We Have the Elements Needed to Undertake Zero Trust
Zero-trust access hinges on three fundamental and straightforward tenets: Verify every user, validate every device, and provide access as needed and according to credentialed requirements.
It seems simple, but it means shifting away from long-established security practices, such as perimeter defense, assumed trust inside the perimeter and static access management.
In practice, it involves a multifaceted ecosystem. The technical pieces include capabilities that provide visibility into network assets, microsegmentation, strong authentication and adaptive endpoint security. The harder work is often non-technical: shifting culture and thinking, achieving strategic buy-in from agency management and Congress, and closing workforce and skills gaps. Policy and governance elements, including the adoption of specific frameworks and sustained attention and adherence to evolving guidance, are key.
Whether you're an IT manager or a rank-and-file employee, you might be wondering what’s next. Here are a few key considerations as you move to the zero-trust model.
Education: It’s critical to understand foundational definitions. The zero-trust model evaluates trust on a per-transaction basis. Trust is always subject to verification; access is only given to specific resources, and it can be revoked at any time if user behavior changes. Zero-trust access hinges on always knowing and controlling exactly what users, devices and other elements are on your network, what they’re doing, what their role is and what network access rights that role entitles them to. Zero-trust network access is a method of controlling access to specific applications, which is especially important for remote workers who must access specific applications to do their jobs.
Overall, zero trust enables users to have immediate access to the resources they need to do their jobs, while also eliminating the risks of unauthorized access. The concept doesn’t imply users are not trustworthy; instead, it recognizes that trust should be dynamic and bestowed as needed. It’s essential for IT leaders to communicate the concept and the strategy, to explain what needs to change and why, and to demonstrate how the changes will benefit the organization.
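As an added illustration (not code from the original article), the per-transaction evaluation described above can be expressed as a small policy decision function: each request is checked against the three tenets (verify the user, validate the device, grant only the access the role entitles) and is denied outright when a behavior-risk signal crosses a threshold. The role table, device inventory, threshold and risk score are constructed sample values, not any agency's actual policy.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical): which actions each role may take on each resource.
ROLE_ENTITLEMENTS = {
    "analyst": {"case-tracker": {"read"}, "reports": {"read"}},
    "admin": {"case-tracker": {"read", "write"}, "reports": {"read", "write"}},
}
# Constructed sample device inventory: posture facts an endpoint agent would report.
KNOWN_DEVICES = {
    "laptop-17": {"managed": True, "patched": True},
    "tablet-03": {"managed": True, "patched": False},
}
# Risk score above which trust is revoked, even for an otherwise valid request (assumed value).
RISK_REVOKE_THRESHOLD = 70

@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool   # strong authentication completed for this transaction
    device_id: str
    resource: str
    action: str
    risk_score: int      # from user-behavior analytics: 0 (normal) .. 100 (anomalous)

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate a single transaction; no trust is carried over from earlier decisions."""
    # Tenet 1: verify every user.
    if not req.mfa_verified:
        return False, "user not verified with MFA"
    # Tenet 2: validate every device (must be known, managed and patched).
    dev = KNOWN_DEVICES.get(req.device_id)
    if dev is None or not (dev["managed"] and dev["patched"]):
        return False, f"device {req.device_id} failed posture check"
    # Trust is revocable: anomalous behavior denies access regardless of role.
    if req.risk_score >= RISK_REVOKE_THRESHOLD:
        return False, "access revoked: behavior risk above threshold"
    # Tenet 3: access only to the specific resource and action the role entitles.
    allowed = ROLE_ENTITLEMENTS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, f"role {req.role} not entitled to {req.action} on {req.resource}"
    return True, "allowed"

if __name__ == "__main__":
    print(decide(Request("alice", "analyst", True, "laptop-17", "reports", "read", 5)))
    print(decide(Request("alice", "analyst", True, "laptop-17", "reports", "read", 85)))
```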
Implementation: Every agency must tailor its zero-trust strategy to its specific needs and missions. An agency with a fully remote workforce will have a different plan than one that never left the office or that is phasing back into in-person operations. Formulating your specific zero-trust plan requires sharing information to help build the context and establish the baselines of users, devices and networks. Without full participation and buy-in, implementation will be an uphill battle.
Augmentation: A number of tools can help strengthen zero trust. They range from models like secure access service edge to platforms that provide granular network visibility, robotic process automation, artificial intelligence, and many ways to achieve multifactor authentication or analyze user behavior. Multiple solutions and tools have the potential to strengthen your zero-trust architecture. While having a wide range of options is good, it can also complicate the task of formulating a coherent and effective approach. To figure out what’s best for your organization, start by understanding and assessing your priorities, whether that is the multitude of new devices to secure or the need to maximize efficiency, productivity or user experience. From there, decision-makers can prioritize evaluating, selecting and implementing the tools that most improve their IT security.
The federal government was a pioneer in zero trust, adopting some of its core precepts long before it became an operational framework. This means government leaders have both the vision and the demonstrated need to adopt zero trust — a need amplified by continued remote work as well as the development and deployment of AI, machine learning and cloud-native technologies.
The fundamentals for zero-trust access exist. The time to move forward on implementation is now.