The zero trust approach to managing cyber risk
by Kapua Iao
The zero trust approach to cybersecurity is exactly what it sounds like. The objective is to trust no one automatically and to consider everyone a potential threat.
At Paubox, we have explored and welcomed the concept of zero trust when it comes to email security (i.e., HIPAA compliant email) with our patent-pending Zero Trust Email feature that comes with Paubox Email Suite Plus.
Such strong security measures are vital to all organizations that must safeguard sensitive data, such as protected health information (PHI). And after several recent high-profile data breaches, the U.S. government has moved toward adopting a zero trust cyber strategy for all federal agencies.
What is zero trust security?
Zero trust security assumes that every person and device that accesses a network is a potential threat. It requires repeated verification to access a network and/or system.
This approach is especially pertinent because many cyberattacks stem from negligence or insider threats as much as from external attackers. The need for zero trust becomes even more apparent as threats and attacks increase and as more and more organizations shift to cloud computing.
Traditional security relies on perimeter defenses; once past such fences (e.g., inside an office’s intranet), threat actors can easily move around a network. This is why the idea of zero trust is to minimize access using the core principles of:
- Multifactor authentication (MFA)
- Least-privilege access (i.e., privileged access management)
- Monitoring all activities
In healthcare, zero trust requires all who want access to validate their identity before receiving, sending, or viewing PHI.
The federal approach to zero trust
In March 2021, the White House began exploring new cybersecurity approaches given what some experts call a ransomware epidemic.
Then in September 2021, the White House Office of Management and Budget (OMB) released a Federal Zero Trust Strategy blueprint for all federal agencies.
The draft comes directly after the Cybersecurity and Infrastructure Security Agency (CISA) published guides on Cloud Security Technical Reference Architecture and Zero Trust Maturity Model. All three releases work together to assist agencies in implementing a zero trust approach, focusing on key outcomes and requirements.
The Biden administration is requiring federal agencies to adopt its zero trust goals by the start of fiscal year 2024. These goals are based on the Zero Trust Maturity Model’s five pillars:
- Institute enterprise-wide MFA
- Inventory all devices
- Encrypt networks
- Treat all applications as internet-connected
- Improve how data is monitored
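As an added illustration of the three core principles above (MFA, least-privilege access, monitoring) and of the device-inventory and monitoring pillars in the federal list, here is a per-request policy check written for this article; it is example code, not Paubox's or OMB's, and the roles, device IDs and addresses are constructed. It also shows the perimeter model the article warns about, where an internal address alone earns trust.

```python
"""Added example (not Paubox's code): a per-request zero trust policy check.
Every request is judged on its own merits, even from an 'internal' address:
MFA must be complete, the device must be enrolled, the action must fall within
the principal's least-privilege role, and every decision is recorded."""
from dataclasses import dataclass, field

# Constructed role -> permitted (resource, action) pairs (least privilege).
ROLE_PERMISSIONS = {
    "nurse": {("patient_record", "read")},
    "billing": {("invoice", "read"), ("invoice", "write")},
}
# Constructed device inventory: only enrolled devices may touch PHI.
DEVICE_INVENTORY = {"dev-1001", "dev-1002"}

@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool
    device_id: str
    resource: str
    action: str
    source_ip: str

@dataclass
class PolicyEngine:
    audit_log: list = field(default_factory=list)

    def decide(self, req: Request) -> tuple[bool, str]:
        """Return (allowed, reason); every outcome is logged for monitoring."""
        if not req.mfa_verified:
            reason = "deny: MFA not completed"
        elif req.device_id not in DEVICE_INVENTORY:
            reason = "deny: device not in inventory"
        elif (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
            reason = f"deny: role {req.role!r} lacks {req.action} on {req.resource}"
        else:
            reason = "allow"
        allowed = reason == "allow"
        # The source address is recorded for monitoring but never used as a trust signal.
        self.audit_log.append((req.user, req.source_ip, req.resource, req.action, reason))
        return allowed, reason

def perimeter_decide(req: Request) -> bool:
    """The perimeter model: anything inside the intranet (constructed 10.0.0.0/8) is trusted."""
    return req.source_ip.startswith("10.")
```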
The OMB press release quoted Clare Martorana, Federal Chief Information Officer, reiterating:
Never trust, always verify. With today’s zero trust announcement, we are clearly driving home the message to federal agencies that they should not automatically trust anything inside or outside of their perimeters.
So is it possible?
The short answer is yes, zero trust is possible (and necessary) to adopt. But the long answer comes from CISA’s Zero Trust Maturity Model: “The path . . . is an incremental process that will take years to implement.”
A shift to this complex approach means a lifestyle change and a fortifying of modern cyber defenses.
Nevertheless, such an approach is essential given today’s reliance on technology. And it doesn’t mean removing perimeter defenses as much as adding more layers to a cybersecurity framework.
According to a recent Wall Street Journal article, additional layers beyond the five pillars could mean:
- Monitoring all connections in real-time
- Tightening access controls
- Cordoning off outdated, unpatched technology
- Utilizing network segmentation
- Training employees properly
And continuing the use of perimeter defenses that do work, such as blanket outgoing email encryption and strong inbound email security that come with Paubox Email Suite Plus.
Zero trust email security
Paubox Email Suite Plus, one of our HITRUST CSF certified solutions, protects email from inbound and outbound threats. All outbound emails are encrypted directly from your existing email platform (e.g., Microsoft 365 or Google Workspace), requiring no change in email behavior.
It also offers robust inbound security tools that prevent threats like phishing emails from even entering an employee’s inbox. Instead, malicious messages are quarantined for further review under our patent-pending security feature, Zero Trust Email, which requires another layer of verification before any email is delivered.
Given the rise of cyberattacks against healthcare organizations, zero trust should be adopted. Requiring user verification and authorization at each access point is an essential step to protecting an organization.
A zero trust approach to cybersecurity will keep federal agencies and all organizations safe from the costs of a data breach.