Security

Zero Trust Isn’t Just a Goal, It’s a Mindset

Bringing employees on board with the concept is as critical as the technology.

Craig McCullough is senior vice president of public sector sales at Riverbed.

The term “zero trust” started as a buzzword, but today it’s regarded as a serious, valid cybersecurity tactic — so much so that the Biden administration issued an executive order last year requiring federal agencies to begin zero-trust adoption with steps outlined by the National Institute of Standards and Technology.

Zero-trust security is based on the idea that no device, application or individual user should be assumed to be trustworthy, and that every user and system trying to access any resource within a secure network environment should be tested and validated.

Agencies aspiring to reach a zero-trust architecture should implement a proactive stance to monitor, detect and respond to threats, ideally before they strike.

Zero trust is particularly important within the public sector, be that federal, state or local government, because of the tremendous responsibility to protect data.

As governments increasingly collaborate with private industry, using third-party technologies and relying on a workforce that is largely working remotely, it is more difficult than ever to ensure the security posture of all devices connected to a network.

Accordingly, zero trust today means adopting a “don’t trust, verify; don’t trust, reverify” approach, with constant monitoring, remediation and forensics, all while increasing the productivity of an organization’s users, applications and networks.

Last year’s executive order requires agencies to integrate zero-trust practices by the end of fiscal year 2024. Even with this date in mind, it is important to realize that zero trust is an aspiration rather than an end state.

No state of network security will ever stop actors from attempting to access government systems, which means that agencies will never fully achieve zero trust. Instead, they should focus on establishing metrics and milestones that consistently measure progress toward that posture.

To learn more about zero trust, click on the image and become an Insider.

What to Consider in a Zero-Trust Implementation

It’s great to talk about a zero-trust model, but it’s another thing to get there. As agencies begin implementing this approach, there are a few things to consider.

Agencies are making strong efforts to comply with new mandates as they are issued; however, they often stumble in achieving full compliance due to lack of funding. For agencies to effectively follow any mandates, there must be an avenue for adequate funding.

One source is the Technology Modernization Fund, created in 2017. It provides agencies with necessary funding for cybersecurity and IT modernization projects, as well as the technical expertise and training to ensure that projects are successful. Several of the 26 funded programs focus on cybersecurity, including zero-trust projects at the Department of Education, the Department of Labor and the General Services Administration.

With the funds set to be exhausted this fiscal year, it’s imperative that Congress allocate the administration’s requested $300 million in additional funding so agencies can continue their journey of transforming their legacy architectures to meet the security threats of both today and tomorrow.

LEARN MORE: How are federal CIOs thinking about the Technology Modernization Fund?

Nurture a Zero-Trust Culture Among Employees

Personnel awareness is another critical component of maintaining a secure environment, and agencies must be certain that their employees are committed to supporting a zero-trust mindset.

Zero trust is a culture that must be nurtured until it becomes second nature. For instance, many drivers didn’t begin wearing seatbelts right away every time they got behind the wheel. It took time for this safety behavior to become a habit through constant reminders and education.

Zero trust should be regarded the same way. It needs to resonate through every decision within an organization, and it requires that leaders consistently remind and educate their personnel.

One way leadership can do this is by testing employees through internal phishing email awareness efforts and requiring compliance and basic cybersecurity training to ensure personnel are meeting standards.

Most government agencies’ IT networks have been built over many years with hardware and software from different providers. Knowing what’s going on in every part of the system is an extremely challenging task.

The journey to zero trust requires examining legacy technologies and aligning them with modern security measures. A successful zero-trust model should try to leverage an agency’s existing technologies. However, some tools and applications are just not fully securable, which underscores the importance of adequate funding for agencies, in this case to enable “rip and replace” where necessary.

DIVE DEEPER: See how agencies are working to meet cybersecurity goals.

Move to Dynamic Adaptability and Unified Observability

In support of a zero-trust mindset, agencies should also shift to practices that allow zero trust to be functional within their networks and support increased cybersecurity.

We no longer operate in a world where there is a finite list of potential threats to networks, and we cannot prepare for every type of attack. What matters is that a security posture has been built to support adaptive and dynamic reactions to threats as they appear.

The increase in endpoints across Internet of Things technology, data centers and personal devices continues to complicate monitoring all aspects of a network. Also, 85 percent of government organizations are accelerating their digital transformation efforts, including increasing Software as a Service and cloud adoption, according to Riverbed’s Hybrid Work Global Survey 2021. This means more endpoints and more complexity.

To dynamically adapt to any threat within any architecture, an agency needs to have complete visibility into what is happening on that network, endpoint, application or packet. Unified observability provides that level of comprehensive visibility, transforming the data collected into actionable insights.

Through culture shifts among personnel, reinforcement from leadership and unified observability, agencies can proactively stop attacks and use insights to learn from and defend against such threats in the future.

It’s important to keep in mind that this is an ongoing endeavor. Never forget that zero trust is a mindset that must be pursued and dynamically adjusted each and every day.

natrot/Getty Images