By Lisa Lorenzin, Director of Emerging Technology Solutions, Zscaler
As federal agencies deploy mobile-friendly, cloud-based infrastructures, cyber threats are also evolving to prey on vulnerabilities in these new environments. Agencies need to take a proactive approach to stay a step ahead and keep data safe, regardless of location and device.
To combat these threats and take advantage of the TIC 3.0 guidance, federal IT leaders are turning to zero trust security models. The concept evolved in the private sector; federal agencies have been slower to explore zero trust models due to a combination of factors, such as perceived liability, resistance to change, regulatory and certification requirements, data classification, and the need to work across multiple functional areas.
When choosing a zero trust solution, agencies need to balance access/productivity/performance and security concerns—at the same time, they need to future-proof their environments. The question is, “Can zero trust solve today’s and tomorrow’s challenges while meeting federal security guidelines?”
Defining Zero Trust
Zero trust is a bit of a misnomer. The true goal is actually to establish and maintain trust, so we can enable users to access the resources they need to support their missions. We start off by not implicitly trusting anyone, then figure out who we can trust, how we know we can trust them, and what we trust them to access.
The initial intent of zero trust was to help control on-premises user access to internal applications. Today, the same concept applies to users accessing private applications in externally hosted environments. Federal IT leaders should think of zero trust as "context-based trust." It is not a matter of whether the user is on or off the network, or whether the application is internal or external, but whether this user, on this device, is authorized to access this application.
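To make "context-based trust" concrete, the following is an added example (not Zscaler's code or anything from the ACT-IAC paper) of a toy policy decision point. It places a perimeter-style check, where being on the agency network is the only credential, next to a context-based check that ignores network location and decides on identity strength, device posture and per-application entitlement. The field names, group names, application names and sample requests are all assumptions constructed for the example; in a real deployment those signals would come from the identity provider, the endpoint manager (or CDM feeds) and the application catalog.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """One attempt by a user on a device to reach a private application.

    Field names are assumptions for this example; a real policy engine would
    take these signals from the identity provider, endpoint manager and
    application catalog.
    """
    user: str
    groups: frozenset          # groups asserted by the identity provider
    mfa_verified: bool         # strong authentication completed this session
    device_managed: bool       # device enrolled in endpoint management
    device_compliant: bool     # current posture check (patched, EDR running, ...)
    source_network: str        # "corp" or "internet": where the request came from
    app: str                   # the private application being requested


# Constructed, hypothetical entitlement catalog: which groups may use which app.
APP_ENTITLEMENTS = {
    "payroll": frozenset({"hr-staff"}),
    "gis-portal": frozenset({"gis-analysts"}),
}


def perimeter_decision(req: AccessRequest) -> bool:
    """Network-location trust: on the agency network means allowed.

    Shown only as the model zero trust replaces; nothing about the user,
    device or application is consulted.
    """
    return req.source_network == "corp"


def context_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Context-based trust: who is asking, from what device, for which app.

    Returns (allowed, reasons). The source network is deliberately not an
    input: a request from the office and one from a hotel are judged by the
    same evidence, and a user is granted the specific app they are entitled
    to, never the network behind it.
    """
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not strongly verified (MFA)")
    if not (req.device_managed and req.device_compliant):
        reasons.append("device unmanaged or out of compliance")
    entitled = APP_ENTITLEMENTS.get(req.app, frozenset())
    if not (req.groups & entitled):
        reasons.append(f"user not entitled to application {req.app!r}")
    return (not reasons, reasons)


# Constructed sample requests chosen so the two models disagree.
SAMPLE_REQUESTS = {
    # Unmanaged laptop plugged into a conference-room port, no entitlement.
    "on-network, unmanaged, no entitlement": AccessRequest(
        user="contractor", groups=frozenset({"visitors"}), mfa_verified=False,
        device_managed=False, device_compliant=False,
        source_network="corp", app="payroll"),
    # HR employee teleworking on a managed, compliant laptop after MFA.
    "remote, compliant, entitled": AccessRequest(
        user="hr.analyst", groups=frozenset({"hr-staff"}), mfa_verified=True,
        device_managed=True, device_compliant=True,
        source_network="internet", app="payroll"),
    # Same HR employee asking for an app outside their entitlements.
    "remote, compliant, wrong app": AccessRequest(
        user="hr.analyst", groups=frozenset({"hr-staff"}), mfa_verified=True,
        device_managed=True, device_compliant=True,
        source_network="internet", app="gis-portal"),
}


def compare_models() -> dict[str, dict[str, object]]:
    """Evaluate every sample request under both models and collect the verdicts."""
    out = {}
    for label, req in SAMPLE_REQUESTS.items():
        allowed, reasons = context_decision(req)
        out[label] = {
            "perimeter": perimeter_decision(req),
            "context": allowed,
            "reasons": reasons,
        }
    return out


if __name__ == "__main__":
    for label, result in compare_models().items():
        print(f"{label}: perimeter={result['perimeter']} context={result['context']}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

The first sample is the case the perimeter model gets wrong (on-network, so allowed, despite no MFA, no device posture and no entitlement); the second is the case it gets wrong in the other direction (a legitimate teleworker denied simply for being off-network). The third shows that context-based trust is per application, not per user: the same compliant, authenticated HR user is still refused an app they are not entitled to.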
Federal IT leaders will need to ask themselves several questions when considering zero trust adoption: “What will this solution look like? How do we scale it? How do we get access to resources through it? How do we get the visibility we need? How do I meet the Trusted Internet Connection (TIC) mandate if the solution is cloud-based? Is my provider FedRAMP authorized?”
A Phased Approach
As agencies develop zero trust solutions, they need to consider how to integrate them with their current architecture and security controls. Agencies need solutions that provide seamless access for the user and full visibility and control for the backend administrators, regardless of the device or the user’s location.
Many federal agencies already have elements of zero trust in their infrastructure, so adoption should not require significant new technology acquisitions. Endpoint management, Continuous Diagnostics and Mitigation (CDM), software-defined networking, micro-segmentation, and cloud monitoring are components of zero trust that may already be in place.
Federal IT leaders should take a phased approach to simplify solutions into relevant use cases that advance mission goals. To support this approach, they should make two initial determinations. First, identify the most significant pain points or areas of vulnerability. Second, choose one of those challenges and identify an affected user community as well as the resources they need to access.
"You have to understand the importance of your data and how you access it," said Jeffrey Flick, Acting Director, Enterprise Network Program Office, National Oceanic and Atmospheric Administration, at an ACT-IAC zero trust panel in May 2019. "This goes back to your mission, and everybody has different kinds of missions, so zero-trust implementations will need to be very scalable."
Once both are specifically identified and tightly scoped, agencies can run a pilot. Agencies don’t have to buy a set of appliances, rack and stack them, load-balance and protect them, and so on—instead they can sign up for an initial subscription in a cloud-based, scalable solution. If successful, agencies will have a better understanding of the potential benefits of expanding deployment across the organization. Zero trust adoption should be a journey focusing on short-term accomplishments toward long-term goals.
One fundamental truth across public and private sectors is that people fear change, and implementing zero trust requires a "whole-of-agency" effort. Since zero trust solutions are new to government, implementations shouldn't be strictly driven by IT; they should be a mission-driven effort.
Zero trust by its nature affects program security, risk, and performance. To assess the risk of adopting zero trust technologies, agencies should consult an internal expert with enough technical background and policy awareness to evaluate possible solutions and understand the potential benefits of zero trust technologies. Through collaboration, program and IT leaders can design and implement zero trust together to ensure success and compliance with policies such as FedRAMP, TIC, and FISMA.
One key question to consider before adopting zero trust is who to choose as your partners. Industry partners need to understand an agency's unique needs and risk profile; there is no one-size-fits-all solution.
The federal government is better positioned now than ever to adopt zero trust. And implementing zero trust has many benefits beyond improved cybersecurity, including a seamless user experience, better performance, lower cost, and consistent control and visibility regardless of user and application location.
To learn more, read the ACT-IAC Zero Trust White Paper. It provides key concepts, recommended steps, information on required federal certifications, and lessons learned working within federal environments, as well as details on pilot programs—putting you on the path to successful implementation.
About the Author
Lisa Lorenzin is Director of Emerging Technology Solutions for the Americas at Zscaler, specializing in secure access to private applications and a contributor to open standards for endpoint integrity and security automation from the Trusted Computing Group (TCG) and Internet Engineering Task Force (IETF). She’s worked in a variety of Internet-related roles since 1994, with over 20 years of focus on network and information security, and is currently concentrating on zero trust networks, software-defined perimeter solutions, and seamless user experience across cloud and mobile environments. Lisa can be reached via email at firstname.lastname@example.org or on LinkedIn at https://www.linkedin.com/in/lisalorenzin. You can read other articles by Lisa on the Zscaler website: https://www.zscaler.com/.