U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)
Keynote

When Perimeter Defenses Are Not Enough: How Multidimensional Protection Strategies Can Provide True Cyber Defense-in-Depth

April 21, 2020

Presenters

Ron Ross
ron.ross@nist.gov

Description

Virtual Keynote for ISMG Virtual Cybersecurity Summit: Zero Trust, April 21, 2020

When Perimeter Defenses Are Not Enough: How Multidimensional Protection Strategies Can Provide True Cyber Defense-in-Depth
 
The Advanced Persistent Threat (APT) is extremely dangerous to the national and economic security interests of the United States. We are totally dependent on computing systems of all types—including traditional Information Technology systems, Operational Technology systems, Internet of Things (IoT) systems, and Industrial IoT systems—to accomplish critical missions and business functions. The recent and rapid convergence of these types of systems has brought forth a new class of systems known as cyber-physical systems, many of which are in the critical infrastructure sectors including energy, transportation, defense, manufacturing, and information and communications.

To address this reality in the 21st century, the one-dimensional protection strategy focused solely on perimeter-based defenses must be transitioned to a new multidimensional, defense-in-depth protection strategy that includes three, mutually supportive and reinforcing concepts: (1) penetration resistant architectures; (2) damage limiting operations; and (3) system designs that support cyber resiliency and survivability. This strategy, as described in the NIST SP 800-160 systems security engineering series, recognizes that despite the best protection measures implemented by organizations, the APT may find ways to breach those primary boundary defenses and deploy malicious code within organizational systems. When this situation occurs, organizations must have access to additional safeguards and countermeasures to confuse, deceive, mislead, and impede the adversary—that is, taking away the adversary’s tactical advantage and protecting and preserving the organization’s critical programs and high value assets.

A promising concept that can support a multidimensional protection strategy is Zero Trust Architectures. In accordance with NIST SP 800-207, zero trust is the term for an evolving set of cybersecurity paradigms that change the focus on cyber defenses from static, network-based perimeters to establishing trust among users, assets, and resources. A zero trust architecture uses zero trust principles to plan enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location. Authentication and authorization (both user and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users and cloud-based assets that are not located within an enterprise-owned network boundary. This shifts the focus to protecting resources, not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
 

Related Topics

Security and Privacy: risk management, systems security engineering, zero trust

Created April 21, 2020, Updated June 22, 2020