Trust shouldn't be cheap in government IT systems

 


To protect the integrity of the election process, agencies must adopt a zero trust security posture.

As midterms loom at a critical juncture in the political landscape -- one fraught with distrust from cyber tampering by foreign powers -- government agencies at all levels are taking a closer look at cybersecurity around the voting systems.

New York state is currently conducting election security drills with the help of the Department of Homeland Security to restore voter confidence in the elections. The U.S. Election Assistance Commission is revising the Voluntary Voter System Guidelines -- the recommended standards for voting systems addressing functionality, accessibility, and security -- which were last updated in 2005. Following the recommendations of a congressional investigation, local elections officials are removing Wi-Fi connectivity from all voting machines.

This flurry of activity shows that government agencies are taking action to defend against the digital threats they face from hackers who scan the internet looking for opportunities to break into private systems by exploiting vulnerabilities in everything from servers to smart TVs. With thousands of domains regularly probed for the existence of newly uncovered vulnerabilities, government agencies are realizing that trust is a commodity they cannot give away. To protect the integrity of the election process as well as all the other data government holds, agencies must adopt a zero trust security posture.

What is zero trust?

A zero trust model for security architecture is exactly what it sounds like. It assumes that every network segment, whether under agency control or on the public internet, is hostile and untrusted.

There was a time when security architects assumed that their internal networks could be safe and trusted. When computers were all deskbound and hardwired to the corporate network, users who were logged into the enterprise network were assumed to be trusted -- whether they were SysAdmins, accountants or external contractors. As users have moved outside the walls of the office and applications have moved to the cloud, the assumptions driving these models need to be questioned.

Furthermore, the notion that perimeter security devices like firewalls can keep internal networks safe from penetration and worthy of being trusted has repeatedly been proved incorrect. A true zero trust model gives each user exactly what he or she needs to complete the task at hand, and nothing more.

How to apply zero trust in government agencies

Because of the sensitive data under their care, agencies are instilled with a sense of urgency around protecting their data. But the handicap of bureaucracy and legacy systems can cancel out that benefit. That said, implementing a zero trust security model is not out of reach for government. Agencies should not try to make this shift all at once. Instead they should find a strategic process that allows them to make solid, steady progress to a zero trust model.

Zero trust may be a radical change from the way agencies have set up their networks. But it is also built around a core concept as old as security itself: that of “least privilege,” or giving users as little access as possible without impacting how they do their jobs. Adopting this model requires as much a shift in philosophy as in technology. A zero trust culture means that just because a user has network access does not mean he can be trusted with every asset in an agency. Front desk clerks should not have network access to backend databases simply as a result of being located on a trusted internal network segment. Nor should contractors working with an agency's billing system have a path to employee records just because they have network access through a VPN.

Adopting a solution that helps IT teams give employees access to all the applications or systems they need at the right time without relying on an “all or nothing” approach across internal networks is crucial for success.

By moving access decisions up the protocol stack well above the network layer, zero trust models place much more reliance on strong authentication and are rooted in a reliable understanding of user identity. These identity-aware approaches make it much easier for security architects to support least privilege and to ensure that access to applications matches the requirements for access based on the individual's role.
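The contrast between network-location trust and identity-aware access described above, as an added example that is not part of the original article. The address range, role names, resources and sample requests are constructed for illustration and mirror the front desk clerk and billing contractor cases.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: address range, roles and resources are illustrative.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # office LAN + VPN pool
ROLE_GRANTS = {  # least privilege: each role lists only what the job needs
    "front_desk_clerk": {"visitor_log"},
    "billing_contractor": {"billing_system"},
    "hr_specialist": {"employee_records"},
    "dba": {"backend_database"},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    strong_auth: bool  # e.g. completed multi-factor authentication
    source_ip: str
    resource: str

def perimeter_decision(req: Request) -> bool:
    """Legacy model: any request from an internal segment is allowed."""
    addr = ipaddress.ip_address(req.source_ip)
    return any(addr in net for net in TRUSTED_NETS)

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Identity-aware model: source network is ignored, default is deny."""
    if not req.strong_auth:
        return False, "identity not strongly authenticated"
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        return False, f"role {req.role} has no grant for {req.resource}"
    return True, "role grant matches resource"

SAMPLE_REQUESTS = [  # constructed requests mirroring the article's cases
    Request("clerk1", "front_desk_clerk", True, "10.1.4.20", "backend_database"),
    Request("vendor7", "billing_contractor", True, "10.8.0.15", "employee_records"),
    Request("vendor7", "billing_contractor", True, "10.8.0.15", "billing_system"),
    Request("hr3", "hr_specialist", True, "203.0.113.7", "employee_records"),
    Request("dba2", "dba", False, "10.1.9.3", "backend_database"),
]

def compare(requests):
    """Return (user, resource, perimeter_allow, zero_trust_allow) per request."""
    return [(r.user, r.resource, perimeter_decision(r), zero_trust_decision(r)[0])
            for r in requests]

if __name__ == "__main__":
    for row in compare(SAMPLE_REQUESTS):
        print(row)
```

The two models disagree on four of the five requests: the perimeter check admits the clerk, the contractor and the unauthenticated session because they sit on an internal address, and rejects the remote HR user whose role actually requires the records.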

The integrity of the election process depends on citizens being able to trust the results that come out of it. Ironically, this requires a technology system that doesn’t trust anyone. The old mantra of “trust, but verify” must be replaced with “never trust, and always verify.” Today, there is no consistent approach to election security across the agencies responsible for ensuring it. Whatever policies become standard should include the principles of zero trust.
