We define Zero Trust as a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. Boiled down, Zero Trust simplifies risk management to a single use case: the removal of all implicit trust for users, applications and infrastructure. It’s a way for government agencies and other organizations to build resilience into their IT networks and environments.
Nearly a year after President Biden signed the Executive Order on Improving the Nation’s Cybersecurity, many federal agencies are making significant progress on their Zero Trust journey. The great news is that agencies are further along with Zero Trust than most people assume. More than 70% of federal agencies are aggressively adopting Zero Trust principles. Some are well-positioned to accelerate their efforts because of investments in digital transformation, which include rebuilding and improving their security approach. But even these federal agencies are feeling more pressure to speed their Zero Trust journey, following the January release of the federal Zero Trust architecture strategy from the U.S. Office of Management and Budget, which outlines aggressive implementation deadlines.
As the federal government increases its focus on Zero Trust, there are some core Zero Trust tenets that will be helpful for agency IT leaders to understand:
- Adopting a Zero Trust Approach Is a Continuous Journey – It is not a one-time implementation. I like to say that Zero Trust is an operational philosophy requiring a change in mindset – a fundamental shift in how we design, implement and maintain cybersecurity postures.
- Building a Comprehensive Zero Trust Plan Is Paramount – Focusing on a specific product or a narrow technology does not equal Zero Trust. Zero Trust must be an end-to-end approach encompassing the entire IT ecosystem of controls – network, endpoints, cloud, applications, Internet of Things devices, identity and more.
- Understanding that ZTNA Is Only a Component of Zero Trust – The terms Zero Trust Network Access (ZTNA) and Zero Trust are not interchangeable. It’s actually a very common misnomer. ZTNA applies specifically to remote users accessing company applications and services, and is an element of the bigger Zero Trust story. While ZTNA is extremely important (especially within the reality of a new, hybrid workforce), just implementing ZTNA is not enough.
Ultimately, Zero Trust isn’t a flip-the-switch effort to enhance cybersecurity. It will take time. And as I mentioned above, it’s a continuous journey. While some agencies are moving well along with Zero Trust initiatives, others are struggling with how to get started. ZTNA actually offers a logical starting point into a broader Zero Trust strategy. But the good news is that your agency can start implementing the Zero Trust process anywhere. You can use existing tools and capabilities to establish a starting line. For those in early stages, there are some factors to consider to help ensure a successful outcome.
Like every journey, Zero Trust requires a map or plan of action in order to move forward effectively. My advice: don’t attempt to boil the ocean. Where you start will vary from one agency to the next. Deciding that depends on assessing how Zero Trust can be applied relative to your current environment. Think carefully about your focus areas and prioritize them. Review the different federal specifications that are available, such as NIST, CISA and DOD, and select what will best support your organization’s goals.
Taking on Zero Trust does not mean starting from scratch with your infrastructure. Conduct a rationalization of existing IT investments. Decide what your organization is actually using, what is working, what could be reconfigured or redeployed, and what new investments are truly needed. If you decide to start in an area that requires a new investment, identify funding programs or vehicles that can help fast-track the effort. Be sure to assess current security capabilities and whether they are used as effectively as possible. Consider which can be leveraged toward applying Zero Trust best practices quickly.
Support from the top down is important for moving forward efficiently with Zero Trust. As mentioned previously, this often requires a mindset shift among leadership. Proactive, substantive conversations on the plan and its goals must occur, with the CISO included at the head table to engage in discussions and direction. This dialogue can also help move the cybersecurity budget from insufficient to appropriate.
Approach the plan holistically, aligning with a board, CIO or both, as well as driving a broader Zero Trust culture across your agency. Consider creating a Zero Trust center of excellence, and assign a chief Zero Trust architect to champion the process.
Remember you have an opportunity to rebuild security properly. A solid plan will help avoid getting overburdened by the complexity of too many security controls. Focus on having fewer tools that leverage automation for maximum resource efficiency.
Achieving Zero Trust requires determining what your organization needs to reduce acute risk and achieve resilience. Many organizations start with identity mechanisms like multifactor authentication, applying least-privilege access or ZTNA. Again, approach this incrementally; develop a roadmap and align it to your chosen maturity model. As you implement additional Zero Trust capabilities, help support your agency’s transformation by maximizing the potency of new and existing investments to ensure the best possible security outcomes.
Adding metrics to your plan will also help keep it actionable and on track. Set goals for securing users, applications and infrastructure across the full spectrum of touch points, such as authenticating identity, verifying device and workload integrity, enforcing least-privilege access and scanning all transactions for legitimacy.
With these fundamentals in place, you can confidently begin your Zero Trust journey. Will it be easy to adopt? No, but getting started shouldn't be hard. Having well-defined Zero Trust tenets and requirements will help set a common expectation of what needs to be achieved to be secure, at least making the path of a challenging journey clear.
Zero Trust represents a fundamental change in how all of us will design, implement and maintain cybersecurity postures for the long term. Success will require a solid, methodical plan, strong organizational support and true partnership between government and industry to get us there.