As the name suggests, there is no implicit trust in a zero-trust environment: access to data and resources is granted on a per-session basis, and no session inherits trust from the one before it or from where the request comes from. The rigorous enforcement of authentication and authorization makes this a natural fit for hybrid work.
Before adopting zero trust, agencies need to analyze their environments to ensure they have policies and processes in place to make deployment successful. According to the GSA, that starts with identifying a “protect surface,” or the most valuable data, assets, applications and services.
The GSA also emphasizes subject provisioning, an identity and access management process in which users receive the rights and permissions appropriate to their role before they request access to resources. The GSA recommends that strong subject provisioning and authentication policies be in place before moving to a zero trust–aligned deployment. In other words, agencies need comprehensive security practices already working for a zero-trust approach to be effective.
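The two ideas above (per-session grants with no implicit trust, and subject provisioning as a precondition) can be made concrete with a small policy decision point. The following is an added example, not code from the GSA or NIST or from the article: the entitlements table, the session lifetime, the device attributes and the `decide` function are all assumptions chosen to illustrate the pattern. Every request is judged on its own evidence, the default answer is deny, and the source network is recorded but never consulted as a reason to allow.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical, simplified policy decision point (PDP). Rule set and names are
# assumptions for this example, not an agency's or vendor's actual policy.

SESSION_MAX_AGE = timedelta(hours=8)  # assumed per-session authentication lifetime

@dataclass(frozen=True)
class Subject:
    user_id: str
    authenticated_at: datetime  # when this session's authentication happened
    mfa: bool                   # whether that authentication used a second factor

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    compliant: bool

@dataclass(frozen=True)
class Resource:
    name: str
    protect_surface: bool  # True for the agency's most valuable assets

@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: Resource
    action: str
    source_network: str  # "corporate" or "internet": logged, never a basis for trust
    now: datetime

# Subject provisioning: constructed entitlements (user -> resource -> allowed actions).
# In practice this table is populated by the IAM process before any access is requested.
ENTITLEMENTS = {
    "alice": {"payroll-db": {"read"}, "wiki": {"read", "write"}},
    "bob": {"wiki": {"read"}},
}

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request in isolation. Returns (allowed, reason); default is deny."""
    subj = req.subject
    # 1. Authentication must be fresh for this session; older sessions re-authenticate.
    if req.now - subj.authenticated_at > SESSION_MAX_AGE:
        return False, "session expired; re-authentication required"
    # 2. Provisioning check: the subject must already hold this action on this resource.
    allowed_actions = ENTITLEMENTS.get(subj.user_id, {}).get(req.resource.name, set())
    if req.action not in allowed_actions:
        return False, "subject not provisioned for this action"
    # 3. Protect-surface resources demand stronger evidence: MFA and a healthy device.
    if req.resource.protect_surface:
        if not subj.mfa:
            return False, "MFA required for protect-surface resource"
        if not (req.device.managed and req.device.compliant):
            return False, "managed, compliant device required for protect-surface resource"
    # 4. Deliberately absent: no branch grants access because source_network == "corporate".
    return True, "all policy checks passed"

def demo() -> list[tuple[str, bool, str]]:
    """Constructed requests showing how the same subject fares under different evidence."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=5)
    stale = now - timedelta(hours=9)
    good_dev = Device("laptop-1", managed=True, compliant=True)
    byod = Device("phone-7", managed=False, compliant=False)
    payroll = Resource("payroll-db", protect_surface=True)
    wiki = Resource("wiki", protect_surface=False)
    cases = {
        "alice mfa, managed device, from internet": Request(
            Subject("alice", fresh, mfa=True), good_dev, payroll, "read", "internet", now),
        "alice no mfa, on corporate network": Request(
            Subject("alice", fresh, mfa=False), good_dev, payroll, "read", "corporate", now),
        "bob not provisioned for payroll": Request(
            Subject("bob", fresh, mfa=True), good_dev, payroll, "read", "corporate", now),
        "alice stale session": Request(
            Subject("alice", stale, mfa=True), good_dev, payroll, "read", "internet", now),
        "alice wiki write on unmanaged device": Request(
            Subject("alice", fresh, mfa=False), byod, wiki, "write", "internet", now),
    }
    return [(label, *decide(r)) for label, r in cases.items()]

if __name__ == "__main__":
    for label, allowed, reason in demo():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {reason}")
```

The second case is the one worth noticing: being on the corporate network changes nothing, because the decision reads only the subject's authentication, the provisioned entitlements and the device state. The last case shows the flip side, that a resource outside the protect surface can be served with lighter requirements, which is what identifying the protect surface first buys an agency.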
“When balanced with existing cybersecurity policies and guidance, identity and access management, continuous monitoring and best practices, a [zero-trust approach] can protect against common threats and improve an organization’s security posture by using a managed risk approach,” the National Institute of Standards and Technology notes.
Many organizations already have these elements in their enterprise infrastructure, so this strategy may not require wholesale changes to an agency’s cybersecurity posture, NIST states.