Zero trust is not a cure-all, but it offers a powerful opportunity for agencies to shore up their cyber defenses.
The federal government is facing mounting pressure to improve its cybersecurity defenses. Attacks in recent years such as the Office of Personnel Management breach and SolarWinds hack have shined a harsh spotlight on the need for agencies to better protect their data.
At the same time, both the public and private sectors have been re-evaluating traditional security approaches that focus on the network perimeter to keep intruders out. There is wide recognition that these tactics alone are no longer sufficient to guard against cybercriminals and insider threats.
Enter zero-trust security, a model that assumes all traffic on a network could be a threat and requires every user be authenticated and authorized before being granted access to any sensitive application or data.
While zero-trust security doesn’t protect networks from every possible attack, it reduces risk, speeds up threat detection and closes gaps in visibility. It is tailor-made for a world where cloud computing and an ever-increasing number of mobile devices are expanding the network attack surface and demanding finer-grained security controls.
Cybersecurity industry veteran John Kindervag is often credited with creating the zero-trust security concept in 2010. Eleven years later, the model appears to be reaching an inflection point in the federal government.
Federal Chief Information Security Officer Chris DeRusha has been a strong advocate for its adoption. Various federal agencies have published guidance in recent months on how to implement the zero-trust model, including a call to action by the National Security Agency and the SP 800-207 blueprint issued by the National Institute of Standards and Technology. The Pentagon appears to be all in, considering establishing a special office dedicated to accelerating zero-trust adoption.
On March 11, President Joe Biden signed the $1.9 trillion American Rescue Plan that included $1 billion for the Technology Modernization Fund, which its overseer, the General Services Administration, said “will give agencies a unique opportunity to make strategic investments to strengthen the federal government’s cybersecurity posture and help agencies develop state-of-the-art tools and infrastructure for a changing world.” Cybersecurity projects, including zero trust efforts, take top priority for resources and funding available through the TMF.
And on May 10, the New York Times reported that federal agencies would be required to take a zero-trust approach to software vendors under a new executive order aimed at strengthening cybersecurity.
Despite all this momentum, zero-trust security has been notorious for baffling and worrying some federal IT staff. It can seem complicated and even overwhelming and evokes nightmares of having to replace existing architectures. The marketing noise around it is confusing, and even the moniker can be easily misconstrued – things with “zero” in their name seldom seem positive unless they’re a no-calorie drink.
I believe such concerns are overwrought and that zero trust represents not only a powerful opportunity for federal agencies to shore up their cyber defenses but to lead the way in showing the private sector as well what zero-trust-done-right looks like.
Zero trust is less about ripping and replacing existing systems and more about an evolution away from perimeter-focused security to a granular approach more suited to today’s computing realities. Implementing zero trust seems less daunting when broken down into three smaller steps that federal IT organizations can take to get started.
- Be up front and honest about the security in place now. How well can the agency currently track users and devices, how they move around the network and how they access data and applications? What authentication and authorization platforms are in place?
If an agency is still relying on basic techniques like ID/password, that’s no longer good enough. Additional tactics such as two-factor authentication help verify that users are who they say they are and determine what data and applications they should be allowed to access.
- Get a handle on where data resides. Once upon a time, this was easy – data was stored inside an agency’s private data center and thus was easier to secure. But the increasing prevalence of IT architectures with a hybrid of public and private clouds has introduced new computing paths and potential for vulnerabilities.
Zero-trust security requires a deep understanding of the data landscape and strict controls over who can access every piece of information. And that’s not possible without a precise inventory of what information is out there and where it lives.
- Look for opportunities to automate manual processes. It has become untenable for security operations team members to stay on top of the immense amount of data flowing across the network -- some of it relevant to security, much of it not -- and respond to issues in a timely manner.
Thus, a zero-trust architecture should include automation and orchestration technology that intelligently identifies and analyzes all this data and helps security teams rapidly address any threats.
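To make the three steps concrete, here is an added example (not code from the column or from any agency or vendor) of the per-request decision a zero-trust policy engine makes: every request to a non-public resource must carry a proven identity with a second factor, a device that passed its posture check and a role authorized for that resource, and the resource itself must appear in the data inventory before access can be granted. Network location is recorded for audit but never consulted, which is the break from perimeter thinking. The denial summary at the end is the kind of aggregation the automation step calls for. All resources, roles, users and the sensitivity tiers are constructed for illustration.

```python
"""Per-request zero-trust policy decision (added illustration, constructed data)."""
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 1
    INTERNAL = 2
    SENSITIVE = 3


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity
    allowed_roles: frozenset


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    authenticated: bool      # identity proven (password or stronger)
    mfa_verified: bool       # second factor completed for this session
    device_compliant: bool   # endpoint passed its posture check
    source_network: str      # kept for audit only; grants no trust
    resource: str


# Step 2: constructed data inventory. Anything not listed cannot be granted.
INVENTORY = {
    "public-site": Resource("public-site", Sensitivity.PUBLIC, frozenset({"anyone"})),
    "hr-portal": Resource("hr-portal", Sensitivity.INTERNAL, frozenset({"staff", "hr"})),
    "case-files": Resource("case-files", Sensitivity.SENSITIVE, frozenset({"hr"})),
}

AUDIT_LOG = []  # (user, resource, source_network, allowed, reason)


def _record(req, allowed, reason):
    """Every decision, allow or deny, is logged with the reason for later review."""
    AUDIT_LOG.append((req.user, req.resource, req.source_network, allowed, reason))
    return allowed, reason


def decide(req, inventory=INVENTORY):
    """Return (allowed, reason). Note that source_network never appears in a check."""
    res = inventory.get(req.resource)
    if res is None:
        return _record(req, False, "resource not in inventory")
    if res.sensitivity == Sensitivity.PUBLIC:
        return _record(req, True, "public resource")
    if not req.authenticated:
        return _record(req, False, "not authenticated")
    if not req.mfa_verified:
        return _record(req, False, "mfa required")
    if res.sensitivity >= Sensitivity.SENSITIVE and not req.device_compliant:
        return _record(req, False, "device not compliant")
    if not (req.roles & res.allowed_roles):
        return _record(req, False, "role not authorized")
    return _record(req, True, "authenticated, mfa verified, role authorized")


def denial_summary(log=AUDIT_LOG):
    """Step 3: collapse raw deny events into counts per reason for the SOC."""
    return Counter(reason for (_, _, _, allowed, reason) in log if not allowed)


if __name__ == "__main__":
    # Constructed requests: note that the request from the internet is the one
    # that succeeds, because it satisfies every check, while the on-LAN ones fail.
    samples = [
        AccessRequest("alice", frozenset({"staff", "hr"}), True, True, True, "internet", "case-files"),
        AccessRequest("bob", frozenset({"staff"}), True, True, True, "corp-lan", "case-files"),
        AccessRequest("carol", frozenset({"hr"}), True, False, True, "corp-lan", "hr-portal"),
        AccessRequest("dave", frozenset({"hr"}), True, True, False, "corp-lan", "case-files"),
    ]
    for r in samples:
        print(r.user, "->", r.resource, decide(r))
    print(denial_summary())
```

The ordering of checks matters for the audit trail: identity and second factor are tested before device posture and role, so a denial reason tells an analyst which control fired first rather than every control that would have failed.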
By following these three steps, agencies can get past any FUD and start diving into what clearly is the future of federal cybersecurity. It’s time for every agency to put its trust in zero-trust security.