Jan 11 2021

Agencies’ Zero-Trust Efforts Are Connected to How They Store and Secure Data

With an increased number of remote endpoints, a number of agencies have shifted from perimeter security measures to a continuous monitoring and authentication mindset.

To quickly enable employees to work from home earlier this year when the coronavirus pandemic hit, federal agencies had to address new device and connectivity needs.

Some scaled up their VPN capabilities and purchased additional laptops — Dell is a frequent choice in the sector, according to Steve Thamasett, a CDW•G senior field solution architect. Without in-person access to a secure facility, numerous agencies also had to determine how to protect assets that were now being used remotely.

“When people were going to the office, whether you’d need to badge in or sign in, there was some process that happened before you even got to a computer,” Thamasett says. “There’s a lot of infrastructure between you and the internet. If you remove that asset and put it on a home network, for those agencies that are still just using a username and password to access assets, that’s going to lead to an uptick” in security risks, he says.

Those include an attacker compromising a user’s credentials to access an agency’s network, as well as traditional malware-based attacks.

In response, some have adopted a zero-trust approach to security — putting strict controls, frequent authentication checkpoints and monitoring in place to repeatedly verify users and devices before granting access to a network or asset.

“Pre-COVID, a lot of agencies had maybe 10 to 20 percent remote workers,” Thamasett says. “We saw a lot of activity back in March to assist agencies with helping to ramp up and secure their remote access strategies. They’re embracing zero trust; it has caused people to really take another view into their infrastructure and put gates in places they maybe wouldn’t have before.”

Agencies Have Incorporated Intricate Verification Methods

Agencies’ transition to zero trust has involved some education about what the concept involves — including that it’s more of a concept than a specific set of technologies, according to Matt Richbourg, a technology solutions adviser at CDW•G.

It is easy to get the impression that zero trust is a feature, but it’s better to think of it as a framework, Richbourg says. “You can’t just buy one item and another of these, and now you’re ready for zero trust,” he says. “Because it’s become a buzzword, it’s easy to get the wrong impression that if you just check a box, you’re good. It’s more of a long-term journey.”

Zero-trust architectures can, in fact, involve a variety of technological solutions and data storage techniques. Acting together, they can help thoroughly identify and assess users before access is granted. The tools can range from database management tools to algorithms that help determine a user’s risk score or track the movement of certain data elements to other parts of the network to secure them behind a firewall.

“One of our recommendations whenever anybody called about setting up an agency’s remote workforce was, at a minimum, to get some type of multifactor authentication,” Thamasett says. “It’s too easy to divert credentials these days, partially because of the way people will use the same credentials on a variety of different sources. As far as bad actors getting access to their network, servers and data, agencies would be able to achieve a much higher degree of confidence with that single step.”

One agency, for example, already had a Cisco firewall in place and was using an RSA infrastructure for a small remote access group. It decided to add Duo, Cisco’s two-factor authentication and access security platform, as a second checkpoint for remote network access. Duo offers authentication methods such as generating a code when you enter a username or password.

Employees who try to access specific items meant for a limited audience would receive another prompt and need to use their RSA key fob to obtain a one-time password.

“They were able to parse out things by group to restrict access to various assets within the network and parse out people based on their roles within the agency,” Thamasett says. “They had the proper gates where they needed to be to do these identity checks and were able to log what was going on so they could then show their inspector general and security office they were still adhering to policy.”

Data Practices Are the Key to Zero-Trust Realization

To achieve a positive zero-trust outcome, agencies need to have accurate employee data, along with tools that can successfully recognize users — and that will also be compatible with any servers, networks or other technology the organization is using.

Identity, credential and access management solutions, which allow organizations to manage, monitor and secure access to resources, are a cornerstone of the zero-trust model, according to Thamasett.

“Having a strong identity infrastructure is step one,” Thamasett says. “There have been some agencies that have replaced older technology with newer technology where they can basically query their identity infrastructure as a check. Before they get to an asset, if they VPN into a corporate network, they’re not allowed back out or are not allowed to take a particular route unless they’re authorized again or have a token or certificate.”

The pandemic — and the resulting need to safeguard against the security risks a sizable external workforce can present — may have served as a catalyst for agencies to begin using this type of zero-trust practice. Richbourg, however, doesn’t expect they’ll all return to relying on a physical checkpoint-based line of defense once employees are back in the office full time.

“Traditionally, the philosophy has always been that you build a perimeter around your environment, and once somebody gets inside the perimeter, they’re safe,” he says. “Zero trust is the idea that we should check everybody pretty regularly. There will always be people who’ll think, ‘This is what we do for remote access,’ but my hope is all these customers who have been doing a more zero-trust approach because of the pandemic will have seen the benefit and it will already be the routine.”
