“If you can’t get your arms around identity, you’re never going to be able to address zero trust,” Maricopa County’s CISO Lester Godsey said.
Identity and access management are foundational to adopting and implementing zero trust, said Lester Godsey, chief information security officer for Maricopa County, Arizona.
“If you can’t get your arms around identity, you’re never going to be able to address zero trust,” Godsey said. “Something that’s been kind of a catchphrase in our field is ‘identity is a new perimeter.’ It used to be the traditional firewall -- you have to go through the firewall to consume services. That’s not the case anymore.”
But identity isn’t just personal. It also refers to devices, services and functions.
“You want to know what services need to talk to other services in the environment, so this concept of identity runs the gamut,” Godsey said, adding that the county is working on an identity and access management strategy that will inform its zero-trust approach.
The first phase identified identity gaps and shortfalls, such as the lack of a central repository of identities for interns, volunteers and contractors across the county’s 56 departments. “There wasn’t a single source of truth that would manage all that,” he said. The county is also working to define an identity architecture so residents can use one identity to access all the county services they need.
Identity also connects with asset management. “If you understand the idea of identity extends to devices themselves, that makes the presumption that you understand what assets you have in your environment in the first place,” Godsey said. “That way, you can adequately provision for device identity. We’re undergoing that effort in multiple ways to get our arms around assets in the organization in preparation for this zero-trust approach.”
One way is through what he calls the next-generation network project, in which the county is assessing enterprise network infrastructure to ensure it can meet current and future needs, including zero trust.
Another element is defining the workflow for how agencies give access to resources. Ideally, this will be a largely automated process to avoid taking a week or more to ensure, say, that a new employee is accessing the right services based on their role.
“Going on a zero-trust journey will quickly determine which organizations have eaten their vegetables and which ones haven’t,” Godsey said. “It’s really forced us to reassess what our current environment is, what are capabilities are, what our understanding is and then coming up with a logical game plan.”
State and local governments aren’t mandated to implement zero trust the way federal agencies are, but it’s a solid cybersecurity approach that all jurisdictions should consider, experts say.
“This is something that is going to be pushed down to the states in one fashion or another,” said Heath Mullins, a senior analyst at Forrester and author of “Comply With Federal Zero Trust Mandates,” a report that the research firm published Aug. 25. It offers three steps for adopting zero trust that focus on the federal level, citing a 2021 executive order and a January memo from the Office of Management and Budget that set a zero-trust architecture (ZTA) strategy for federal executive agencies, but that “absolutely apply” to any government entity, Mullins said.
The first step is to gather data, which involves identifying stakeholders, understanding the network and assessing zero trust maturity.
“One of the biggest lifts for any agency of any nature … is understanding what you have,” Mullins said. “It’s really around getting a true understanding of what is in the network, rather than taking guesses based on what could be years-old information contained in a spreadsheet or CSV.”
“Don’t underestimate the amount of time and effort required to do that initial data gathering,” Godsey added. “You have to establish a baseline and understanding of where your maturity is at. I can’t overemphasize that enough, because until you understand where your maturity is at, what you’re capable of and what your capabilities aren’t, you’re never going to be successful.”
The second step is identifying coverage gaps. To do this, the report states, organizations should compare their security stack with the ZTA pillars outlined by federal government and choose vendors that can help.
That second part will be especially important for state and local agencies, which have not been mandated to allocate funding to the effort the way the federal agencies have, Mullins said. They also are likelier to lack staff trained in zero trust.
“From a state perspective, there’s going to be more of a focus on a managed service provider offering and/or additional automation around tasks because they simply don’t have the people or they can’t retain the people,” Mullins said. “It’s a very competitive market right now.”
The third step is to establish a common zero trust reference architecture with identity, devices, networks, applications and workloads as well as data in mind.
In fact, “most states and most municipalities have elements of zero trust already in place,” said Brandon Pugh, senior fellow and policy counsel for cybersecurity and emerging threats at the R Street Institute, a public policy research organization. “They may not realize that, or they may not have it as part of a broader framework, but they have elements. So, for instance, multifactor authentication. That’s often seen as one element of zero trust. A fair amount of jurisdictions have that already.”
But lacking the clear guidance federal agencies have via the Defense Department, Cybersecurity and Infrastructure Security Agency, and National Institute of Standards and Technology, many state and local agencies struggle with what exactly zero trust means, he added. “I think that’s where there’s a burden on the federal government as well as the state government to try to make this as simple as possible and give recommended steps,” Pugh said. “It’s important to remember that zero trust is not a product, and there’s not one rigid framework that you have to follow. It should vary based on the entity.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.