches.
Kevin Tierney
Cloud Computing, Cybersecurity, IT Perspective, Technology
Last January, the Office of Management and Budget (OMB) released M-22-09, a memorandum that set forth the federal government strategy on zero trust adoption, in an effort to reinforce the security and protection of government agencies’ critical systems, networks, and IT infrastructures.
David Presgraves
Application Lifecycle, Cloud Computing, Cybersecurity, DevSecOps, Market Intelligence
"We are making progress. This really is not just about technology. This is about changing our processes changing our approach to delivering and operating technology to IT systems and our cyber mechanical warfare systems as we move forward," said Robert Vietmeyer, DoD Director for Cloud and Software Modernization.
Toan Le
Application Lifecycle, Cloud Computing, Cybersecurity, DevSecOps, Market Intelligence
"We are making progress. This really is not just about technology. This is about changing our processes changing our approach to delivering and operating technology to IT systems and our cyber mechanical warfare systems as we move forward," said Robert Vietmeyer, DoD Director for Cloud and Software Modernization.
Toan Le
Application Lifecycle, Cloud Computing, Cybersecurity, DevSecOps, Market Intelligence
"We are making progress. This really is not just about technology. This is about changing our processes changing our approach to delivering and operating technology to IT systems and our cyber mechanical warfare systems as we move forward," said Robert Vietmeyer, DoD Director for Cloud and Software Modernization.
Toan Le
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
For the second year in a row, Gartner named IBM a Leader in Gartner Magic Quadrant for 2021 Cloud Database Management Systems based on its Ability to Execute and Completeness of Vision. With emergence of a single cloud DBMS market, We believe our portfolio of feature-rich, enterprise-tested offerings, bold acquisitions, and partnerships enable our clients to address the unique needs of their business, respond to the growing volume, velocity and variety of today’s data and drive more accurate data driven decisions.
Holly Vatter
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
For the second year in a row, Gartner named IBM a Leader in Gartner Magic Quadrant for 2021 Cloud Database Management Systems based on its Ability to Execute and Completeness of Vision. With emergence of a single cloud DBMS market, We believe our portfolio of feature-rich, enterprise-tested offerings, bold acquisitions, and partnerships enable our clients to address the unique needs of their business, respond to the growing volume, velocity and variety of today’s data and drive more accurate data driven decisions.
Holly Vatter
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
For the second year in a row, Gartner named IBM a Leader in Gartner Magic Quadrant for 2021 Cloud Database Management Systems based on its Ability to Execute and Completeness of Vision. With emergence of a single cloud DBMS market, We believe our portfolio of feature-rich, enterprise-tested offerings, bold acquisitions, and partnerships enable our clients to address the unique needs of their business, respond to the growing volume, velocity and variety of today’s data and drive more accurate data driven decisions.
Holly Vatter
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
This week's roundup of the latest news and insights gathered from IBM's Government Research Institute thought leaders:
Michael J. Keegan
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
This week's roundup of the latest news and insights gathered from IBM's Government Research Institute thought leaders:
Michael J. Keegan
Application Lifecycle, Big Data & Analytics, Cloud Computing, Cybersecurity, DevSecOps, IT Infrastructure
This week's roundup of the latest news and insights gathered from IBM's Government Research Institute thought leaders:
Michael J. Keegan
Cloud, Cloud Computing, Cybersecurity, Federal Government, Technology
As organizations adapt to hybrid work and more and more cloud services are deployed, new service entities that collaborate and exchange data without human interaction, such as virtual machines and containers, are proliferating. The growth of these service accounts and identities and their increasing volumes of permissions, privileges, and entitlements expose organizations to new attack vectors.
Kevin Tierney
Cybersecurity
Threat Intelligence Report Shows Massive Uptick in DDoS Attacks
NETSCOUT recently released its semi-annual Threat Intelligence Report with deep insights into the notably distributed denial-of-service (DDoS) and cyber activity during the second half of 2021. The report contains troves of valuable information about the ongoing threat posed to organizations across the public and private sectors, including government agencies and other public sector organizations.
Thomas Bienkowski
Application Lifecycle, Federal Government, IT Infrastructure, IT Perspective
In the post-COVID world, the federal government spends about three-fourths of its technology budget maintaining aging computer systems including platforms more than 50 years old and even some that use floppy disks, according to a recent Government Accountability Office report.
Roland Alston
Cloud Computing, Cybersecurity, Federal Government
The Department of Defense (DoD) is taking major steps to boost cloud performance, with the promise of a tangible, positive impact on military missions throughout the world. Specifically, the Joint Warfighter Cloud Capability (JWCC) contract is replacing the Joint Enterprise Defense Infrastructure (JEDI) initiative, which was intended to establish enterprise-class cloud capabilities for the military community.
Carolyn Ford
Application Lifecycle, Cybersecurity, DevSecOps, Federal Government, IT Perspective, Technology
On the Tech Transforms podcast, sponsored by Dynatrace, we have talked to some of the most prominent influencers shaping critical government technology decisions. From supply chain to machine learning, this podcast explores the way technology advancement intersects with human needs.
In March 2022, we sat down with these government technology visionaries:
Carolyn Ford