Nov 04 2021

Create a Zero-Trust Environment Among Users as Well as on Your Network

Cybersecurity is as much a state of mind as it is technological protection.

Zero-trust environments, and guidance on how to create them, are becoming more common in the federal space as cyberattacks increase. 

In addition to a major publication on zero-trust architecture released by the National Institute of Standards and Technology in August 2020 explaining the components of zero trust, the National Security Agency issued information earlier this year that laid more groundwork for zero-trust implementation. 

Although the sheer amount of advice being offered may become overwhelming, zero trust is a relatively simple concept: Don’t trust anything coming into your network; verify everything before you admit it. 

Complicating matters is the ever-evolving cybersecurity environment. Hackers and other malicious actors want into your network, and they will find any way possible to breach security. Today’s firewall may not hold back tomorrow’s Fancy Bears. 


Zero Trust Is About More Than New Technology 

The path to containing hackers differs from agency to agency, depending on the existing infrastructure. Achieving that goal, and staying up to date once it’s reached, takes some work.

President Joe Biden’s executive order on cybersecurity, issued in May, includes zero trust as one of the four pillars agencies must use to build a solid security foundation. The others are multifactor authentication; identity and access management; and supply chain and Internet of Things security.

While the EO targets federal agencies, third-party vendors must also learn more about cybersecurity, given that their products can be unwitting vectors for malware. More important, sellers will have to learn to make the concept of zero trust simpler for buyers.

Many agencies still view zero trust as a new infrastructure built with a host of new technologies that they’ll have to buy. While new purchases may be necessary, the idea remains the same: Do I know that the email you sent me really is from you?


To build an environment in which the answer to that question is always yes, an agency must ask other questions. For example: Are we relying on a cloud environment? If so, is it hybrid or multicloud? Is it on-premises or off? Depending on the answers, an agency may be able to reach zero trust on its own.

If the environment is a complex or aging one, the agency may need external architects and engineers to help develop zero trust.

An outside set of eyes can help an agency see vulnerable spots it might have missed, places where a malicious actor could breach a system or upload a little ransomware. 

Cybersecurity User Training Is Key to Zero Trust Success 

Then comes the next important question: Are network users educated? Do they know what a fake email looks like? Do they know not to open unusual attachments? An agency can control all the technological measures it wants, and then a threat comes in attached to an email that a worker opens without thinking — and the attack has begun.

Most major breaches in 2021 were ransomware attacks launched through phishing, which agencies can avoid with education. Sometimes, the only clue an email is not legitimate is a sole incorrect letter in the email address or one misspelling in the body.
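The "sole incorrect letter" clue can also be checked by a mail filter before a user ever sees the message. The sketch below is an added example, not something from the original article: it flags sender domains that are exactly one edit away from a trusted domain, and the allow-list, function names and sample headers are all constructed for illustration.

```python
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed allow-list; a real deployment would load the agency's own domains.
TRUSTED_DOMAINS = {"agency.example", "payroll.example"}

def edit_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, adjacent swap) needed to turn a into b."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposed pair
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted domain being imitated or matched)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    for good in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, good) == 1:
            return ("lookalike", good)  # one letter off: hold for review
    return ("external", None)

# Constructed sample From headers, not taken from any real message.
SAMPLES = [
    "Payroll Office <notices@payroll.example>",
    "Payroll Office <notices@payrol1.example>",   # 'l' replaced by '1'
    "IT Help Desk <help@agnecy.example>",         # 'en' swapped to 'ne'
    "Vendor Sales <sales@vendor.example>",
    "no address here",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header), header)
```

This inspects only the visible From header; exact-domain spoofing is a separate problem that SPF, DKIM and DMARC results address.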

Zero trust, you see, is more than just adding technology — it’s education for the human elements of the network. The federal government seems to be a less popular ransomware target, possibly because of policies and procedures that protect classified information. Individual users are still the weak link, however. Today, federal employees have to examine every piece of email with suspicion and consider everyone a threat, and that’s a thought that they wouldn’t have had a few years ago.

Agencies rely on CTOs and CISOs to have the right appliances and software to protect the network, and to vet all the traffic coming in and out. But to be truly effective, the zero-trust environment must also exist in users’ minds.

