Apr 18 2022

5 Questions to Ask as You Plan Your Zero-Trust Journey

Agencies can reach the right cybersecurity destination by following these guidelines.

Zero trust is essential for advancing cybersecurity. It’s vital that everyone with responsibilities involving federal technology understand the basics of zero trust, whether or not they work directly in cybersecurity, because it’s going to affect how they do their jobs.

All federal agencies will transition to a zero-trust architecture in the next few years, and top officials are making sure they’re following the same path to that goal. This is evident from the release of Executive Order 14028, Improving the Nation’s Cybersecurity, in May 2021, along with the launch of the White House’s zero-trust cybersecurity website and many other federal efforts already underway.

The concept of zero trust is complicated and relatively new, so it’s difficult to define and explain to neophytes. This article answers some of the most common questions that you may be asking — or that others may be asking you — about zero trust. 

1. Is Zero Trust a Technology I Can Buy Out of the Box?

It’s not a technology; it’s a principle. Twenty years ago, the security principle everyone was talking about was “defense in depth.” And while defense in depth was buzzed about back then, there was substance behind it.

The same is true today for zero trust: It’s substance, not hype. And it’s likely to be with us for many years to come, just as defense in depth still is.

The principle of zero trust is often summarized as “trust, but verify.” While that’s true, it oversimplifies the concept. For example, authenticating a user’s identity only through a password is a form of verification, but a weak one. You can’t be confident that an attacker didn’t guess or steal that password and use it. On the other hand, rigorously verifying absolutely everything all the time means bringing work to a near-standstill.

Zero trust is really “trust, but verify in a risk-based manner.” That is, an agency can decide how rigorously to verify identities, the integrity of software and hardware, and other facets of trust based on possible threats and vulnerabilities and their likelihood and potential impact.


2. How Expensive Is It to Implement Zero Trust?

Implementing zero trust requires substantial one-time and ongoing expenditures, but the hope is that the spending will reduce other costs by helping to prevent data breaches and other incidents.

Zero trust involves the entire technology stack, from physical hardware and networks to applications and users. Neglecting any layer of the stack in your zero-trust implementation will make that layer the new weak link for attackers to target.

Going to zero trust isn’t something you can do all at once. It requires a transition over time; in most cases, that can be years. That makes the expense a little easier to handle, but it still may be a major strain. To help with this, make sure that zero-trust support is a consideration not only in your future technology procurements, but also in your internal technology projects.

3. How Much Retraining Will My Workers Need?

Security professionals will need additional training to understand the concepts, details and implications of zero trust, and how everything must work together to achieve it. Some security professionals may need training in particular types of technologies often used in zero-trust implementations, such as secure access service edge (SASE) solutions. Networking professionals may need similar training, as zero trust may require network architecture changes.

System administrators, technical support staff and others with security administration or support duties will also need training, mainly on basic zero-trust concepts and on any changes to the tools they use or the way they will do their jobs. Other technology and information workers may need additional training, but only on the specific tools, systems or other resources they are responsible for.

End users will also need some retraining, but much of this can be done in small pieces as necessary, such as teaching them how to use multifactor authentication instead of just a password, or how to use a SASE solution instead of a VPN for remote work. Sometimes the new way will even be easier than the old way.


4. Will Zero Trust Integrate with Existing or Legacy Technology?

For the most part, yes. For example, many operating systems already support the identification, authentication and authorization/access control features needed for zero trust. Much of your existing technology may already support zero trust, although your agency might not yet be using those features.

Legacy technology is less likely to be able to support zero trust directly, but that doesn’t necessarily mean you should plan to phase it out just for the sake of zero trust. In fact, you may find that you can use zero-trust concepts to provide stronger security for your legacy systems and software. For example, an agency can keep legacy resources strictly isolated from all others except when access is absolutely necessary and it can establish sufficient confidence in the identity and integrity of the user, device, service or other resource seeking access.

5. How Can I Add Zero Trust to an Ongoing Cybersecurity Upgrade?

Zero trust depends heavily on knowing what your digital resources are, including accounts, devices, data, systems, software, hardware and services, and on having reliable mechanisms for verifying their identities and integrity. In any planned cybersecurity upgrade, pay particular attention to implementing strong authentication and the principle of least privilege. They will advance you along your zero-trust journey, and they’re sound practices to follow regardless of whether you’re pursuing zero trust.

Also look for opportunities to replace older generations of cybersecurity solutions with newer ones. An example is replacing legacy VPN solutions with more flexible solutions that better support zero trust, such as SASE.

Every journey begins with a single step. Take your first step today.
