Identity as the new perimeter: How one county launched its zero trust initiative


“If you can’t get your arms around identity, you’re never going to be able to address zero trust,” Maricopa County’s CISO Lester Godsey said.

Identity and access management are foundational to adopting and implementing zero trust, said Lester Godsey, chief information security officer for Maricopa County, Arizona.

“If you can’t get your arms around identity, you’re never going to be able to address zero trust,” Godsey said. “Something that’s been kind of a catchphrase in our field is ‘identity is a new perimeter.’ It used to be the traditional firewall -- you have to go through the firewall to consume services. That’s not the case anymore.”

But identity isn’t just personal. It also refers to devices, services and functions.

“You want to know what services need to talk to other services in the environment, so this concept of identity runs the gamut,” Godsey said, adding that the county is working on an identity and access management strategy that will inform its zero-trust approach. 

The first phase identified identity gaps and shortfalls, such as the lack of a central repository of identities for interns, volunteers and contractors across the county’s 56 departments. “There wasn’t a single source of truth that would manage all that,” he said. The county is also working to define an identity architecture so residents can use one identity to access all the county services they need. 

Identity also connects with asset management. “If you understand the idea of identity extends to devices themselves, that makes the presumption that you understand what assets you have in your environment in the first place,” Godsey said. “That way, you can adequately provision for device identity. We’re undergoing that effort in multiple ways to get our arms around assets in the organization in preparation for this zero-trust approach.”

One way is through what he calls the next-generation network project, in which the county is assessing enterprise network infrastructure to ensure it can meet current and future needs, including zero trust.

Another element is defining the workflow for how agencies give access to resources. Ideally, this will be a largely automated process to avoid taking a week or more to ensure, say, that a new employee is accessing the right services based on their role.

“Going on a zero-trust journey will quickly determine which organizations have eaten their vegetables and which ones haven’t,” Godsey said. “It’s really forced us to reassess what our current environment is, what our capabilities are, what our understanding is and then coming up with a logical game plan.”

Zero-trust advice

State and local governments aren’t mandated to implement zero trust the way federal agencies are, but it’s a solid cybersecurity approach that all jurisdictions should consider, experts say. 

“This is something that is going to be pushed down to the states in one fashion or another,” said Heath Mullins, a senior analyst at Forrester and author of “Comply With Federal Zero Trust Mandates,” a report that the research firm published Aug. 25. It offers three steps for adopting zero trust that focus on the federal level, citing a 2021 executive order and a January memo from the Office of Management and Budget that set a zero-trust architecture (ZTA) strategy for federal executive agencies, but that “absolutely apply” to any government entity, Mullins said.

The first step is to gather data, which involves identifying stakeholders, understanding the network and assessing zero trust maturity. 

“One of the biggest lifts for any agency of any nature … is understanding what you have,” Mullins said. “It’s really around getting a true understanding of what is in the network, rather than taking guesses based on what could be years-old information contained in a spreadsheet or CSV.”

“Don’t underestimate the amount of time and effort required to do that initial data gathering,” Godsey added. “You have to establish a baseline and understanding of where your maturity is at. I can’t overemphasize that enough, because until you understand where your maturity is at, what you’re capable of and what your capabilities aren’t, you’re never going to be successful.”

The second step is identifying coverage gaps. To do this, the report states, organizations should compare their security stack with the ZTA pillars outlined by the federal government and choose vendors that can help.

That second part will be especially important for state and local agencies, which have not been mandated to allocate funding to the effort the way the federal agencies have, Mullins said. They also are likelier to lack staff trained in zero trust.

“From a state perspective, there’s going to be more of a focus on a managed service provider offering and/or additional automation around tasks because they simply don’t have the people or they can’t retain the people,” Mullins said. “It’s a very competitive market right now.”

The third step is to establish a common zero trust reference architecture with identity, devices, networks, applications and workloads as well as data in mind.

In fact, “most states and most municipalities have elements of zero trust already in place,” said Brandon Pugh, senior fellow and policy counsel for cybersecurity and emerging threats at the R Street Institute, a public policy research organization. “They may not realize that, or they may not have it as part of a broader framework, but they have elements. So, for instance, multifactor authentication. That’s often seen as one element of zero trust. A fair amount of jurisdictions have that already.”

But lacking the clear guidance federal agencies have via the Defense Department, Cybersecurity and Infrastructure Security Agency, and National Institute of Standards and Technology, many state and local agencies struggle with what exactly zero trust means, he added. “I think that’s where there’s a burden on the federal government as well as the state government to try to make this as simple as possible and give recommended steps,” Pugh said. “It’s important to remember that zero trust is not a product, and there’s not one rigid framework that you have to follow. It should vary based on the entity.”

Stephanie Kanowitz is a freelance writer based in northern Virginia.
