Understanding the Zero-Trust Mandate
In a nutshell, zero trust is a defense philosophy that assumes a network or system has already been breached by a malicious threat actor. With that in mind, the goal becomes containing the damage and preventing attackers from moving laterally throughout adjacent systems.
Two big drivers have accelerated support for zero trust: the coronavirus pandemic, which created a sudden shift to remote work on unsecured networks and hardware; and damaging national cyberattacks, such as the SolarWinds breach, which revealed just how devastating it can be when a threat actor gains access to IT systems via code that was (wrongly) assumed to be trustworthy.
On the heels of these developments, the administration’s cybersecurity executive order mandates that the federal government “advance toward Zero Trust Architecture” and accelerate its movement toward secure cloud services. In addition, the EO calls for agencies to “centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks” and invest in both technology and personnel to support these massive shifts.
Crucially, the EO directs the National Institute of Standards and Technology to support this transition, in partnership with companies in the private sector.
It’s important to note that no single vendor can sell a complete zero-trust solution. It’s not a single technology; it’s a framework, made up of interlocking technical and business architectures. An effective approach to zero trust is programmatic and organizational, incorporating technology, policy and culture. And for the federal government, it means working with many partners, public and private.
5 Keys to an Effective Zero-Trust Strategy for Federal Agencies
Zero trust may not come naturally to IT teams trained on decades of perimeter-oriented, defense-in-depth strategies that allow nearly unfettered access once a user is “inside.” However, its emphasis on dynamic access control, more robust attributes and identities, and categorizing assets by importance to the mission is a natural fit for government cybersecurity teams, who already think in these terms. To successfully transition to a zero-trust framework, agencies need to keep the following principles in mind:
It’s a culture shift. Zero trust requires a change of mindset, from defending the perimeter to safeguarding assets that matter most. In other words, you’re not trying to keep the barbarians out of the castle, you’re protecting the treasury from attackers who have already infiltrated your defenses and are posing as trusted members of the castle staff, roaming the grounds looking for unlocked doors.
Identify sensitive targets and legitimate users. To implement a zero trust strategy, you need to know where the most valuable data resides. You also need to identify which users need access, where they are (geographically and on the network), what they are trying to access and how they are accessing it. With this information, you can define risk thresholds and tolerances while informing your policy decisions and enforcement.
Define access parameters and roles. Once you know what the targets and users are, it’s time to define acceptable access in terms of parameters and roles. In a zero-trust strategy, you don’t just grant someone permanent superuser access because they’re a database administrator; you might instead create a role that limits access to just one database and allows only specified changes to be made, then assign that role to the database administrator just for the duration of the job.
Collect data and use it. You need data in order to make risk-based decisions and evolve your zero-trust parameters, roles and targets. To be effective, you’ll need to collect this data and draw conclusions from it with a minimum of latency. That can be a challenge, because zero-trust strategies tend to generate far more data than previous cybersecurity approaches, and all of that data is potentially valuable in making decisions.
Embrace automation and adaptive response. Because of the flood of data, security automation is essential. You need systems that can make adaptive responses to threats based on the risk parameters you’ve established. This allows you to balance user functionality (not overloading end users with endless multifactor logins, for instance) with the need for advanced security.
The Value of Public-Private Partnerships for Zero Trust
To meet the government’s requirements and achieve a true zero-trust posture by 2024, federal agencies will need to rely on innovative commercial technology and public-private partnerships to modernize their procedures and eliminate their reliance on legacy IT.
Fortunately, there are excellent models for public-private collaboration already. The Department of Homeland Security’s new Joint Cyber Defense Collaborative, the National Security Agency’s Cybersecurity Collaboration Center, and NIST’s extensive work with vendors are just a few recent examples.
These partnerships help customers harness the data that will assist them in their zero-trust journey by listening to what their data tells them from the standpoint of operations, security, automation and observability.
The administration recognizes the importance of such partnerships, and programs such as the Federal Risk and Authorization Management Program and Defense Department’s Impact Level 5 certification provide a path for rapid onboarding of cloud-based technology within a zero-trust framework.
The Time to Act on Zero Trust in Government Is Now
Adversaries only have to “win” once to cause catastrophic damage. On the other hand, agencies (and vendors) must get it right 100 percent of the time, and must work together in open dialogue to share feedback and constantly improve one another.
With the right partners, anything is possible: even a fundamental transformation to a zero-trust architecture by September 2024. Public-private and private-private partnerships will be critical to success. Automation and scale are the keys to making it achievable and easy on end users.
The administration is serious: This deadline is real. The time to get ready is now.