Zero-Trust Security: What Architects Need To Know
Implementing zero trust may seem daunting, but it is also an opportunity to integrate more secure coding practices into your software applications from the start. Zero-trust security assumes that all traffic on your internal network is potentially malicious. Consequently, it requires taking measures to:
- Identify all devices, users, applications, and services
- Ensure that traffic goes only where it is needed, not just at the network level but also at the application level
Zero trust benefits security practitioners by providing a workable model for security systems design. Properly implemented, the design improves the safety of an organization's assets.
There is a huge interest in zero-trust security across industries and particularly in the federal government. In May 2021, the White House issued Executive Order 14028, requiring all agencies to submit a plan for implementation of zero-trust security in their IT systems. Since then, numerous agencies have produced guidance for zero trust:
- The Department of Defense has a reference architecture.
- The National Institute of Standards and Technology has issued two documents.
- The National Security Agency has published a maturity model.
- The Cybersecurity and Infrastructure Security Agency has generated a wealth of guidance on zero trust.
In a for-profit company, zero-trust can reduce cybersecurity premiums and enhance the company's overall risk profile with possible positive effects on its stock price and value. In government, improved security through zero trust can help prevent intrusions by adversarial nation-states or other enemies of the nation.
While guidance on zero trust abounds, one key question rarely arises: What problems is it trying to solve? Read the full blog to learn more.