What to Consider in a Zero-Trust Implementation
It’s one thing to talk about a zero-trust model; it’s another to get there. As agencies begin implementing this approach, there are a few things to consider.
Agencies are making strong efforts to comply with new mandates as they are issued; however, they often stumble in achieving full compliance due to lack of funding. For agencies to effectively follow any mandates, there must be an avenue for adequate funding.
One source is the Technology Modernization Fund, created in 2017. It provides agencies with necessary funding for cybersecurity and IT modernization projects, as well as the technical expertise and training to ensure that projects are successful. Several of the 26 funded programs focus on cybersecurity, including zero-trust projects at the Department of Education, the Department of Labor and the General Services Administration.
With the funds set to be exhausted this fiscal year, it’s imperative that Congress allocate the administration’s requested $300 million in additional funding so agencies can continue their journey of transforming their legacy architectures to meet the security threats of both today and tomorrow.
Nurture a Zero-Trust Culture Among Employees
Personnel awareness is another critical component of maintaining a secure environment, and agencies must be certain that their employees are committed to supporting a zero-trust mindset.
Zero trust is a culture that must be nurtured until it becomes second nature. For instance, many drivers didn’t begin wearing seatbelts right away every time they got behind the wheel. It took time for this safety behavior to become a habit through constant reminders and education.
Zero trust should be regarded the same way. It needs to resonate through every decision within an organization, and it requires that leaders consistently remind and educate their personnel.
One way leadership can do this is by testing employees through internal phishing email awareness efforts and by requiring compliance and basic cybersecurity training to ensure that personnel meet standards.
Most government agencies’ IT networks have been built over many years with hardware and software from different providers. Knowing what’s going on in every part of the system is an extremely challenging task.
The journey to zero trust requires examining legacy technologies and aligning them with modern security measures. A successful zero-trust model should try to leverage an agency’s existing technologies. However, some tools and applications are just not fully securable, which underscores the importance of adequate funding for agencies, in this case to enable “rip and replace” where necessary.
Move to Dynamic Adaptability and Unified Observability
In support of a zero-trust mindset, agencies should also shift to practices that allow zero trust to be functional within their networks and support increased cybersecurity.
We no longer operate in a world where there is a finite list of potential threats to networks, and we cannot prepare for every type of attack. What matters is that a security posture has been built to support adaptive and dynamic reactions to threats as they appear.
The increase in endpoints across Internet of Things technology, data centers and personal devices continues to complicate monitoring all aspects of a network. Also, 85 percent of government organizations are accelerating their digital transformation efforts, including increasing Software as a Service and cloud adoption, according to Riverbed’s Hybrid Work Global Survey 2021. This means more endpoints and more complexity.
To dynamically adapt to any threat within any architecture, an agency needs to have complete visibility into what is happening on that network, endpoint, application or packet. Unified observability provides that level of comprehensive visibility, transforming the data collected into actionable insights.
Through culture shifts among personnel, reinforcement from leadership and unified observability, agencies can proactively stop attacks and use insights to learn from and defend against such threats in the future.
It’s important to keep in mind that this is an ongoing endeavor. Never forget that zero trust is a mindset that must be pursued and dynamically adjusted each and every day.