Zero trust as a driver of legislation

In many cybersecurity circles, zero trust is misunderstood or dismissed as a buzzword. However, the substance behind zero trust is an established set of foundational security principles that predate the phrase. Although the term itself was popularized as a marketing label, it is an opportunity to have a discussion about protecting sensitive information, including personally identifiable information. This dialogue must include legislators from across the globe to establish informed policies for national security, economic stability and civil rights.

Is zero trust just a buzzword?

It’s understandable why zero trust can be off-putting to cybersecurity executives, buyers and implementers. After all, the cybersecurity industry is littered with buzzwords that are simply new ways to express existing cybersecurity principles. DevOps, DevSecOps, SecDevOps (or whatever the latest iteration of this term may be) are simply repackagings of classic software development fundamentals and best practices. Zero trust is no different.

Government has been in zero trust for years

Those who have worked in the US Government and Department of Defense (US DoD) know that protecting data in low-trust environments was standard practice long before the term zero trust existed. The US National Institute of Standards and Technology (NIST) publication on zero trust architecture (Special Publication SP 800-207) points this out explicitly. It’s also likely that other governments with advanced information management strategies and national security and intelligence gathering capabilities adopted similar approaches that also precede the term.

Why a changing landscape makes zero trust terminology so important

Today, data volume, frequency and distribution have changed drastically in low-trust environments. Application programming interfaces (APIs), once an “inside baseball” term for programmers, have now become a routine expression for business architects and executives. Many organizations are shifting from B2C to B2B2C models, adding more parties to the information supply chain. Distributed cloud architectures, multi-cloud services, IoT, distributed ledgers and non-fungible tokens (NFTs) are expanding. Data in motion from data owners to consumers is growing rapidly, and it demands protection as it moves from high-trust zones into uncertain or low-trust security zones.

In this emerging landscape, it’s important for everyone involved to understand the protection strategy, and if that strategy can be summed up in a single, widely recognized term, the concept of zero trust serves a useful purpose.

The importance of zero trust in public policy

For public policy, it’s very important to have a broader understanding of zero trust. Citizens’ personal data and critical infrastructure have already been affected by the expansion of data in motion. The Obama administration launched its Cloud First policy in late 2010 and 2011. A decade later, the US government cloud authorization program FedRAMP is in high gear, a few technical wrinkles notwithstanding. Even before Cloud First, industrial control systems (ICS) were already using internet protocols for control and communication between human operators, automated software and heavy industrial equipment.

Repeated breaches such as those at the Office of Personnel Management (OPM) and Colonial Pipeline have brought vulnerabilities to the attention of agency executives, politicians and constituents. Cyber operations attributed to Russia by Western governments have prompted the United States and NATO to warn citizens and industries about increased risk as the Ukraine conflict continues. Additionally, the EU and several US jurisdictions (California, most notably) have passed stronger legislation and penalties regarding the handling of personally identifiable information. As I mentioned in a previous article, 2022 is expected to bring expanded privacy legislation in large economies.

Zero trust can be a common framework and term for expressing the need to protect individual information and critical infrastructure. By expressing US cybersecurity policy in terms of zero trust (Executive Order 14028 of May 2021 directs federal agencies to advance toward a zero trust architecture), the Biden administration has established the zero trust concept as a foundational principle for protecting government systems. The usual political discord aside, such direct language from the executive branch usually becomes the reference for entities beyond the US federal government when building their cybersecurity strategies. These include US states, federal contractors and private industry in the context of public-private cybersecurity consortiums.

While this article has largely been written from a US perspective, the patterns are valid for legislation in other countries. While Western governments urge readiness for adversarial activity related to the Ukraine conflict, the advice has been broad. Given this gap, zero trust is an opportunity for governments and industry to give citizens and organizations more specific guidance on readiness. Reference architectures, position papers (such as those that Atos has published) and enabling technologies will provide more tactical information for planning and implementing architectures that increase data resilience.

Since zero trust strategy and informed legislation can have significant impacts on national security, economic stability and individual rights, cybersecurity service providers and buyers must pay close attention to their developments.

About the author

Dan Schaupner

Head of Cloud and Innovation, Global Digital Security Consulting, Atos

Dan Schaupner has been with Atos since 2017 and brings two decades of experience to his leadership of consulting activities.

Previously, Dan was CTO at a Washington DC risk management firm, advising the U.S. government on cloud security (FedRAMP/Trusted Internet Connection). During his career, Dan has advised business and technical leadership in many industries including finance, healthcare, higher education, manufacturing, and others.

Dan is a graduate of the Atos Gold for Technology Leaders program, member of the Atos expert community, and provides mentorship to the Atos FUEL program for emerging professionals. Dan holds an MBA from Virginia Tech, an Engineering Bachelor’s degree from the University of Michigan, and CISSP and CISM certifications.