Maryland unveils statewide zero-trust cybersecurity policy
Maryland’s technology department on Tuesday unveiled new statewide cybersecurity and privacy policies that shift the state away from its “trust but verify” model, in favor of a zero-trust framework.
According to a press release from the Maryland Department of Information Technology, state agencies will be required to adopt the new policies and zero-trust framework within the next 18 months, a change that will make it “exponentially harder for bad actors to move from one IT system to another, which will ensure the state is less vulnerable to cybersecurity incidents.”
A shift to zero-trust rides industry currents in the private and public sectors, each of which has increasingly adopted zero-trust models in its organizations. The cybersecurity firm Zscaler last year published a survey of 600 information technology professionals showing that 81% were planning to implement zero-trust models within the next 12 months. VPNs, the survey showed, were not believed to be a sufficient security measure, because they can allow attackers to move laterally within networks after gaining entry.
The new policies note that the “trust but verify” paradigm was particularly fraught in relation to “high value state systems,” which users will now be able to access only after continuous identity validation: “[Zero-trust access] is based on the principle that no device, user, or asset should be trusted solely based on its location within a network. The framework requires all users, whether inside or outside the organization’s network, to be continuously authenticated, authorized, and validated before being granted access to applications and data.”
Maryland Chief Information Officer Katie Savage said in the release that the new policies were created in response to cybersecurity threats that are “only getting more and more advanced. Our State needed a simple, unified approach to ensure our systems, services, and data are fully protected in this modern environment.”
Beyond enforcing uniform adoption of zero-trust, the new policies are also designed to provide “clearer, more consistent guidance” across the state’s executive branch, according to the state’s website. Reinforcing the need for uniform adoption, James Saunders, Maryland’s chief information security officer, dusts off an old chestnut in the press release, noting that “cybersecurity is a team sport,” requiring the participation of all state employees who’ll soon be held to the new policies.