Shawn Elliott,
President, Federal Solutions
We all know that cybersecurity is a top priority for all federal agencies. In Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, the President initiated a sweeping government wide effort to ensure that baseline security practices are in place. A key component of this EO was to “develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) outlined in standards and guidance…and include a schedule to implement them”. (NISTs specific framework is SP-800-207)
So Zero Trust is coming tofor federal agencies, but is it the silver bullet for cyber security?
What Does Zero Trust Mean?
A large part of the recent increase in cybersecurity risk comes from the accelerated adoption of cloud technologies, remote work and BYOD (bring your own device) programs. These technologies fundamentally blur the lines of where an agency’s network starts and ends. Zero Trust assumes that there is no traditional network edge and shifts an organization’s security approach to one that is universally proactive. This is done by requiring all users to be authenticated, authorized and continuously validated prior to being granted or retaining access to applications, data and resources. Per NIST, “Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”
Zero Trust is, in theory, a more secure approach to cybersecurity in modern, connected network environments. However, that security comes at a cost – in terms of needed cybersecurity tools, expertise, reduced flexibility, time to authorization and user experience. It makes your applications and network more secure – but more difficult for you to accomplish your agency’s mission quickly.
The Zero Trust Tradeoff
This tradeoff – between speed and security – is at the core of almost every cybersecurity measure. Users could do their jobs quicker if they didn’t need credentials to access applications or resources – but the result of that approach would be catastrophic. In the case of Zero Trust, threats still loom from ineffective patch management, denial of service attacks (DoS), network outages and stolen credentials. It is not a silver bullet for cybersecurity, it comes with risk considerations as with any cybersecurity measure.
So are the tradeoffs worth it?
In our opinion, absolutely. There’s a reason that private industry is moving to this model – and developing tools and capabilities to reduce the impact of these tradeoffs. We believe it should be a core foundation of an effective cybersecurity posture. It’s a natural evolution of our society’s approach to cybersecurity in the age of the cloud and one any entity should consider regardless of government mandates.
How Should My Agency Approach Zero Trust?
Even within the Federal Government each agency has unique needs and there is no ‘one-size-fits-all’ approach. The key is in approaching adoption of a Zero Trust posture is to lead with one of three foundational approaches:
- People first – focus on identity management
- Resources first – segmenting groups of resources using network devices
- Network first – leveraging technologies like SDN
All three will play a role in your approach, but leading with one will give focus and accelerate your journey. We’ll be sharing more details about our recommended approach in future posts. Also, when planning your evolution to Zero Trust, consider the following:
- Look to the private industry for guidance. Companies such as Microsoft have implemented Zero Trust models and have shared much detail about their approach.
- A comprehensive Zero Trust solution requires multiple vendors and technologies, so be prepared to bring together multiple vendors for your unique environment or work with someone who can pull them together for you.
Is Zero Trust the Answer?
As I noted it’s not a silver-bullet to the government’s cybersecurity challenges. However, it’s a positive step forward in the world’s current cybersecurity landscape and a key pillar of any world-class cybersecurity program. As we continue to develop our services and offerings, we continue to contemplate how a Zero Trust posture impacts our approach and the agencies we serve.