The Zero Trust Journey for Federal Agencies: The Next Phase

Not long ago, federal agencies were wondering how and where to start on their Zero Trust journey. Now, we see many agencies well on their way and looking to accelerate their approach to meet the aggressive implementation deadlines set by OMB Memorandum M-22-09. More importantly, we are hearing from agency IT leaders who are seeking guidance on the best next steps to take with Zero Trust implementation, now that their organization’s journey is underway.

We have three recommendations for federal agencies ready to move beyond the getting-started phase and toward full implementation with Zero Trust. These suggested next steps are based on our experience to date, helping agencies and departments in the federal government, as well as our own company, evolve into Zero Trust enterprises:

1. Make the Move to ZTNA 2.0 for Secure Remote Access

Many federal agencies are finding their initial on-ramp to Zero Trust by implementing Zero Trust Network Access (ZTNA) for their remote and hybrid teams. ZTNA is a category of technologies that provides secure remote access to applications and services based on defined access control policies, and it offers a much better user experience than a virtual private network (VPN).

However, as explained in a previous blog post, ZTNA is only one component of Zero Trust. And, while first-generation ZTNA solutions have helped agencies to modernize their access infrastructure, they have serious limitations. The key issue is that once a user passes the initial authentication hurdle of a first-gen ZTNA solution, they are essentially free to roam anywhere inside the organization’s network: the access decision is made once, at connect time, rather than for each application the user reaches for.

ZTNA’s shortcomings inspired Palo Alto Networks to pioneer ZTNA 2.0. This next-generation ZTNA solution addresses the deficiencies of traditional ZTNA approaches by connecting all users and apps with fine-grained access controls and providing behavior-based continuous trust verification after users connect. ZTNA 2.0 helps reduce the attack surface significantly while making the transition to a broader Zero Trust architecture easier.
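
To make the contrast concrete, here is a small Python illustration, added to this post and not code from Palo Alto Networks or any product. It models the two access patterns the paragraphs above describe: a broker that authenticates once and then lets the session reach any internal destination, beside a broker that checks every request against a per-application policy and re-evaluates trust as behavioral signals arrive. The users, hostnames, policies, trust scores and signals are all constructed for the example.

```python
"""Added illustration (not Palo Alto Networks code): two remote-access brokers.

FirstGenBroker models the page's description of first-generation ZTNA:
one authentication, then any internal destination is reachable.
ContinuousBroker models per-application policy with trust re-evaluated on
every request and degraded by behavioral signals. Users, apps, policies and
signals are all constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    groups: frozenset
    device_compliant: bool
    authenticated_at: float          # epoch seconds
    trust_score: int = 100           # degraded by behavioral signals


class FirstGenBroker:
    """Authenticate once; afterwards every destination on the network is allowed."""

    def __init__(self, sessions):
        self.sessions = dict(sessions)

    def allow(self, session_id, host, port, now):
        return session_id in self.sessions   # host and port are never consulted


# Constructed per-application policy; anything not listed is denied.
APP_POLICY = {
    ("git.internal", 443):       {"groups": {"eng"},       "min_trust": 50, "compliant_device": True},
    ("hr-portal.internal", 443): {"groups": {"hr"},        "min_trust": 70, "compliant_device": True},
    ("wiki.internal", 443):      {"groups": {"eng", "hr"}, "min_trust": 30, "compliant_device": False},
}

# Constructed behavioral signals and how much trust each one removes.
SIGNAL_PENALTY = {"impossible_travel": 60, "destination_burst": 30}


class ContinuousBroker:
    """Evaluate every request against the target app's policy and current trust."""

    def __init__(self, sessions, max_session_age=3600):
        self.sessions = dict(sessions)
        self.max_session_age = max_session_age

    def report_signal(self, session_id, signal):
        s = self.sessions[session_id]
        if signal == "device_noncompliant":
            s.device_compliant = False
        else:
            s.trust_score -= SIGNAL_PENALTY[signal]

    def allow(self, session_id, host, port, now):
        s = self.sessions.get(session_id)
        if s is None:
            return False, "no session"
        if now - s.authenticated_at > self.max_session_age:
            return False, "session expired, re-authenticate"
        policy = APP_POLICY.get((host, port))
        if policy is None:
            return False, "no policy for destination (default deny)"
        if not s.groups & policy["groups"]:
            return False, "user not in an authorized group"
        if policy["compliant_device"] and not s.device_compliant:
            return False, "device out of compliance"
        if s.trust_score < policy["min_trust"]:
            return False, f"trust {s.trust_score} below required {policy['min_trust']}"
        return True, "allowed"


def demo():
    """Same user, same requests, under both models; returns a dict of decisions."""
    t0 = 1_700_000_000

    def alice():
        return Session("alice", frozenset({"eng"}), True, t0)

    first = FirstGenBroker({"s1": alice()})
    cont = ContinuousBroker({"s1": alice()})
    out = {}
    # First-gen: the engineer can reach HR and an unlisted database host.
    out["firstgen_hr"] = first.allow("s1", "hr-portal.internal", 443, t0 + 10)
    out["firstgen_db"] = first.allow("s1", "db01.internal", 5432, t0 + 10)
    # Continuous: only git is in policy for the eng group; unknown hosts are denied.
    out["zt_git"] = cont.allow("s1", "git.internal", 443, t0 + 10)[0]
    out["zt_hr"] = cont.allow("s1", "hr-portal.internal", 443, t0 + 10)[0]
    out["zt_db"] = cont.allow("s1", "db01.internal", 5432, t0 + 10)[0]
    # A mid-session signal drops trust to 40: below git's threshold, not the wiki's.
    cont.report_signal("s1", "impossible_travel")
    out["zt_git_after_signal"] = cont.allow("s1", "git.internal", 443, t0 + 20)[0]
    out["zt_wiki_after_signal"] = cont.allow("s1", "wiki.internal", 443, t0 + 20)[0]
    # Session age is also checked on every request, independent of trust.
    out["zt_wiki_expired"] = cont.allow("s1", "wiki.internal", 443, t0 + 7200)[0]
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {decision}")
```

The point of the toy is the shape of the decision, not the numbers: the first-gen broker never looks at the destination, so an authenticated engineer can reach the HR portal or an unlisted database listener, while the per-request broker denies anything not in policy by default and withdraws access mid-session when trust falls. A real deployment would source the signals from the identity provider, endpoint posture and traffic analytics rather than a hand-rolled dictionary.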

ZTNA 2.0 also aligns well with federal government-related programs:

  • Thunderdome, which is intended to provide the U.S. Department of Defense with a more secure operating environment through the adoption of a Zero Trust model.
  • The Cybersecurity and Infrastructure Security Agency (CISA) Trusted Internet Connections (TIC) 3.0 guidance, which is designed to help agencies secure federal data, networks and boundaries.

Palo Alto Networks also recently announced that Prisma Access and our Cortex Data Lake are now fully compatible with CISA's Cloud Log Aggregation Warehouse – aka CLAW. That means departments and agencies using Cortex Data Lake can participate in EINSTEIN by sending logs and telemetry securely to CLAW.

2. Embrace an Ecosystem Approach to Zero Trust

There’s a lot of buzz in the marketplace from vendors promising that they’re a one-stop shop for all things Zero Trust. But, the reality is that no one company can do it all. By embracing an ecosystem approach, agencies can work with Palo Alto Networks to get what they need to enable Zero Trust through integrations with technology partners. For example, we do not offer an identity and access management (IAM) product, even though IAM is a critical component of a comprehensive Zero Trust strategy. Instead, we integrate with leading IAM providers that hold the required federal compliance and certifications.

Our Cloud Identity Engine is also designed to work with leading identity providers to help organizations easily authenticate and authorize their users across enterprise networks, clouds and applications, irrespective of where their identity stores live.

3. Leverage Automation to Manage Zero Trust Effectively

Working with a tightly knit ecosystem of partners to enable a Zero Trust strategy can also help you to consolidate your agency’s security tech stack significantly. But, you’ll still need a way to unify analytics and responses. A platform and automation approach is the answer.

At Palo Alto Networks, we’ve used our own Zero Trust journey as an opportunity to consolidate tools and automate security. Our CISO, Niall Browne, wrote about our experience earlier this year. He explained that using Palo Alto Networks Cortex XDR and our Cortex XSOAR platform dramatically reduces the number of daily security alerts that our security operations center (SOC) team needs to handle – from 17 billion events to 467 alerts, to just 67 incidents requiring analysis on average. XSOAR automatically remediates 58 of those 67 incidents, while the remaining nine are enriched with additional data and then triaged by SOC analysts. Again, that’s 17 billion down to just nine.

Browne says, “We couldn’t secure our own company effectively and move toward a true Zero Trust architecture without a comprehensive security orchestration, automation and response (SOAR) platform. Federal agencies that are much larger and more complex than our company will need to do the same for their organization to be able to manage security operations effectively. There is no other choice but to transform the SOC through automation.”

While the benefits of SOAR are clear, SOAR is still commonly viewed as a “nice to have,” even though a shift to SOAR is a vital step toward agencies meeting the mandate for Zero Trust. The Biden administration’s Executive Order on Improving the Nation’s Cybersecurity clearly states, “Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment.” Additionally, the Defense Information Systems Agency (DISA) Zero Trust Reference Architecture, as well as the Department of Homeland Security CISA Zero Trust Maturity Model, have detailed requirements specifically for SOAR.

Ready to Take the Next Steps Toward Implementing Zero Trust?

The recommendations outlined above can help federal agencies and departments advance their Zero Trust journey. No matter how far your organization has progressed with Zero Trust, our Professional Services team can help you meet your goals, including simplifying operations through automation and improving processes.

To find out where you are on the road to Zero Trust, complete this short assessment for a personalized report. Or, contact our federal team to request a meeting.