US House Recommends 'Zero-Trust' Model for Insider Data Access
Federal agencies seeking to prevent another major hack of personal data must establish a "zero-trust" system that treats government employees as just as big a threat to cybersecurity as foreign attackers, a US House panel has recommended.
In addition to slamming the Office of Personnel Management over the breach, the 231-page report by the Oversight and Government Reform Committee noted that "the zero-trust model centers on the concept that users inside a network are no more trustworthy than users outside a network."
The report recommends that federal agencies enforce stricter controls over how employees and government contractors are given access to their computer networks. The OPM breaches, which affected 22 million people, revolved around government contractors, for instance: two contractors that conducted employee background checks for OPM were themselves victims of hackers. Outside of OPM, the most famous example is probably Edward Snowden, who gained access to the NSA's classified documents and other systems by virtue of his status as an IT contractor.
"The zero trust model … assumes that all traffic traveling over an organization's network is threat traffic until authorized by the IT (information technology) team," the report said.
Security researchers agree with the premise. According to Rick Hanson, the executive vice president of sales at Skyport Systems, “A zero-trust model is essential for not only government employees accessing their core system, but also as part of the government's overall compute platform.”
Speaking via email, he added, “Federal agencies need to rethink how users are granted trust in their systems, and design their systems this way as well. As we enter a riskier threat landscape, the model for trust needs to evolve. All trust should be earned both on the user side and the computer side—never implicitly granted."
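To make the principle in the report's definition and in Hanson's remarks concrete, the following is an added example (not code from the Infosecurity article, the House report, or Skyport Systems): a toy policy engine that decides the same request two ways. The perimeter model treats network location as the credential, so anything already inside is trusted; the zero-trust decision never looks at location and instead requires an authenticated identity, an attested device, and an explicit grant for that principal, resource and action. The addresses, identities, resources and grants are constructed sample data, and the "device attested" flag stands in for whatever posture or attestation check a real deployment would run.

```python
# Added example, not code from the Infosecurity article or the House report.
# Contrasts the perimeter model (trust anything already inside the network)
# with a zero-trust decision that ignores network location and requires an
# authenticated user, an attested device and an explicit grant.
# All addresses, identities, resources and grants below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical "inside the network" address space consulted by the perimeter model.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Explicit per-resource grants: (principal, resource, action). Constructed data.
GRANTS = {
    ("alice@agency.example", "background-check-db", "read"),
    ("vendor@contractor.example", "hr-portal", "read"),
}


@dataclass(frozen=True)
class Request:
    source_ip: str
    user: Optional[str]      # authenticated principal, or None if unauthenticated
    device_attested: bool    # stands in for a device posture / attestation check
    resource: str
    action: str


def perimeter_decide(req: Request) -> Tuple[bool, str]:
    """Perimeter model: location is the credential. Inside means trusted."""
    ip = ipaddress.ip_address(req.source_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return True, "source is inside the network"
    return False, "source is outside the network"


def zero_trust_decide(req: Request) -> Tuple[bool, str]:
    """Zero trust: every request is threat traffic until each check passes.
    Network location is never consulted; trust is earned per request."""
    if req.user is None:
        return False, "no authenticated identity"
    if not req.device_attested:
        return False, "device not attested"
    if (req.user, req.resource, req.action) not in GRANTS:
        return False, "no explicit grant for this principal/resource/action"
    return True, "identity, device and grant all verified"


# Constructed requests chosen to show where the two models diverge.
SAMPLES = {
    # Contractor on the internal network reaching for data they were never granted.
    "contractor_lateral": Request("10.20.30.40", "vendor@contractor.example", True,
                                  "background-check-db", "read"),
    # Legitimate employee working from a home address on an attested device.
    "employee_remote": Request("203.0.113.7", "alice@agency.example", True,
                               "background-check-db", "read"),
    # Stolen credentials replayed from an internal host that never passed attestation.
    "stolen_creds_internal": Request("10.9.8.7", "alice@agency.example", False,
                                     "background-check-db", "read"),
}


def compare(name: str) -> dict:
    """Return both models' allow/deny verdicts for one named sample request."""
    req = SAMPLES[name]
    return {"perimeter": perimeter_decide(req)[0], "zero_trust": zero_trust_decide(req)[0]}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:22s} perimeter={perimeter_decide(req)}  zero_trust={zero_trust_decide(req)}")
```

Run it and the two models disagree on every sample: the perimeter model lets the contractor and the stolen-credential replay through because they originate inside 10.0.0.0/8, and blocks the legitimate employee because she is outside it; the zero-trust decision inverts all three, because each request must earn trust on its own merits and the denial reason is recorded for audit.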
The issue isn't just a problem for government to solve: a recent report from the Ponemon Institute found that 72% of surveyed organizations are not confident in their ability to manage and control employee access to confidential documents and files. The primary cause of data breaches experienced by companies was the careless employee (56%), followed by lost or stolen devices (37%).
“What should be concerning to C-level executives and corporate boards is that most organizations have no idea where mission-critical information is located on the corporate network, who has access and what they are doing with that information,” said Bill Blake, president of Fasoo, which sponsored the report. “Deploying DRM solutions is a first step. Beyond that, organizations must be vigilant in applying and enforcing security policies as well as knowing where the organization’s most valuable information is located at all times.”
Source: Information Security Magazine