
Zero Trust Security for CMMC Compliance

Cyber vulnerabilities are present, and they will only get worse before they improve.

That was Glenn Gerstell’s focal point in yesterday’s PreVeil webinar, Getting to Zero Trust: A New Mindset for CMMC Security, moderated by PreVeil co-founder Sanjeev Verma. The webinar highlighted the fundamental point of Zero Trust security: eliminate trust in any one element, node or service by assuming that a breach is inevitable or has already occurred. Panelists Glenn Gerstell, Lt. Gen. Ed Cardon, and Raluca Ada Popa each brought their own perspective to this definition, from academia to government and national defense.

What is Zero Trust?

A model for security that eliminates trust in any one element, node or service by assuming that a breach is inevitable or has already occurred.

Glenn Gerstell, the former General Counsel of the NSA, kicked off the conversation by describing the threat landscape and explaining that the old-school way of securing data is no longer sufficient. Major security breaches, including last year’s SolarWinds attack, illustrate the point. And the Office of the Director of National Intelligence’s Global Trends 2040 report projects continued cyber insecurity as the attack surface expands and the number of attackers grows.

Gerstell went on to highlight that foreign adversaries, particularly Iran, North Korea, China, and Russia, pose significant and sophisticated cybersecurity threats. Attackers from these countries will inevitably get into our systems, but by implementing Zero Trust security we will be better able to protect ourselves. Implementing Zero Trust systems may be an arduous task, but it is a necessary one.

Ed Cardon, former head of U.S. Army Cyber Command, echoed Gerstell’s view that intrusions by adversaries are inevitable. Cardon said that by using a Zero Trust model, we can gain confidence in the security of the hardware and software used in CMMC environments. The closer an organization gets to Zero Trust security, the better it is able to protect CUI and defend the supply chain.

The Lieutenant General also noted that we cannot just rely on taller walls to protect our data. Our data is the prize, and we have to be able to trust the data. If we assume everything can be hacked, then we need Zero Trust models to protect the data itself.

Raluca Popa, Professor of Computer Science at UC Berkeley and one of PreVeil’s co-founders, offered insight into the technical details of Zero Trust. She also echoed that breaches are relentless. They will continue because existing mechanisms for stopping them are weak. Legacy systems focus on protecting the perimeter by building bigger and bigger walls around data. But these walls, and the servers behind them, are made of software, and software inevitably has bugs that attackers can exploit.

Zero Trust systems, she notes, offer a much better alternative for protecting the data because they assume attackers will get access to the stored data. When a Zero Trust system uses end-to-end encryption, data is only ever decrypted on the user’s device, never on the server. Even if an attacker gets to the data on the server, all she gets is gibberish.
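What that guarantee looks like in code, as an added example that is not part of the original post and not PreVeil’s own implementation: the sender’s device encrypts a message to the recipient’s public key, the server stores nothing but the resulting envelope, and only the recipient’s device can turn it back into plaintext. The construction (X25519 key agreement with a one-time sender key, a SHA-256 key derivation, AES-256-GCM), the type and function names, and the sample message are all assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is all the server ever stores or relays; every field is safe to expose.
type Envelope struct {
	EphemeralPub []byte // sender's one-time X25519 public key
	Nonce        []byte // 12-byte AES-GCM nonce, fresh per message
	Ciphertext   []byte // AES-256-GCM output with the 16-byte tag appended
}

// Device models a user's endpoint. Its private key never leaves it.
type Device struct{ priv *ecdh.PrivateKey }

func NewDevice() (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &Device{priv: priv}, err
}

// PublicKey is what a device publishes (through the server) so others can write to it.
func (d *Device) PublicKey() []byte { return d.priv.PublicKey().Bytes() }

// aeadFor derives the message key from the X25519 shared secret, hashing in both
// public keys to bind it to this exchange (assumed, demo-only KDF), and returns AES-256-GCM.
func aeadFor(priv *ecdh.PrivateKey, peerPub, ephemeralPub, recipientPub []byte) (cipher.AEAD, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	for _, part := range [][]byte{[]byte("e2ee-demo-v1"), secret, ephemeralPub, recipientPub} {
		h.Write(part)
	}
	block, err := aes.NewCipher(h.Sum(nil)) // 32-byte digest selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the sender's device: encrypt to recipientPub under a one-time key
// pair. The plaintext is gone before anything is handed to the server.
func Seal(plaintext, recipientPub []byte) (Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aeadFor(eph, recipientPub, ephPub, recipientPub)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	// The ephemeral key is bound in as additional data, so a server that swaps it
	// for its own key makes decryption fail instead of quietly succeeding.
	ct := gcm.Seal(nil, nonce, plaintext, ephPub)
	return Envelope{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the recipient's device, the only place plaintext ever exists.
func (d *Device) Open(env Envelope) ([]byte, error) {
	gcm, err := aeadFor(d.priv, env.EphemeralPub, env.EphemeralPub, d.PublicKey())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}

// ServerSeesPlaintext is the attacker's view of a stolen server copy: do the
// message bytes appear anywhere in what was stored? For working E2EE: never.
func ServerSeesPlaintext(env Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Ciphertext, plaintext)
}

func main() {
	alice, _ := NewDevice()
	bob, _ := NewDevice()
	msg := []byte("CUI: drawing rev C attached") // constructed sample message
	env, _ := Seal(msg, bob.PublicKey())           // on Alice's device
	_, wrongKeyErr := alice.Open(env)              // stolen copy, wrong private key
	pt, _ := bob.Open(env)                         // on Bob's device
	fmt.Println(ServerSeesPlaintext(env, msg), wrongKeyErr != nil, string(pt))
}
```

Two caveats a practitioner should keep in mind. End-to-end encryption protects against a breached server, not a breached endpoint: whoever controls Bob’s device, or Alice’s before she encrypts, sees the plaintext. And this demo leaves out what deployed systems such as Signal add on top: verification that the public key fetched through the server really belongs to Bob, and sender authentication, since here anyone holding Bob’s public key can write to him. The server also still learns metadata (who writes to whom, when, and how much), which encryption alone does not hide.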
 

The webinar’s panelists brought color to Zero Trust technologies by noting that these systems aren’t just theoretical. WhatsApp and Signal are Zero Trust systems available to consumers, and PreVeil is available to the enterprise.

More generally, Gerstell noted that Zero Trust is already used in the government’s classified systems and in the computer systems of large enterprises. Moving more broadly from traditional security to Zero Trust will be difficult and expensive. But, says Gerstell, we should do it anyway because the alternatives are even more difficult and expensive.

Moving … from traditional to Zero Trust will be difficult and expensive. But … we should do it anyway because the alternatives are even more difficult and expensive.

While the panelists drew on different experiences, their unifying message was that the best time to start securing data is right now. We can’t wait to take cybersecurity seriously until a breach occurs. That sense of urgency ran throughout the webinar. As the public better understands the scale of security breaches and why they occur, it will come to see why Zero Trust is the state-of-the-art approach to adopt.

Watch PreVeil’s Zero Trust webinar with Glenn Gerstell, Lt. General Ed Cardon and Raluca Popa.
