
Why Security Checklists Alone Are Insufficient for the Zero Trust Era


Dr. David A. Bray is both a Distinguished Fellow and co-chair of the Alfred Lee Loomis Innovation Council at the non-partisan Henry L. Stimson Center. He is also a non-resident Distinguished Fellow with the Business Executives for National Security, and a CEO and transformation leader for different “under the radar” tech and data ventures seeking to get started in novel situations. He is Principal at LeadDoAdapt Ventures and has served in a variety of leadership roles in turbulent environments, including bioterrorism preparedness and response from 2000-2005. 

About a month ago, I joined AFCEA International and Two Six Technologies for a discussion about why it is insufficient to treat a zero trust architecture as just a list of separate elements. We all agreed that how those elements are “stitched together,” much like a quilt, matters immensely: an organization that follows only a checklist can get every element right and still fail to connect them. This is why relying on checklists of security elements alone will not achieve the stitching together of digital elements that a zero trust architecture requires.

In this post, I’d like to dive a bit more into what the zero trust era requires. Previously, I highlighted the bottom line up front (BLUF) for senior executives in both the public and private sectors with regard to detecting foreign online message manipulation. It is sobering to realize that, partly because technologies and techniques once limited to an exquisite subset of actors are now widely available, organizations of every size need to be aware that they could be targeted by, and could experience, message manipulation aimed at their own brand identity.

Alongside the risks of foreign disinformation and online message manipulation, organizations in both the private and public sectors also need to be aware of sophisticated cyberattacks, including those typically characterized as Advanced Persistent Threats (APTs) and usually associated with foreign cyber threat actors. Against these, the only viable “defense” nowadays is to correctly implement zero trust architectures across the organization’s digital footprint.

Cumulatively, zero trust architectures represent a long overdue replacement for legacy perimeter-based cybersecurity. During our recent webinar, Two Six Technologies cited a recent paper of theirs that defines zero trust architectures as possessing four key features:

  1. Strict separation of duties: No administrator should have access to both the keys and the data they protect.
  2. Continuous authentication of identities: No more “one-time” log-in processes; both human and machine accounts are continuously monitored for normal versus abnormal account activity.
  3. Least privileged access in all environments: Only those who absolutely must have access should have it.
  4. Never trust, always verify: No activity, whether it originated outside or inside the perimeter, should be assumed to be trustworthy.

From my own experiences as a senior executive in various high-profile digital environments, I’ll add a fifth feature:

  5. Never forget the human factor: Instrument all systems and network connections to detect, alert on, and actively limit humans who, intentionally or accidentally, do improper things with an organization’s data and systems, including attempted data leaks.

In my professional opinion, number five is important because even the most well-meaning users in an organization’s digital environment might accidentally attempt to do something with data that they shouldn’t, or they might be socially engineered into doing so, especially where an organization’s financial accounts are concerned.

Why zero trust approaches are needed now, more than ever, stems from the success of the internet over the last three decades. We have watched work, and by extension digital access to volumes of data, move from a firewalled client-server model to an amorphous, loosely connected “fog” of everything: laptops, smartphones, cloud-based services, and personal devices. That same success has created a digital footprint that is particularly challenging to secure against sophisticated cyber threat actors.

Most successful cyberattacks occur when a threat actor obtains one or more of the digital keys (credentials, tokens, or cryptographic keys) needed to reach parts of an organization’s digital footprint, with the goal of gaining administrative privileges that give full control of one or more systems on the network and potential access to the systems connected to a compromised one. Moving from system to system in this way to gain administrative access across a network is referred to as lateral movement. A correctly implemented zero trust architecture significantly reduces an attacker’s ability to move laterally, even after obtaining a digital key to one network element, precisely because every other system treats that system and its accounts as untrusted and re-verifies each request.
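Lateral movement leaves a signature that the “continuous monitoring” element of zero trust can catch: one account suddenly authenticating to many hosts in a short window. The following is an added example, not code from the original post or from Two Six Technologies; the log format, host names, account names and thresholds are assumptions constructed for illustration. It parses a handful of logon events and raises one alert per account whose distinct-destination fan-out exceeds a threshold inside a sliding window, counting failed attempts as well, since a stolen key being tried against hosts it cannot open is part of the same pattern.

```python
"""Lateral-movement fan-out detection over authentication events.

Added example, not from the original post. The log format, host names,
account names and thresholds are all assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). One logon per line:
# time|account|source_host|destination_host|result
SAMPLE_LOG = """\
2024-05-01T09:00:12|alice|ws-101|fileserver-1|success
2024-05-01T09:05:40|alice|ws-101|mail-1|success
2024-05-01T13:02:01|bob|ws-204|fileserver-1|success
2024-05-01T22:10:03|svc-backup|ws-101|db-01|success
2024-05-01T22:10:09|svc-backup|ws-101|db-02|success
2024-05-01T22:10:15|svc-backup|ws-101|app-03|success
2024-05-01T22:10:22|svc-backup|ws-101|app-04|success
2024-05-01T22:10:31|svc-backup|ws-101|dc-01|failure
2024-05-01T22:10:38|svc-backup|ws-101|dc-01|success
2024-05-01T22:11:04|svc-backup|ws-101|hr-share|success
2024-05-02T08:30:00|alice|ws-101|fileserver-1|success
"""


def parse_events(text):
    """Parse the constructed '|'-separated format into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, src, dst, result = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "src": src, "dst": dst, "result": result})
    return events


def detect_fan_out(events, window=timedelta(minutes=5), max_hosts=3):
    """Flag any account that reaches more than `max_hosts` distinct destination
    hosts within `window`. Failed logons count too. Returns one alert per
    account, widened as the burst continues (hosts, last_seen, failures)."""
    recent = defaultdict(deque)   # account -> (time, dst, result) still inside window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        q = recent[ev["account"]]
        q.append((ev["time"], ev["dst"], ev["result"]))
        while q and ev["time"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        hosts = sorted({d for _, d, _ in q})
        if len(hosts) <= max_hosts:
            continue
        alert = alerts.setdefault(ev["account"], {
            "account": ev["account"], "source": ev["src"],
            "first_seen": q[0][0].isoformat(), "hosts": [], "failed_attempts": 0,
        })
        alert["hosts"] = hosts
        alert["last_seen"] = ev["time"].isoformat()
        alert["failed_attempts"] = sum(1 for _, _, r in q if r == "failure")
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_fan_out(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a['account']} from {a['source']}: {len(a['hosts'])} hosts "
              f"{a['first_seen']}..{a['last_seen']}, "
              f"{a['failed_attempts']} failed -> {a['hosts']}")
```

In the constructed sample, alice and bob never exceed three hosts in five minutes, while svc-backup, a machine account driven from a workstation late at night, touches six hosts in about a minute including a failed attempt against a domain controller; that is the event a zero trust deployment should both alert on and block by re-verifying the account at each hop rather than trusting its first successful logon.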

Meanwhile, over the last decade, the capabilities of sophisticated foreign cyber threat actors have increased globally. Two Six Technologies’ paper references a 2023 cyberattack in which foreign actors “forged authentication tokens and gained several government email accounts, conducting espionage undetected for a month,” and the 2023 leak of “classified documents about the Russia-Ukraine War on Discord, compromising missions overseas.”

Where correctly stitching together the elements of a zero trust architecture matters most, especially in today’s cloud-based and hybrid computing environments, is in making sure that encryption keys are stored separately from the data they protect. Organizations get into cyber-related trouble, should they experience an attempted leak or breach, when the two are collocated: a threat actor who reaches the data then holds the keys as well, and full access to data and systems follows. Separating encryption keys from the associated data, so that reading a record requires a separate, independently authorized request to the key store, mitigates the chance of a difficult day. Without this implementation step, a zero trust architecture ends up relying on one or more of its distributed elements far more than it should.
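The following added example (not code from the original post or from Two Six Technologies) makes the two points above concrete at once: the strict separation of duties in feature 1, where no single administrator holds both the keys and the data, and the key/data separation discussed in this paragraph. It models a key management service that holds a key-encryption key it never hands out and only wraps or unwraps per-record data-encryption keys for authorized principals, a data store that keeps ciphertext beside the *wrapped* key only, and, for contrast, a collocated store that keeps its key next to the data. The service names, principals and record contents are assumptions, and the cipher is a stand-in built from HMAC-SHA256 (counter-mode keystream plus an authentication tag) so the block runs with the standard library alone; a real deployment would use AES-GCM or similar behind an actual KMS.

```python
"""Envelope encryption with the key-encryption key held outside the data store.

Added example, not code from the original post or from Two Six Technologies.
The KMS, stores, principals and record contents are assumptions. The cipher
is a toy stand-in for AES-GCM: HMAC-SHA256 as a counter-mode keystream plus
an HMAC tag, with separate encryption and MAC subkeys derived from the key.
"""
import hashlib
import hmac
import os


def _prf(key, label, length):
    """Deterministic bytes from HMAC-SHA256 in counter mode (keystream / KDF)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag under the toy authenticated cipher."""
    enc_key, mac_key = _prf(key, b"enc", 32), _prf(key, b"mac", 32)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _prf(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first; a wrong key or tampered blob raises, never decrypts."""
    enc_key, mac_key = _prf(key, b"enc", 32), _prf(key, b"mac", 32)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _prf(enc_key, nonce, len(ct))))


class KeyManagementService:
    """Holds the key-encryption key (KEK) and never hands it out. It only wraps
    and unwraps data-encryption keys (DEKs) for authorized principals, and it
    logs every request, whether granted or denied (the human-factor audit trail)."""
    def __init__(self, allowed_principals):
        self._kek = os.urandom(32)
        self._allowed = set(allowed_principals)
        self.audit = []

    def _authorize(self, principal, op):
        self.audit.append((principal, op))
        if principal not in self._allowed:
            raise PermissionError(f"{principal} may not {op} keys")

    def wrap(self, principal, dek):
        self._authorize(principal, "wrap")
        return encrypt(self._kek, dek)

    def unwrap(self, principal, wrapped):
        self._authorize(principal, "unwrap")
        return decrypt(self._kek, wrapped)


class SeparatedStore:
    """Keeps ciphertext beside its *wrapped* DEK only: a dump of this store
    contains no usable key material."""
    def __init__(self):
        self.records = {}

    def put(self, kms, principal, record_id, plaintext):
        dek = os.urandom(32)                                  # fresh key per record
        self.records[record_id] = (kms.wrap(principal, dek), encrypt(dek, plaintext))

    def get(self, kms, principal, record_id):
        wrapped, ct = self.records[record_id]
        return decrypt(kms.unwrap(principal, wrapped), ct)   # KMS re-authorizes every read


class CollocatedStore:
    """The anti-pattern: the key lives beside the data it protects."""
    def __init__(self):
        self.kek = os.urandom(32)
        self.records = {}

    def put(self, record_id, plaintext):
        self.records[record_id] = encrypt(self.kek, plaintext)


def attempt_read(store, kms, principal, record_id):
    """A principal's view of a record: ('ok', plaintext) or ('denied', reason)."""
    try:
        return ("ok", store.get(kms, principal, record_id))
    except PermissionError as exc:
        return ("denied", str(exc))


def dump_without_kms(store, record_id):
    """Attacker holding a full dump of SeparatedStore but no KMS grant. The only
    key-shaped bytes in the dump are the wrapped DEK, useless as a key."""
    wrapped, ct = store.records[record_id]
    try:
        return decrypt(wrapped[16:48], ct)   # the encrypted DEK bytes, tried as a key
    except ValueError:
        return None


def dump_collocated(store, record_id):
    """Attacker holding a full dump of CollocatedStore: the KEK came with it."""
    return decrypt(store.kek, store.records[record_id])
```

A storage administrator with a complete copy of `SeparatedStore` can read nothing, and every attempt shows up in the KMS audit log, while the same dump of `CollocatedStore` is the plaintext; granting the KMS role only to the application identity that must read the records, not to the people who run the storage, is the separation of duties feature 1 calls for.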

As a closing thought, while Two Six Technologies positions their paper on zero trust architectures as assisting government agencies, prime contractors to the U.S. government, and technology providers, my final bottom line up front is this: given the rate at which cyber threat actors are targeting all types of organizations, including healthcare organizations, utilities, and startups with valuable intellectual property, zero trust architectures are now a must-do for organizations of every kind in the face of growing digital risks globally.