As a result of a recent decision by the US Supreme Court, agencies should consider themselves warned that the time has come to implement a Zero Trust Model to protect sensitive information from unauthorized access. The ruling was made earlier this summer, in the Van Buren v. United States case.
The case was initiated based on the actions of a former Georgia police sergeant who received money in exchange for providing the information he retrieved about a license plate number while using his patrol car computer. The Supreme Court ruled Van Buren’s access fell within the definition of authorized use as set forth in the Computer Fraud and Abuse Act of 1986 (CFAA).
The Case Syllabus for Van Buren v. United States summarizes as follows: “In sum, an individual exceeds authorized access when he accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders or databases – that are off limits to him.” As such, all parties agree that Van Buren was acting with authorization. In dispute was whether retrieving license plate information was within the scope of that authorization. It was determined he could; therefore, Van Buren did not exceed authorized access as defined in the CFAA, even though obtaining that information was most certainly for an improper purpose.
Steps to Implementing a Zero Trust Model
This ruling should put organizations on notice to reevaluate employee access to sensitive data. A “never trust, always verify” approach is critical. Here are five steps to establishing a Zero Trust protocol.
Understand Your Inventory
In order to protect your sensitive data, you must first conduct a thorough assessment of your cyberinfrastructure, creating an accurate inventory while gaining a good understanding of its reach. A Zero Trust architecture cannot be implemented without this critical first step.
For a Sustainable Approach, Make Incremental Changes
Unless you are building a computing environment from scratch, this Zero Trust architecture cannot be implemented in a single effort. You will likely need to merge your Zero Trust efforts with legacy ones. To make this transition easier, look for ways the Zero Trust tools can work within your existing environment. Establish changes that can be made in increments that are easy to manage. Include testing of what works for you and your organization, and then scale up.
Remember Zero Trust is not a One-size-fits-all Framework
Others have successfully navigated this change. Seek out their advice and recommendations. We at Acronis SCS are willing to share our experience with you. We can be a valuable resource in your efforts to establish your Zero Trust architecture.
Turn Tactics into Strategy
You may need to obtain high-level buy-in as you develop and rewrite IT policies to reach and maintain your Zero Trust goals. In today’s cybersecurity environment, with public awareness growing, this should not be a difficult task with your leadership, which should be aware of the need to adopt a Zero Trust model.
Empower your ‘Human Firewalls’
At its roots, a Zero Trust approach reflects two key principles.
- Trust no one.
- Verify everything.
In considering these principles, it is significant to note one study found around one-third of data breaches stemmed from spear-phishing, and errors attributed to human mistakes have a causal role in over one-fifth of breaches.
As such, a Zero Trust implementation should minimize the impact any human-caused breach would have. At the same time, you should not write off the critical role humans play in protecting your systems and information from any form of compromise, such as data loss and cyberattacks.
As you put your Zero Trust architecture in place, it is critical you ensure every employee is an active participant by empowering them to do so. Training and information sessions should be designed to instill a culture of security across the workforce. Be sure every employee has the power to be a human firewall — #Cyberfit, constantly vigilant, and resilient. As with most changes of this nature, implementing a Zero Trust Architecture must be a team effort to succeed.
Working with Acronis SCS on Your Zero Trust Journey
At Acronis SCS, we’ve been down this path before. We’ve implemented Zero Trust architecture within our own organization and have a wealth of experience and knowledge to share with our partners. We encourage organizations ready to get started to contact us as soon as possible.
Your specific needs will likely be different than our own or those of other organizations. Still, our experience both with our own implementation process and considering our position as a leading provider of US public sector cybersecurity solutions can help guide the way.
Active anti-ransomware protection, such as Acronis SCS Cyber Backup 12.5 Hardened Edition, can protect your company from unnecessary and costly data breaches, while a simple notarization and digital authentication solution can prevent malevolent actors from altering your data.
The results of Van Buren v. United States have indeed put the public sector on notice. As a result, it’s clear that action must be taken swiftly to secure our nation’s most sensitive data. That action begins with implementing a Zero Trust Architecture.