President’s Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity mandates rapid development of plans by every federal agency for modernizing their approach to cybersecurity. One of the most crucial improvements called for is the implementation of Zero Trust Architecture.
The Executive Order (EO) makes clear that Zero Trust tenets will need to be built into any software the federal government acquires or that its contractors use. The EO mandates amendments to the Federal Acquisition Regulation (FAR) to get that done. The aim is to improve not just federal cybersecurity but also that of the private sector that we’re all so dependent on—as vividly revealed by the Colonial Pipeline incident.
Changes to FAR and likewise, DFARS, mean that to continue to do business with the DoD, defense contractors will need to incorporate Zero Trust Architecture into their communication and collaboration platforms.
What is Zero Trust?
The National Security Agency’s (NSA’s) February 2021 memorandum, Embracing a Zero Trust Security Model, describes a Zero Trust security model as one that “eliminates trust in any one element, node, or service” and “assumes that a breach is inevitable or likely has already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.”
Modern Zero Trust security differ fundamentally from legacy systems that focus on hardening the perimeter by creating the equivalent of bigger and bigger barriers around sensitive data and network boundaries. Instead, a Zero Trust mindset eliminates any vestiges of trust when it comes to protecting networks and core data by constantly verifying every user, device, application, and data flow.
Zero Trust for Securing Communications and Collaboration
Zero Trust Architecture is designed to secure the entire breadth of computing services, data resources, and network locations across enterprises. One of the most critical components of that landscape is communication and collaboration systems. These systems—particularly emails and sensitive documents—are by far the most targeted and vulnerable points of attack. As such, communication and collaboration systems are the logical first place to apply Zero Trust principles to improve cybersecurity.
Simply put, communication and collaboration systems have three key components, each of which presents security challenges:
- Servers, through which all emails and data pass. Legacy systems that focus on securing the perimeter leave servers and their assets vulnerable when inevitable breaches occur. Even legacy systems that use encryption in transit and at rest—as called for in President Biden’s Executive Order—don’t go far enough. They’re vulnerable to hackers because data is decrypted on the server when it’s in use. If a server can see the data stored on it, hackers can too.
- Users, up and down supply chains. Users present a range of security threats flowing from their many devices and accounts. Most systems require users to create passwords to authenticate their identity, despite the fact that they are often weak and so are routinely guessed or stolen. And users are also constantly targeted via phishing and spoofing.
- Administrators, whose data access makes them a central point of attack. Given administrators broad privileges and access to organizations’ data resources, the most serious data breaches occur when admins are compromised or go rogue. It is not uncommon for hackers to compromise a single administrator and gain access to all of an organization’s emails, files, and other data assets.
- Employs state-of-the-art end-to-end encryption that secures data resources at every point in the communications and collaboration cycle
- Eliminates passwords and uses automatically-generated cryptographic keys instead
- Dramatically reduces phishing and spoofing attacks via Trusted Communities that limit communication to pre-approved and authenticated partners
- Protects admins against attacks via Approval Groups that eliminate trust in any single person, and instead rely on authorization for privileged actions from a per-determined set of approvers
- Automatically tracks all actions in tamper-proof logs and raises alerts in live time in critical situations
PreVeil implements Zero Trust principles
Zero Trust principles are not just a theoretical construct. PreVeil was built from the ground up to implement Zero Trust principles. Its email and filing sharing platform:
PreVeil knows, though, that better security isn’t enough: if security is difficult to use, it won’t be used. PreVeil is designed to deploy easily as an overlay system, with no impact on existing file and email servers. And it’s easy for users to adopt because it works the tools they already use, including their regular email address.
PreVeil is affordable too—a key factor for small- to medium-size defense contractors who often don’t have the resources and skills to build the secure systems they need. Hackers know this and frequently target such companies. PreVeil helps to turn the tables on that tactic by offering world class security at low costs.
Finally, because PreVeil embeds Zero Trust principles to protect CUI (Controlled Unclassified Information), it helps contractors comply with DFARS 252.204-7012, NIST 800-171, ITAR 120.54, and CMMC Level 3. PreVeil offers several resources in its library that explain how PreVeil accelerates your path to compliance.
PreVeil’s hope is that widespread adoption of a Zero Trust mindset will help take your organization’s security to a higher level, one needed to address today’s threat environment and to comply with federal mandates. To learn more, read our brief, Zero Trust: A better way to enhance cybersecurity and achieve compliance.