Originally Posted by Forbes – via forbes.com – February 18, 2021

Security by Design, Defense in Depth, Zero Trust

Our digital world is under assault, and we urgently need to upgrade our defenses. In the past couple of years, the digital attack surface has vastly expanded through the move to remote work, more people coming online, and greater interconnectivity of PCs and smart devices around the globe. Simultaneously, criminal enterprises and state actors have taken advantage of the lack of visibility and security administration. They share resources and tactics on Dark Web forums and are growing more sophisticated, using advanced hacking tools that let them discover vulnerable targets, plant malware, and automate attacks.

The recent SolarWinds breach, which circumvented the cyber-defenses of numerous countries and most of the Fortune 500 companies, was yet another wake-up call to an overwhelmed cybersecurity ecosystem incessantly bombarded by phishing, ransomware, spoofing, and Distributed Denial of Service attacks. The research firm Cybersecurity Ventures estimates that by 2025 the cost of cybercrime from multi-vector breaches will amount to $10.5 Trillion. (Source: Cybercrime to Cost the World $10.5 Trillion Annually By 2025, cybersecurityventures.com)

We are also in a state of cyber-flux. Many companies and institutions are in the process of moving away from legacy systems to Cloud, Hybrid Cloud, and Edge Platforms to consolidate and secure data. Emerging technologies such as the Internet of Things, machine learning and artificial intelligence, and 5G are creating operational shifts that will bring new cybersecurity requirements. Exacerbating the challenge is the global dearth of qualified cybersecurity workers and expertise available to help defend the data at risk.

The 2021 World Economic Forum Global Risks Report sums up our cyber predicament: “Business, government, and household cybersecurity infrastructure and/or measures are outstripped or rendered obsolete by increasingly sophisticated and frequent cyber-crimes, resulting in economic disruption, financial loss, geopolitical tensions and/or social instability.” (Source: The Global Risks Report 2021, World Economic Forum, weforum.org)

As cybersecurity gaps abound, there has been growing panic in both industry and government about how to protect the cyber landscape. Three significant risk-management themes have been put forward to help reduce risk across the digital ecosystem: security by design, defense in depth, and zero trust. Together they form a triad, three strong pillars of risk management needed for a successful cybersecurity strategy.

Security by Design is really the starting point of a risk management process—especially if you are a software or hardware developer concerned with security. In an article in United States Cybersecurity Magazine, cybersecurity expert Jeff Spivey provided an excellent working definition: “Security by Design ensures that security risk governance and management are monitored, managed and maintained on a continuous basis. The value of this ‘holistic’ approach is that it ensures that new security risks are prioritized, ordered and addressed in a continual manner with continuous feedback and learning.” (Source: Security by Design, United States Cybersecurity Magazine, uscybersecurity.net)

Defense in Depth. A variety of strong definitions for defense in depth exist in the security community. A NIST publication defines the defense-in-depth concept as “an important security architecture principle that has significant application to industrial control systems (ICS), cloud services, storehouses of sensitive data, and many other areas. We claim that an ideal defense-in-depth posture is ‘deep’, containing many layers of security, and ‘narrow’, the number of node independent attack paths is minimized.” (Source: Measuring and Improving the Effectiveness of Defense-in-Depth Postures, NIST)
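To make the “deep and narrow” criterion concrete, here is an added Python example (not from the article or from the NIST paper it cites) that models an enterprise as a small attack graph and computes a simplified version of both measures: depth as the number of defensive layers on the shortest path from the internet to the data, and width as the number of node-independent attack paths, found as a unit max-flow over a node-split graph. The two graphs, their node names and the edge semantics are constructed for the illustration.

```python
from collections import deque

# Constructed attack graphs (not from the article): edge A -> B means an
# attacker controlling A can attempt to reach B; inner nodes are the layers.
NARROW = {"internet": ["fw", "vpn"], "fw": ["web"], "vpn": ["jump"],
          "web": ["app"], "jump": ["app"], "app": ["db"], "db": []}
# Same graph plus a shallow side door: a "mgmt" host reachable from outside.
WIDE = dict(NARROW, internet=["fw", "vpn", "mgmt"], mgmt=["db"])

def _residual(graph, src, dst):
    """Node-split residual graph: layer v becomes v_in -> v_out with
    capacity 1, so each layer can appear in at most one counted path."""
    cap = {}
    def add(u, v):
        cap.setdefault(u, {})[v] = 1
        cap.setdefault(v, {}).setdefault(u, 0)  # reverse (residual) edge
    for u, nbrs in graph.items():
        if u not in (src, dst):
            add(u + "_in", u + "_out")
        for v in nbrs:
            add(u if u in (src, dst) else u + "_out",
                v if v in (src, dst) else v + "_in")
    return cap

def _augmenting_path(cap, src, dst):
    """BFS for the shortest path with spare capacity; returns a parent map."""
    parent, q = {src: None}, deque([src])
    while q and dst not in parent:
        u = q.popleft()
        for v, c in cap.get(u, {}).items():
            if c > 0 and v not in parent:
                parent[v] = u
                q.append(v)
    return parent if dst in parent else None

def posture(graph, src, dst):
    """(depth, width): depth = layers on the shortest attack path, width =
    node-independent attack paths (Menger's theorem); (0, 0) if unreachable."""
    cap = _residual(graph, src, dst)
    parent = _augmenting_path(cap, src, dst)
    depth = width = 0
    while parent:  # Edmonds-Karp: push one unit along each augmenting path
        v, hops = dst, 0
        while parent[v] is not None:
            u = parent[v]
            cap[u][v] -= 1
            cap[v][u] += 1
            v, hops = u, hops + 1
        if width == 0:  # the first path BFS finds is the shortest one
            depth = (hops - 1) // 2  # each layer costs two residual hops
        width += 1
        parent = _augmenting_path(cap, src, dst)
    return depth, width
```

On the constructed graphs, NARROW scores (3, 1): three layers deep and every route funnels through the single "app" chokepoint, while WIDE scores (1, 2) because the side door both shortens the path and adds an independent one, which is exactly what the quoted definition says a good posture should avoid.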

NIST’s Zero Trust Architecture publication describes the third pillar this way: “Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero-trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource. This document contains an abstract definition of zero trust architecture (ZTA) and gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture.” (Source: Zero Trust Architecture, NIST)

Zero trust is the newest of the three pillars and has not yet received the investment or focus of the others, but both industry and government are now prioritizing it. In government, the Department of Homeland Security is leading the civilian effort to explore and optimize the zero-trust approach. On the defense and intelligence side, a zero-trust pilot is being undertaken as a joint effort by U.S. Cyber Command, the Defense Information Systems Agency, and the National Security Agency, which are lab-testing various technologies. According to Neal Ziring, technical director of NSA’s Cybersecurity Directorate, “The team has been able to demonstrate the effectiveness of zero trust at preventing, detecting, responding and recovering from cyberattacks.” (Source: DHS, NSA creating reusable pieces to zero trust foundation, Federal News Network)

When Security by Design, Defense in Depth, and Zero Trust are combined, cybersecurity becomes stronger. Security by design monitors, manages, and maintains the security process. Defense in depth layers redundant protective measures to help deter data breaches. And zero trust focuses on protecting resources (assets, services, workflows, network accounts) through strict identity and access management, enforced by authentication and proper authorization.

These three pillars of cybersecurity risk management need not stand alone. In fact, they should all be incorporated together into a cybersecurity framework strategy to identify gaps, mitigate threats, and build resilience for the inevitable cyberattack. Of course, many other elements and protocols are associated with putting these risk management pillars to use. Combining them creates a more holistic mindset that also makes it easier to plan and adapt. With the growing sophistication of global cyber-threats and the expanding digital attack surface, a vigilant three-pillar approach makes good sense.