Federal agencies implementing a zero trust approach to cybersecurity accept breaches and hacks as inevitable. Instead of concentrating all resources on preventing cyberattacks, these agencies also execute strategies to mitigate attacks when they happen.
Identity access management and cloud computing are two key aspects of zero trust. Many federal agencies already have the technologies and expertise to implement a zero trust approach.
“Zero trust leverages technology you already have and are looking to deploy, like identity credentialing and access management,” said Tony Plater, CISO of the Department of the Navy, during an FCW Workshop on zero trust.
But zero trust still requires a “fundamental paradigm shift” in how federal agencies think about cybersecurity, he added.
“We now operate under the assumption that the network is breached or will be breached at some point,” he said, “while limiting security breaches from internal human error. I like to think [of zero trust as] mission assurance — from a data-sharing perspective, zero trust strategy allows [us] to manage access rules for users and devices across the department. From the enterprise center, the flexibility of zero trust allows us to implement critical network technologies — from identity and access management to cloud computing.”
Zero trust isn't anything new, said Alma Cole, CISO of Customs and Border Protection, but it has become more popular as federal agencies have honed and targeted their cybersecurity practices to be more precise, controlled and effective.
“At its core, it's taking a lot of principles that have been around for a long time and implementing them well, for a change,” he said. “You're talking about taking that security principle of least privilege access, rolling that out, and actually implementing that in a comprehensive way across your environment and users. Obviously implementing that in a comprehensive way is really challenging. Making it more adaptable as the environment changes…now we have new technologies that help us get there.”
Supporting the uptick in zero trust popularity is the shift away from legacy IT systems to the cloud. Because zero trust assumes no user on a network is inherently trustworthy, it is well suited for a cloud environment.
“Under the legacy VPN model, you have a trusted user, hopefully on a trusted device. It varies whether you're checking on that, [and you] drop them on the internal network and they have free rein to everything in there,” Cole said. “The new model now, taking advantage of Secure Access Service Edge (SASE), you bring users into a control plan within the cloud and have huge abilities to link up the identity of the device and user into explicit applications they can access, and explicitly configure those users to go in just for those systems and only present those systems as options. That SASE model, when we're doing that, and shift the way we connect in[to the network], that gets us way, way ahead with zero trust. We're really isolating those endpoints away from each other and cutting off the ability of malicious hackers because they literally cannot see any other host because they're not a big flat network.”
Teleworking also benefits from a zero trust approach to security, Plater said, because not all federal employees connect to the cloud from government devices, and peripheral devices like home routers and printers can also pose cybersecurity risks to the federal agency’s cloud.
“It changes where, when and how data is being accessed,” Plater said. “By adopting zero trust, we can benefit by reducing the attack surface, limit lateral movement, and decrease the demand on security monitoring teams so they can focus on staying ahead of attackers and not chasing them down.”
No matter what the teleworking or technology makeup of a federal agency, implementing zero trust ultimately comes down to a specific mindset. There isn’t one product or service that facilitates zero trust. Any federal agency can revamp its cybersecurity strategy with a zero trust approach.
“Zero trust assumes something is going to go wrong,” Cole said. “You're assuming that at some point, adversaries get through, so you have to have the right structure built up to detect when that happens and respond when that happens. You're doing the utmost work possible to isolate each host from each other.”