Nov 12 2020

What Does It Mean to Start Deploying Zero Trust?

The move to a zero-trust architecture is as much a philosophical shift as a technology deployment.

In the world of federal cybersecurity, the idea of a zero-trust architecture for security is among the hottest topics of conversation.

As a recent roundtable discussion with federal IT officials and analysts in FedTech made clear, there are a lot of opinions about zero trust. However, on the civilian side of government, there is more aspiration than deployment of a zero-trust architecture.

But it raises the question, what is zero trust? And once your agency has decided it wants to go down the road to a zero-trust security model, how do you practically go about doing so?

Zero trust is more of a mindset than a set of technologies, though there are obviously technological elements that need to be in place. IT leaders should not think of zero trust as a checklist of security technologies they need to purchase and implement. That is especially true given that no agency has unlimited financial and personnel resources.

Rather, zero trust requires agencies to think about security in a new way — to continuously verify every user and every device before granting access to a network or an asset. IT leaders seriously think through where they put up gates for users to go through and how often they challenge users to verify themselves. All of the choices about which technologies to deploy and where will vary agency by agency. That’s why it’s important to understand the basic building blocks of zero trust.

The Fundamental Elements of Zero Trust

The first step for IT security leaders who want to adopt a zero-trust architecture is to conduct an assessment of their security environment. They need to determine where there may be gaps and how they want to evolve their security approach. They also should consider which solutions will give them the most bang for their buck.

A solid place to start with zero trust is identity, credential and access management solutions. Since zero trust revolves around identifying who users are and assessing the riskiness in giving them access, ICAM is foundational. Without a robust mechanism to adjudicate someone’s identity, there is no point in challenging them when they request access.

From there, a key step is not technology-related, but policy-focused. Agencies need to use the principle of least-privilege access to give users access to only what they need to do their jobs. However, IT leaders need to define through policy which users get access to specific networks and resources.

There are a multitude of different technologies that can be called zero-trust products, and security vendors are busy promoting them as such. They range from network access control solutions to database management and protection tools, software-defined networking and microsegmentation solutions, trust algorithms to determine a user’s risk score and more.

The challenge is then to start stitching these solutions together. Most solutions that serve as identity stores for agencies — whether Active Directory from Microsoft or a solution from Centrify or another vendor — are compatible with these solutions. Essentially, something like an SDN solution can interface with an identity solution in a standard way to verify a user’s identity. The solutions such as network access control are the gates, and the identity store is what holds all of the keys.

Agencies also need to put in place behavioral monitoring tools to help verify a user’s identity. Those include looking at where a user is logging in from, the time of day, whether they are logging in from multiple locations, and more. And, multifactor authentication is a must in a zero-trust environment.

LEARN MORE: Explore which zero-trust solutions are right for your agency.

The Challenges in Deploying Zero Trust

Multiple security vendors can claim that their solutions are elements of a zero-trust architecture. The key challenge for IT security leaders in government is to not approach a shift to zero trust as a checklist, in which every solution presented to them needs to be a part of their environment.

It all depends on what the agency is doing and how it wants to approach security. Fundamentally, zero trust requires agencies to verify every user and make sure the right users are accessing what they are supposed to. How that is achieved is up to the IT decision-makers.

Of course, there are technical challenges in knitting together ICAM tools with network defense solutions. Those can be dealt with internally or with trusted partners. The key is to remember that zero trust is a mindset shift. So, don’t get too myopic on the technology.

Another key challenge is the end-user experience. More gates mean more time needed for users to go through them. No one likes keying in one-time passwords all the time.

However, IT leaders need to have a deep understanding of their agency’s users. Can they demand that users put in place a new tokenized password every time they want to access a certain network or database? Or can they afford to be more lenient? If users access a resource twice within 10 minutes, will they be prompted to authenticate themselves? These are the kinds of questions that need to be dealt with as much as any technology deployment.

The move to zero trust is a journey, not a destination. The landscape is evolving, but it is possible to get started on the path to a more secure IT environment.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.

CapITal blog logo

gorodenkoff/Getty Images