Agencies Have Incorporated Intricate Verification Methods
Agencies’ transition to zero trust has involved some education about what the concept involves — including that it’s more of a concept than a specific set of technologies, according to Matt Richbourg, a technology solutions adviser at CDW•G.
It is easy to get the impression that zero trust is a feature, but it’s better to think of it as a framework, Richbourg says. “You can’t just buy one item and another of these, and now you’re ready for zero trust,” he says. “Because it’s become a buzzword, it’s easy to get the wrong impression that if you just check a box, you’re good. It’s more of a long-term journey.”
Zero-trust architectures can, in fact, involve a variety of technological solutions and data storage techniques. Acting together, they can help thoroughly identify and assess users before access is granted. The tools can range from database management tools to algorithms that help determine a user’s risk score or track the movement of certain data elements to other parts of the network to secure them behind a firewall.
“One of our recommendations whenever anybody called about setting up an agency’s remote workforce was, at a minimum, to get some type of multifactor authentication,” Thamasett says. “It’s too easy to divert credentials these days, partially because of the way people will use the same credentials on a variety of different sources. As far as bad actors getting access to their network, servers and data, agencies would be able to achieve a much higher degree of confidence with that single step.”
One agency, for example, already had a Cisco firewall in place and was using an RSA infrastructure for a small remote access group. It decided to add Duo, Cisco’s two-factor authentication access security platform, as a second network remote access checkpoint. Duo offers authentication methods such as generating a code when a user enters a username or password.
Employees who try to access specific items meant for a limited audience would receive another prompt and need to use their RSA key fob to obtain a one-time password.
“They were able to parse out things by group to restrict access to various assets within the network and parse out people based on their roles within the agency,” Thamasett says. “They had the proper gates where they needed to be to do these identity checks and were able to log what was going on so they could then show their inspector general and security office they were still adhering to policy.”
Data Practices are the Key to Zero-Trust Realization
To achieve a positive zero-trust outcome, agencies need to have accurate employee data, along with tools that can successfully recognize users — and that will also be compatible with any servers, networks or other technology the organization is using.
Identity, credential and access management solutions, which allow organizations to manage, monitor and secure access to resources, are a cornerstone of the zero-trust model, according to Thamasett.
“Having a strong identity infrastructure is step one,” Thamasett says. “There have been some agencies that have replaced older technology with newer technology where they can basically query their identity infrastructure as a check. Before they get to an asset, if they VPN into a corporate network, they’re not allowed back out or are not allowed to take a particular route unless they’re authorized again or have a token or certificate.”
The pandemic — and the resulting need to safeguard against the security risks a sizable external workforce can present — may have served as a catalyst for agencies to begin using this type of zero-trust practice. Richbourg, however, doesn’t expect they’ll all return to relying on a physical checkpoint-based line of defense once employees are back in the office full time.
“Traditionally, the philosophy has always been that you build a perimeter around your environment, and once somebody gets inside the perimeter, they’re safe,” he says. “Zero trust is the idea that we should check everybody pretty regularly. There will always be people who’ll think, ‘This is what we do for remote access,’ but my hope is all these customers who have been doing a more zero-trust approach because of the pandemic will have seen the benefit and it will already be the routine.”