Dec 14 2021

2022 Tech Trends: How to Tackle Zero Trust in a Government Environment

Zero trust offers a way to significantly reduce security risks, and agencies are planning methods to deploy the new architecture.

Zero-trust cybersecurity is on the rise — and with good reason. By adopting a “trust, but verify” strategy, organizations gain greater control over visibility and access across their networks, in turn reducing total risk.

Federal agencies, newly required to institute the practice, are following suit. The Biden Administration’s executive order on cybersecurity specifically calls out “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”

As part of its move toward security modernization, the federal government is looking to adopt security best practices that have proved effective in other sectors, including the shift to zero-trust architecture. But what does this mean in practice, and what can federal agencies expect for zero-trust frameworks in 2022?

Those frameworks won’t be implemented immediately; the Office of Management and Budget is aiming for 2024. But OMB has targeted five key areas for improvement, including user identity, device management, network monitoring, application security and data control.

Zero Trust May Create a Huge Boost for Security Effectiveness

What exactly does zero trust mean at a federal government level? The concept itself is simple: Any traffic on a network — whether internal or external — is considered untrustworthy until it’s been verified and users have been authenticated. Implemented effectively, zero trust is expected to boost security efficacy by more than 144 percent, according to one report.

In practice, the shift to zero trust is complicated by two factors: Federal agencies are now dealing with massive data volumes from a growing variety of sources. At the same time, the White House has directed agencies to support the continuation of hybrid work policies where possible.

The result is a traffic-heavy network environment that requires agile and adaptable tools capable of detecting and verifying traffic from any source. It also demands the deployment of solutions that let government IT teams quickly identify problem areas and take necessary action.

So, what’s on the horizon for zero trust in the federal government?

First up is the recognition that zero trust doesn’t exist in isolation. “You need to come up with new cyber response playbooks, and you need to start looking at endpoint detection,” says Christopher Copeland, CTO for Accenture Federal Services.

“You’re going to touch everything, from your physical devices to your network to your infrastructure, your data, your applications, and your authentication and access controls,” he adds.

The result is an adoption framework that doesn’t just depend on best-of-breed technologies, but also benefits significantly from the assistance of experienced partners who can help federal organizations pinpoint ideal starting points for zero-trust solutions.

So Many Cyber Policies, So Little Time

Next up is cultural impact. According to Marlin McFate, public sector CTO of Riverbed Technology, the sheer number of policy and process inspection points across federal networks means that in the near term, agencies “will only succeed in implementing portions of zero trust.”

As a result, cultural uptake becomes critical. If staff aren’t on the same page as executives when it comes to the deployment and use of zero-trust solutions across the agency, it becomes increasingly difficult to ensure operational momentum.

McFate notes that while complex federal government networks have always faced deficiencies in application collaboration and adoption that introduced security risk, “there weren’t enough compelling events to push us over into something new.”

The perfect storm of evolving attack vectors and pandemic pressures, however, offered the impetus for fundamental change.

But embracing the benefits of zero trust doesn’t happen automatically. To ensure agencies are heading in the right direction, four components are critical:

  • Tactical implementation: When it comes to zero trust, Copeland says, “you need to understand what it is and what it isn’t. You need to understand how the model should be incorporated and have a frank understanding of where the maturity of your agency or department is in the zero-trust mindset.” Armed with this information, agencies can develop a tactical approach to zero-trust implementation by targeting high-risk access points or services.
  • Data-centric protection: Kyle Michl, chief innovation officer for Accenture Federal Services, notes that with zero trust, “your cybersecurity is now data-centric. What are the things you want to tackle first, and what has the biggest impact?” He makes it clear that this type of protection isn’t one-and-done; instead, it’s a journey. “This is not happening in six months,” he says. “This is a transformation journey.”
  • Work-from-anywhere access: Copeland points to the emergence of technology frameworks such as Cloud 3.0, which enables staff to work anytime, anywhere. And with federal agencies leveraging more multicloud, multiregion solutions, it’s critical to address the need for zero-trust operations across highly distributed and differentiated endpoints.
  • Services at the edge: “Things like 5G computing at the edge, analytics at the edge and AI at the edge are going to take center stage,” says Copeland. This creates an opening for solutions that underpin larger zero-trust efforts, such as secure access service edge initiatives, which provide federal agencies both the visibility and agility required to address potential security challenges.

Citizens and staff now expect the same level of responsiveness and accessibility from federal frameworks that they see across consumer-facing services. But with increased ease of use comes increased security risk. Zero-trust solutions that let agencies actively protect key data will be crucial.

“I remember when we were just worried about distributed denial of service attacks,” says Copeland. “But the exponential velocity at which cyberthreats are occurring — along with the scale and impact they have — means they’re only going to get more impactful if not addressed.”

ILLUSTRATION BY RYAN OLBRYSH
