Earlier this month, the Air Force Chief Information Officer released a new 27-page cybersecurity strategy dubbed Zero Trust. In a broad sense, Zero Trust represents a shift from the traditional cybersecurity model of ‘castle and moat’ into a model of ‘every room is guarded.’ In the traditional model, large networks are protected via a large firewall that requires user credentials to access. This can be akin to a moat guarding a castle, where once access has been granted and an individual is allowed to walk across the moat, that individual is now free to roam the castle. In the cybersecurity model outlined in Zero Trust, every room of the castle is guarded and getting across our proverbial drawbridge only grants access to additional rooms for which you have permission to enter.
While coalescing a broader cybersecurity strategy is certainly a positive thing, the report itself outlines several serious risks that could delay or derail the proposed paradigm shift entirely. These risks include:
- Institutional resistance to the proposed cultural shift
- Insufficient tools needed for automated data tagging, labeling and management
- Nascent state of endpoint cybersecurity for non-IT equipment
- A lack of industry standards leading to proliferation of proprietary solutions and danger to vendor lock-in
- The need for a complete overhaul of all Air Force data centers
I have written in the past about private companies being reluctant to share technical data regarding cybersecurity capabilities to competitors in the name of the greater good. Another interesting element that I had not considered but was highlighted in the report are the dangers of vendor-lock. While companies like to advertise their systems as “plug and play,” those environments rarely exist and are even more rare in technical realms such as IT. The result is that Government enterprises design their system network around highly customized products. Introducing additional products from different vendors worsens the problem, as every new product requires custom integration which represents sunk cost. At the end of the day, serious cybersecurity risks will remain until a standardized API for the federal government is released and enforced. There is simply too much capitalistic pressure on companies to continue as is.
Source: The Air Force’s Zero Trust Strategy Is Out—and Acknowledges Big Hurdles