5 steps for building a zero-trust environment

Ongoing attacks demonstrate why agencies must move to a zero-trust model of IT security, where nothing inside or outside the network perimeter is automatically trusted.

A recent Senate report unveiled a decades-long string of cybersecurity failures across a number of federal agencies that led to an exponential increase in cyber incidents. One hacked agency had 500MB of data stolen after an unauthorized device was connected to its network.

The report determined that virtually no agency is safe, an especially alarming conclusion given the sensitive information -- including Social Security numbers, medical records and national security data -- that government agencies hold.

These vulnerabilities and ongoing attacks demonstrate why agencies must move to a zero-trust model of IT security, where nothing inside or outside the network perimeter is automatically trusted. Everything must be verified before access is granted.

How trust and access have changed over the years

In the past, an employee going rogue and compromising data security was prevented by limitations on where data was stored and where systems could be accessed -- where the mainframes were housed or physical access points for those who were connected to networks, for example.

However, with the cloud, internet of things, mobile access and an increasingly geographically distributed workforce, the security perimeter has become so porous that boundaries have all but disappeared. By the very nature of the applications, devices and systems remote workers need to access, for example, they open up vulnerabilities and multiple points of entry for attackers against which firewalls and other perimeter security measures stand no chance. Complicating this issue is that what was once considered an insider threat may now be an external attacker with stolen credentials.

Granting trust requires layers of security along with verification and, realistically, continual reverification until a zero-trust model is in place.

Zero trust and federal agencies

In the wake of the Office of Personnel Management breach, which has been characterized as the largest government data theft in U.S. history, the House of Representatives suggested steps agencies should take to prevent similar attacks in the future. One of the strongest recommendations was the adoption of a zero-trust framework to protect agencies from similar attacks.

A technology framework, however, is not enough. A recent report from the American Council for Technology-Industry Advisory Council found that while zero-trust technologies “are available and lend themselves to incremental installation,” there needs to be greater support from the mission side of federal agencies.

Here are five steps that government agencies can take to start building a zero-trust environment.

Step 1: Take a risk-based approach to security. Agencies should first analyze the risks they face and aim to secure the last line of defense -- privileged access -- since it is the gateway through which both internal and external nefarious characters try to gain access. A programmatic risk assessment of privileged access should make it clear how an agency could benefit from a zero-trust model.

Step 2: Deploy zero trust with multistep authentication and secure Tier 0 assets. Tier 0 assets are an organization's most sensitive assets because they control identities, Active Directory, domain controllers and their associated administrative functions. These assets should be protected with multifactor authentication and other processes -- like step-up authentication and managerial approval -- before allowing access to critical assets and resources.

Even when agencies must grant temporary access to external vendors or third-party applications, continuous multistep authentication ensures authorized privileged users are on secure devices when accessing their accounts as well as Tier 1 assets like enterprise servers and applications.

Step 3: Secure core privileges on applications, devices and endpoints. Attackers who get a foothold on an endpoint through a privileged account and its associated credential will become indistinguishable from a fully validated and trusted user. Application control -- implementing restrictions that only trust specified applications, identify all human and machine users and discover and classify any and all hardware and software assets within the agency -- is critical.

Agencies also need a grasp of the devices their employees use, the health of those devices and which software versions are being run. Determining the level of trust associated with each device and endpoint is crucial to implementing zero trust.

Step 4: Secure and monitor the privileged pathway. Key indicators of malicious activity are often overlooked or mischaracterized as benign due to an implicit trust that malicious activity will be flagged by detection mechanisms. That makes visibility especially important with zero trust. Monitoring the privileged access pathway prevents malicious insiders and external attackers from expanding their reach.

By placing tight controls around what end users are accessing, agencies can respond and remediate attacks before suffering irreparable damage. These controls also create isolation layers between endpoints and enable secure connections for end users connecting to critical assets and resources.

Step 5: Implement granular attribute-based access controls. Knowing which individuals or applications have access to what data and understanding the actions users and apps can perform allows agencies to combine policy with specific user criteria to enforce attribute-based access control.

Beyond access control in the traditional sense, this also means placing controls around privileged task-related activities and management. Agencies should create active controls that allow privileged users to execute certain pre-defined tasks while blocking activities that present a high risk. This foundational feature of the zero-trust model must also be applied to applications.
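The five steps above describe one policy decision: for every privileged request, check device health (Step 3), require multifactor and, for Tier 0, step-up authentication and managerial approval (Step 2), allow only pre-defined tasks while blocking high-risk ones (Step 5), and write an audit record of the decision for monitoring (Step 4). The following Python program is an added example that is not part of the original article and is not any vendor's product; it is a small policy decision point that ties those checks together. Every name, attribute, role, task and sample request in it (`Subject`, `Device`, `ALLOWED_TASKS`, `lt-0001`, `dc01.agency.example` and so on) is a constructed assumption for illustration, and the 30-day patch-age threshold is a made-up policy value.

```python
"""Added example: a minimal zero-trust policy decision point (PDP).

Each request carries the subject (who), the device (from where), the
resource with its tier (what) and the privileged task being invoked.
Access is granted only when every check passes; every decision is
logged. All identifiers and sample data are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Asset tiers as in the article: Tier 0 = identity infrastructure
# (Active Directory, domain controllers), Tier 1 = enterprise servers/apps.
TIER0 = 0
TIER1 = 1
MAX_PATCH_AGE_DAYS = 30  # assumed posture policy: constructed value


@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str                      # e.g. "domain-admin", "helpdesk", "vendor"
    mfa_satisfied: bool            # completed multifactor auth this session
    step_up_satisfied: bool = False  # completed a fresh step-up challenge
    manager_approved: bool = False   # out-of-band managerial approval recorded


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                  # enrolled in the agency's device inventory
    disk_encrypted: bool
    os_patch_age_days: int         # days since the OS was last patched


@dataclass(frozen=True)
class Resource:
    name: str
    tier: int


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: Resource
    task: str                      # the pre-defined privileged task invoked


# Step 5: attribute-based policy. Keyed by (role, tier); each role may run
# only the pre-defined tasks listed. Anything else is denied by default.
ALLOWED_TASKS: Dict[Tuple[str, int], Set[str]] = {
    ("domain-admin", TIER0): {"reset-password", "read-audit-log"},
    ("domain-admin", TIER1): {"restart-service", "read-logs", "deploy-build"},
    ("helpdesk", TIER1): {"read-logs"},
    ("vendor", TIER1): {"deploy-build"},
}
# High-risk activities are blocked regardless of role or tier.
HIGH_RISK_TASKS: Set[str] = {"disable-mfa", "delete-audit-log"}


def device_posture_failures(d: Device) -> List[str]:
    """Step 3: return the reasons a device fails posture checks (empty = healthy)."""
    failures: List[str] = []
    if not d.managed:
        failures.append("device not in managed inventory")
    if not d.disk_encrypted:
        failures.append("disk not encrypted")
    if d.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"os patch age {d.os_patch_age_days}d exceeds {MAX_PATCH_AGE_DAYS}d")
    return failures


def decide(req: Request) -> Tuple[bool, List[str]]:
    """Evaluate every check and collect all denial reasons; allow only if none."""
    reasons = device_posture_failures(req.device)
    # Step 2: multifactor authentication on every privileged request.
    if not req.subject.mfa_satisfied:
        reasons.append("multifactor authentication required")
    # Step 2: Tier 0 additionally needs step-up auth and managerial approval.
    if req.resource.tier == TIER0:
        if not req.subject.step_up_satisfied:
            reasons.append("step-up authentication required for Tier 0")
        if not req.subject.manager_approved:
            reasons.append("managerial approval required for Tier 0")
    # Step 5: task must be pre-defined for this role/tier and not high risk.
    if req.task in HIGH_RISK_TASKS:
        reasons.append(f"high-risk task '{req.task}' is blocked")
    elif req.task not in ALLOWED_TASKS.get((req.subject.role, req.resource.tier), set()):
        reasons.append(
            f"task '{req.task}' not permitted for role '{req.subject.role}' "
            f"on Tier {req.resource.tier}")
    return (not reasons), reasons


def audit_line(req: Request, allowed: bool, reasons: List[str]) -> str:
    """Step 4: one log line per decision so the privileged pathway is visible."""
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{verdict} user={req.subject.user_id} role={req.subject.role} "
            f"device={req.device.device_id} resource={req.resource.name} "
            f"task={req.task} reasons={';'.join(reasons) or '-'}")


# Constructed sample data (not real hosts, users or devices).
HEALTHY = Device("lt-0001", managed=True, disk_encrypted=True, os_patch_age_days=7)
STALE = Device("byod-77", managed=False, disk_encrypted=True, os_patch_age_days=90)
DC = Resource("dc01.agency.example", TIER0)
APP = Resource("app-server-12", TIER1)

SAMPLE_REQUESTS = [
    Request(Subject("alice", "domain-admin", True, True, True), HEALTHY, DC, "reset-password"),
    Request(Subject("alice", "domain-admin", True, False, True), HEALTHY, DC, "reset-password"),
    Request(Subject("vend-acme", "vendor", True), HEALTHY, APP, "deploy-build"),
    Request(Subject("vend-acme", "vendor", True), HEALTHY, APP, "disable-mfa"),
    Request(Subject("bob", "helpdesk", True), STALE, APP, "read-logs"),
]


def run_samples() -> List[Tuple[bool, List[str]]]:
    """Decide and log each sample request; return the decisions for inspection."""
    results = []
    for req in SAMPLE_REQUESTS:
        allowed, reasons = decide(req)
        print(audit_line(req, allowed, reasons))
        results.append((allowed, reasons))
    return results


if __name__ == "__main__":
    run_samples()
```

Two design choices matter here. The decision collects every failing check rather than stopping at the first, so the audit line shows the full picture (a stale, unmanaged device and a missing approval are two separate findings to follow up). And the policy is deny-by-default: a (role, tier) pair with no entry in `ALLOWED_TASKS` gets an empty set, so a new role or a new asset class has no access until someone explicitly writes a rule for it.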

Implementing zero trust can be done in increments, but it should start with agencies incorporating privileged access security controls around their most sensitive assets.
