Software Supply Chain Implications for Zero Trust

Webinar - Zero Trust

Zero Trust (ZT) has been the source of hope and confusion for many organizations looking to improve and modernize their security program. 

It is not a new concept, but President Biden’s 2021 Executive Order has recently highlighted it. The order cites Zero Trust, Software Supply Chains, and SBOM as critical pieces toward better securing American institutions and people against cyber attacks.

There is wide agreement that ZT concepts lead in a positive direction toward better security. Implementing it requires fundamental changes and raises questions: How does it really work? How do I apply it? What are its implications?

In this webinar,  Jerry Hoff and Julius Musseau break down Zero Trust’s fundamental concepts and resources. Also, they looked at Zero Trust’s implications for Applications, SBOM and Software Supply Chains.

Watch it now:

 

Webinar Highlights

Concept

Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.

Put more simply, zero trust security is a way of thinking about cybersecurity that trusts no one until they can be proved worthy. This proactive approach is designed to cut down on the number of breaches that occur by preventing access to systems and data until it can be guaranteed that the user is who they say they are and that they have a legitimate reason for wanting to access the data.

Definition

ZT provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privileged per-request access decisions in information systems and services in the face of a network viewed as compromised.

Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a ZT enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.

How Does Zero Trust Address Cybersecurity Challenges?

Zero trust security is an approach that addresses the inherent lack of trust in today’s networks. Because users can access resources from anywhere, companies have to rely on security measures that can’t be circumvented or ignored.

It addresses this challenge by verifying users and devices before granting access to any resource. This helps to ensure that only authorized users have access to the data they need, and it also helps to prevent unauthorized access, theft, or corruption of data.

ZT is an important part of today’s cybersecurity landscape, and it’s quickly becoming the new norm for companies of all sizes.

Strong Identity, Authorization & Data

Core Zero Trust Logical Components
Source: NIST

Which effectively means

  • Strong Authentication / Identity is paramount
  • Identity based access control for all connections
  • Encryption on all connections
  • Consistent application of security rules
  • Cloud and on prem workloads
  • Remote and on prem workers
  • Device Control / Inspection
  • Deliberate access granting / strong governance
  • Enriched monitoring

Base Pillars to build ZT

High-Level Zero Trust Maturity Model
Source: CISA

High-Level ZT Maturity Model

High-Level Zero Trust Maturity Model
Source: CISA

New Capabilities

  • Need for unified, centralized, overarching authentication
  • Need for centralized authorization & decision-making capabilities
  • Need for device information
  • Updated SOC capabilities (EDR)
  • Updated Training for Staff (design, implementation, deployment, production)
  • Internal delegation (who oversees centralized auth, authz, etc…)
  • Policy design, update, implementation (who ?)
  • Updated Governance (Many more decisions)

Implications for Application Security

  • Identity
  • Internally facing / externally facing paradigm breaking down
  • Secure connections
  • ZT is getting grouped together with new appsec regulations.

Conclusion

Zero trust security is an emerging cybersecurity paradigm that enables businesses to protect their data and resources by verifying the identities of all users, devices, and applications before they’re given access. In other words, with zero trust security, there are no trusted networks or users—everyone is treated the same, regardless of their past behaviour.

About the Author

Oscar van der Meer

Inspiring leadership and innovative technology expertise in Digital, Payments, Finance and Artificial Intelligence.