Sep 02 2020

Modernize Security with Zero Trust and Controlled Access Anywhere

A zero-trust security architecture makes increasing sense in a world of remote work.

Amid cloud migration and modernization efforts, the remote workforce surge and a continued uptick in sophisticated cyberattacks, federal agencies must keep their data and missions secure.

In the old way of doing business, IT teams focused on securing the network perimeter. There was a widespread belief that if the network could be secured, so could users’ access to the applications.

As we know, the world has changed dramatically. Users are more mobile and using both government-furnished equipment and personal devices. Applications are moving from our private data centers to the cloud.

The old model simply doesn’t work. Both defense and civilian agencies need a zero-trust architecture to deploy and scale cloud services in the telework age while maintaining the highest levels of security.

Risk Factors in a Remote Access Era

Nearly half of federal employees now work remotely, according to a July survey from Eagle Hill Consulting, and many anticipate some degree of telework in the future. This requires access to applications outside the traditional perimeter, often from personal devices.

While security is a top priority for all of us, we are never done. Adversaries continue to improve their strategies, and legacy security architectures are falling behind.

For example, adversaries use malware only 49 percent of the time, according to a 2019 report from CrowdStrike. This means that even with strong compliance and the best anti-malware products, organizations may stop only 49 percent of cyberattacks.

However, 51 percent of the time, adversaries use malware-free attacks through phishing or stolen credentials. Once attackers get in and start making lateral movement, they can take action on objectives within minutes or hours.

Agencies need the visibility to prevent and detect a threat in just one minute, investigate within 10 minutes and respond within 60 minutes — a standard made possible only by digital transformation.


Zero-Trust Architecture for Network Access Anywhere

Agencies need secure, scalable, cloud-based solutions that can accommodate the expanding mobile workforce.

In a zero-trust architecture, agencies can provide precise access to these cloud-based applications. Zero trust means an organization does not inherently trust any user. Trust must be continually assessed and granted in a granular fashion. This allows agencies to create policies that provide secure access for users on any device, in any location.

This is not a new idea for either civilian agencies or Defense Department organizations. Zero-trust momentum has been building.

The Jericho Project, for example, was an early model for zero trust. It proposed moving the security perimeter and developing a standard space approach to data access, and then controlling access to the data itself (not the underlying infrastructure).

In 2009, the Pentagon was looking at a model that provided encryption and application traffic segmentation, rather than traditional network segmentation. Segmentation has been a best practice for years, but zero-trust solutions give a deeper level of control.

Cloud and Endpoint Security for Protection, Detection and Remediation

Zero-trust architectures are based on three key components that every agency can integrate into their security environments.

First, agencies should have continuous real-time security posture attributes and response, which translates into some form of responsibility on the endpoint to assess its security posture. This provides agencies with real-time situational awareness, threat detection and response at scale across all enterprise and remote assets/users. Solutions can operate for extended periods, simplifying operations without the typical overhead of legacy solutions, such as VPNs. And those with application programming interface integration accelerate remediation as well.

The next component needed for a zero-trust architecture is strong identity and access management. Zero trust facilitates a dark network, or “inside-out” connectivity. This means that applications are invisible to unauthorized users.

For example, a user who is connecting from a government-furnished laptop, running a strong endpoint detection and response solution and authentication technology, can access a sensitive application. But an agency can restrict access for the same user if he is connecting from a personal device.

Finally, agencies must have secure network access and control. Again, the cyber philosophy is crucial: Don’t implicitly trust the network, don’t trust the device and don’t trust the users.

Given the remote environment, secure access to assets via the internet is vital. Legacy VPNs lead to increased latency and risk. Within a zero-trust architecture, users are never placed on the network but instead have direct-to-internet connections. This improves the user experience and reduces the attack surface.

Adaptive policy based on this trifecta enables intelligent decisions. Agencies can choose who, where, when and how a person can access any resource.
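The adaptive policy described above, as an added example that is not from the original article or any product: a default-deny decision function that combines identity, endpoint posture and per-application entitlement, and lists only the applications a requester may see. All names, sensitivity tiers, sample users and the posture freshness threshold are assumptions.

```python
from dataclasses import dataclass

# Every name, tier and threshold here is an assumption made for illustration.
POSTURE_MAX_AGE_S = 300  # older endpoint reports count as unknown posture

# Constructed sample data: app -> (sensitivity, entitled groups); user -> groups
APPS = {
    "hr-records": ("sensitive", {"hr"}),
    "timesheet": ("routine", {"hr", "staff"}),
}
GROUPS = {"alice": {"hr"}, "bob": {"staff"}}


@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool       # identity: strong authentication succeeded
    device_managed: bool   # government-furnished (True) or personal (False)
    edr_healthy: bool      # endpoint agent reports a healthy posture
    posture_age_s: int     # seconds since the endpoint last reported
    # Network location is deliberately not an input: the network is not trusted.


def decide(req, app):
    """Return (allowed, reason) for one application. Anything unmatched is denied."""
    if app not in APPS:
        return False, "unknown application"
    sensitivity, entitled = APPS[app]
    if not req.mfa_passed:
        return False, "identity not verified"
    if not GROUPS.get(req.user, set()) & entitled:
        return False, "not entitled"
    if sensitivity == "sensitive":
        if not req.device_managed:
            return False, "personal device"
        # Trust is re-assessed per request, so a stale report is not trusted.
        if not req.edr_healthy or req.posture_age_s > POSTURE_MAX_AGE_S:
            return False, "posture unhealthy or stale"
    return True, "ok"


def visible_apps(req):
    """Applications stay invisible unless the requester is allowed to reach them."""
    return sorted(app for app in APPS if decide(req, app)[0])
```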


Looking Ahead: A No-Implicit-Trust Network

Federal civilian agencies and the DOD should prioritize a zero-trust environment for digital transformation. Employees need a secure connection to any application, regardless of where that application lives, from any device, from any location.

Continuous, real-time security posture and response, identity and access management, and network security and access control are prerequisites to creating a safe environment where sensitive government data is protected.

Zero trust is not a solution you purchase — buyer beware; rather, it is a cybersecurity philosophy you apply to every aspect of your environment.

