Dec 21 2022

What Agencies Should Know About Establishing Zero Trust in a Hybrid Work Environment

Agencies need to analyze their environment and ensure they have the proper policies and processes in place to make zero-trust deployments successful.

Like professionals in so many other sectors, it seems clear that federal workers want more remote work options, even as people return to in-person operations. A hybrid work environment could be an effective compromise, and it’s a direction that federal agencies are considering. Yet, hybrid work comes with specific security challenges because some employees are off the network and using personal machines.

One way to mitigate hybrid work threats is to adopt a zero-trust approach to security, which eliminates any implicit trust and continuously validates every stage of a digital interaction. So, what do federal agencies need to consider before establishing zero-trust security in a hybrid work environment?

Click the link to receive curated content by becoming an Insider.

Cybersecurity Challenges in Hybrid Work

Hybrid work presents unique security challenges, one of which is that a dispersed workforce multiplies the number of endpoints that agencies need to secure. In other words, hybrid work expands an organization’s attack surface, meaning vital data and systems have never been more vulnerable without the right security posture.

This is particularly true in a hybrid environment, where employees use devices both on- and off-premises. Devices may be more easily compromised off-premises, and agencies can face major breaches if those devices are then connected to their networks. The proliferation of smart devices at home only exacerbates the issue, as Glenn Johnstone, Vodafone New Zealand’s head of information and communications technology practices, pointed out at a recent CIO roundtable.

“The sheer number of smart devices in our lives means we are more vulnerable than we think. We’re connected through our phones, the printer, our cars, fridges, fish tanks — and any connection can be an issue. It means we need security across all devices in the office, at home, anywhere and everywhere your people are connected,” Johnstone said.

Hybrid work also means more reliance on cloud-based applications, which provide a much larger attack service for bad actors if not properly secured.

EXPLORE: How upgraded videoconferencing equipment helps provide remote serivces.

What Zero Trust Can Do for a Hybrid Workplace

A zero-trust security posture is designed to provide added security in modern networks, which have cloud-based assets and remote users. As the General Services Administration explains, zero trust shifts focus away from protecting the network perimeter and prohibits access until the access request, identification of the requestor and requested resource are validated. After a request is granted for accessing a zero-trust network, security teams continuously monitor how the organization uses and distributes the data.

As the name suggests, there’s no implicit trust in a zero-trust environment; data and resources are granted on a per-session basis, with no exceptions. The rigorous enforcement of authentication and authorization makes zero trust a natural fit for hybrid work.

DISCOVER: How federal agencies’ remote work technology benefits other operational areas.

Preparing for Zero-Trust Deployment in a Hybrid Environment

Before adopting zero trust, agencies need to take steps to analyze their environment and ensure they have the proper policies and processes in place to make deployment successful. According to the GSA, the first step is to identify a “protect surface,” which contains the agency’s most valuable data, assets, applications and services. The protect surface should be smaller than the entire attack surface because only critical assets are included.

“In zero trust, by defining a protect surface, we can move controls as close as possible to that protect surface to define a micro-perimeter. With our next-gen technology functioning as a segmentation gateway, we can segment networks,” wrote John Kindervag, a cybersecurity expert known for creating the zero-trust model, in a Palo Alto Networks blog post.

The GSA also points out the importance of subject provisioning, an identity and access management process in which users are given appropriate rights and permissions to access an organization's resources. The GSA actually recommends that strong subject provision and authentication policies be in place before moving to a zero trust–aligned deployment. This means agencies need to implement comprehensive security practices for a zero-trust approach to be effective.

“When balanced with existing cybersecurity policies and guidance, identity and access management, continuous monitoring and best practices, a ZTA can protect against common threats and improve an organization’s security posture by using a managed risk approach,” the National Institute of Standards and Technology noted.

NIST points out that there doesn’t need to be wholesale changes in an agency’s cybersecurity posture, considering many organizations already have these elements in their enterprise infrastructure.

fotostorm/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT