Sep 13 2021

Zero Trust Is No Longer Optional for Agencies. Now What?

IT leaders are now mandated to adopt zero-trust architectures. Here are a few factors to consider on the road to making that a practical reality.

President Joe Biden’s May 12 executive order on cybersecurity put federal networks squarely at the center of efforts to bolster U.S. IT security defenses. For agencies in which IT decision-makers viewed security initiatives such as zero trust as something to tackle later, things got real.

Of course, that reality only continues to crystallize amid the ongoing, high-profile cyberattacks on crucial U.S. interests — the impetus for the order’s release. These attacks could serve as a harbinger of what’s to come, and federal agencies must prepare accordingly.

Zero-trust architectures are not new, but the model has gained momentum as traditional network perimeters have disappeared into the infrastructure and users have dispersed. As a result of the coronavirus pandemic, last year the number of users with unprotected devices running on inadequately secured home networks — and with largely unfettered access to agency networks — escalated dramatically and virtually overnight.

Malicious actors have capitalized accordingly. The number of records exposed in public sector breaches roughly doubled last year. Ransomware rose sevenfold in the second half of 2020 after the government workforce pivoted to remote access in response to the pandemic.

While many agencies used multifactor authentication and VPN connections to validate user access and provide secure connections, they lacked the capacity to examine encrypted network traffic consistently and efficiently, a gap that heightened their risk.

Zero trust changes a fundamental assumption about network access. Instead of assuming that any user or device with network access should be trusted by default, it assumes that any network, user, application or device is potentially compromised. Zero trust operates on the principle of least privilege, bestowing the lowest level of access necessary to accomplish the task at hand. For instance, if a user only needs to read data, why give privileges to write content or delete files? Even after trust is established and access is granted, that trust is provisional and should be continually re-evaluated.

To combat dynamic and continuously morphing threats, federal networks require zero-trust architectures that expand beyond the traditional parameters of cybersecurity and incorporate dynamic defenses and continuous monitoring.

“Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors,” a White House fact sheet on the order states. “The federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.”

We Have the Elements Needed to Undertake Zero Trust

Zero-trust access hinges on three fundamental and straightforward tenets: Verify every user, validate every device, and provide access as needed and according to credentialed requirements.

It seems simple, but it means shifting away from long-established security practices, such as perimeter defense, assumed trust inside the perimeter and static access management.

In practice, it involves a multifaceted ecosystem. The technical pieces include capabilities that provide visibility into network assets, microsegmentation, strong authentication and adaptive endpoint security. However, it can be more challenging to shift culture and thinking, achieve strategic buy-in from agency management and Congress, and close the workforce and skills gaps. Elements involving policy and governance, including the adoption of specific frameworks and sustained attention and adherence to evolving guidance, are key.

Whether you're an IT manager or a rank-and-file employee, you might be wondering what’s next. Here are a few key considerations as you move to the zero-trust model.


Education: It’s critical to understand foundational definitions. The zero-trust model evaluates trust on a per-transaction basis. Trust is always subject to verification; access is only given to specific resources, and it can be revoked at any time if user behavior changes. Zero-trust access hinges on always knowing and controlling exactly what users, devices and other elements are on your network, what they’re doing, what their role is and what network access rights that role entitles them to. Zero-trust network access is a method of controlling access to specific applications, which is especially important for remote workers who must access specific applications to do their jobs.

Overall, zero trust enables users to have immediate access to the resources they need to do their jobs, while also eliminating the risks of unauthorized access. The concept doesn’t imply users are not trustworthy; instead, it recognizes that trust should be dynamic and bestowed as needed. It’s essential for IT leaders to communicate the concept and the strategy, to explain what needs to change and why, and to demonstrate how the changes will benefit the organization. 
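The per-transaction, least-privilege model described above and in the earlier paragraph on provisional trust can be made concrete as a small policy decision function. The following is an added illustration, not code from the article or from any agency's deployment: the role table, the device posture flag, the user and device names, and the `evaluate` and `run_demo` functions are all constructed for this example. Each request is judged on its own merits (identity verified, device compliant, device unchanged, action within the role's permissions), and a failed posture check withdraws the session's trust rather than just denying one request.

```python
"""Per-request zero-trust policy evaluation (added illustration, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Least privilege: each role is granted only the actions its task requires.
# Constructed role table; a real deployment would pull this from the agency's policy store.
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


@dataclass
class Request:
    """One access request. Every field is re-asserted on every request, never cached."""
    user: str
    role: str
    mfa_verified: bool      # identity verified for this transaction
    device_id: str
    device_compliant: bool  # posture check result (patched, encrypted, managed): constructed
    action: str
    resource: str


@dataclass
class Session:
    """Provisional trust: a session binds a user to one device and can be revoked at any time."""
    user: str
    device_id: str
    revoked: bool = False
    history: list = field(default_factory=list)

    def revoke(self, reason: str) -> None:
        self.revoked = True
        self.history.append(f"revoked: {reason}")


def evaluate(req: Request, session: Session) -> tuple[bool, str]:
    """Policy decision for a single transaction.

    Order matters: revocation, identity and device checks come before the role check, so a
    user with a valid role but a changed or non-compliant device is still denied.
    """
    if session.revoked:
        return False, "session already revoked"
    if req.user != session.user or not req.mfa_verified:
        return False, "user not verified for this transaction"
    if not req.device_compliant:
        # Posture change mid-session: trust is withdrawn, not just this one request.
        session.revoke(f"device {req.device_id} failed posture check")
        return False, "device non-compliant; session revoked"
    if req.device_id != session.device_id:
        session.revoke(f"request from unexpected device {req.device_id}")
        return False, "device mismatch; session revoked"
    permitted = ROLE_PERMISSIONS.get(req.role, set())
    if req.action not in permitted:
        return False, f"role '{req.role}' is not permitted to {req.action} {req.resource}"
    session.history.append(f"{req.action} {req.resource} granted")
    return True, "granted"


def run_demo() -> list[tuple[bool, str]]:
    """Constructed sequence: a verified analyst on a compliant laptop, then a posture change."""
    session = Session(user="jdoe", device_id="laptop-17")
    base = dict(user="jdoe", role="analyst", mfa_verified=True, device_id="laptop-17",
                device_compliant=True, resource="case-files")
    steps = [
        Request(**base, action="read"),    # least privilege: reading is the analyst's job
        Request(**base, action="delete"),  # same user and device, but not needed for the task
        Request(**{**base, "device_compliant": False}, action="read"),  # posture degrades
        Request(**base, action="read"),    # compliant again, but trust was already revoked
    ]
    return [evaluate(r, session) for r in steps]


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The point of the sequence in `run_demo` is the last step: once the device has failed a posture check, a later request that would otherwise pass every check is still denied, because trust was provisional and has been withdrawn. Re-establishing it would require a fresh verification of user and device, which is exactly the continual re-evaluation the model calls for.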

Implementation: Every agency must tailor its zero-trust strategy to its specific needs and missions. An agency with a fully remote workforce will have a different plan than one that never left the office or that is phasing back into in-person operations. Formulating your specific zero-trust plan requires sharing information to help build the context and establish the baselines of users, devices and networks. Without full participation and buy-in, implementation will be an uphill battle.

Augmentation: A number of tools can help maximize zero trust. They range from models like secure access service edge to platforms that provide granular network visibility, robotic process automation, artificial intelligence, and many ways to achieve multifactor authentication or analyze user behavior. Multiple solutions and tools have the potential to strengthen your zero-trust architecture. While having a wide range of options is good, it can also complicate the task of formulating a coherent and effective approach. To figure out what’s best for your organization, start by understanding and assessing your priorities, whether it’s the multitude of new devices to secure or the need to maximize efficiency, productivity or user experience. From there, decision-makers can prioritize evaluating, selecting and implementing the tools that maximize their IT security.

The federal government was a pioneer in zero trust, adopting some of its core precepts long before it became an operational framework. This means government leaders have both the vision and the demonstrated need to adopt zero trust — a need amplified by continued remote work as well as the development and deployment of AI, machine learning and cloud-native technologies.

The fundamentals for zero-trust access exist. The time to move forward on implementation is now.

