Michael FriedrichJanuary 27, 2022
C2C and Zero Trust Security: The Ghosts Are Here and Zero Trust Is the Ghostbuster
Within federal government cybersecurity initiatives, Comply-to-Connect (C2C) has been a Department of Defense (DoD) directive for several years. But is C2C really a dynamic Zero Trust security principle … or just a component thereof?
2021 is going to be a year to remember with breaches, malware infections and outright cyber piracy of ransomware attacks reaching epic levels. You could almost close your eyes and see ghosts terrorizing the citizens of NYC like it was 1984 all over again. While this isn’t the movies and fictional ghostbusters aren’t on hand to save us, today’s cyberthreats are like the Stay Puft Marshmallow Man and Gozar the Gozarian bent on destroying everything in their path. And one could argue that Zero Trust security principles are the proton packs and ghost traps of the modern cybersecurity era.
In all seriousness, Zero Trust security is an evolution of legacy technologies and processes including now-obsolete VPNs (that we’ve repeatedly called for the death of), service-oriented architecture (SOA) and Identity, Credential and Access Management (ICAM) that in government circles, we add an F for Federal to make it FICAM. And then there's the DoD's C2C initiative, which we're focusing on for this discussion.
Is C2C really dynamic Zero Trust security?
Comply-to-Connect (C2C) has been a Department of Defense (DoD) directive for several years now. It was introduced to restrict unauthorized device access and verify and enforce that patches and hardened configuration are applied and updated continually before devices connect. But is that REALLY dynamic Zero Trust security? Or just a component thereof?
Frankly, devices are just one part of the larger equation. In a true Zero Trust architecture, the C2C could or would be leveraged in the initial access connection request (I.e., validation of a properly updated device) or as ongoing entitlement request to ensure access is still proper.
While C2C is part of Zero Trust architecture, Zero Trust security is made up of many technologies and processes. It’s not something you can buy and no single cybersecurity vendor in the federal or enterprise space can truthfully claim they have the ultimate solution. As I said in a Zero Trust Thirty podcast episode, Zero Trust starts with identity management. Without it, nothing else will happen, including C2C. If you don’t know where the users are, what devices they are using, their current state, etc., then how do you assign the proper level of trust?
Dynamic Zero Trust access is the goal and we need to keep this focus even as many new ways/use cases to leverage Zero Trust security emerge. To my federal agency colleagues, as you follow Zero Trust Executive Order and CISA mandates, I encourage you to ask hard questions of your vendors, test assumptions and make sure your use cases and technology choices can be integrated to make Zero Trust security the “threat buster” of today and tomorrow.
For more on how our Appgate Federal Division is leading the way, please visit www.appgate.com/federal-division.
Additional resources:
Blog: Appgate and Rackspace Government Cloud Deliver FedRAMP-Approved Solution
Blog: Federal agencies: make a secure and scalable move to cloud with Zero Trust
Blog: Federal March To Zero Trust Security: CISA'S Guidance Focuses on Four Pillars
Infographic: 2021 Zero Trust Market Dynamics study
Webinar: Zero Trust for Critical Infrastructure
Share