Ever since the Biden administration’s 2021 cybersecurity executive order, federal agencies have been on the clock to onboard zero trust architectures (ZTA) into their information technology environments.
The most recent deadline is two years away. Guidance issued by the Office of Management and Budget in January 2022 asks agencies to comply with the five pillars of the Cybersecurity and Infrastructure Security Agency’s zero trust model by September 2024.
While this request may seem daunting, ZTA deployment does not have to be an arduous migration of talent, technology and resources. Federal leaders can start with targeted approaches that tackle each aspect of zero trust, such as endpoint risk posture or internet access, to better mitigate evolving cyber threats and gain visibility and control over their networks.
There are several small steps agencies can take to lay the foundation for zero trust, most notably deploying solutions to monitor users and endpoints.
Security Service Edge (SSE), a framework that converges critical security capabilities, provides a blueprint of the types of cloud-delivered solutions required for zero trust. Each product addresses a piece of the puzzle to ensure sensitive data is protected while enabling productivity.
Securing endpoints and web usage
One component of SSE is mobile endpoint security. Agencies already maintain government-issued device inventories with management tools, but these products provide only passive capabilities to update. To provide access that doesn’t add risk and to detect and respond to modern threats, agencies need to continuously monitor the risk level of those endpoints, whether that risk comes from the device’s operating system, the apps installed or the network the device is connected to.
The adjacent capability an organization needs for zero trust is protection against web-based threats. This is where a secure web gateway (SWG) comes in, monitoring internet traffic to ensure malicious content doesn’t enter your networks. Many of these attacks now target mobile endpoints as users increasingly rely on these devices for both work and life.
While low-risk endpoints should be given access, that connection does not need to be network-wide. Their risk levels fluctuate constantly, which means access needs to be dynamic. By establishing controls to limit availability by user identity and device, enterprises can subdivide their network with a process called micro-segmentation.
Micro-segmenting means that, even when a device and user are cleared for access, their connection to apps and data will be restricted. So in the event of an insider threat, a compromised account or an accidental risky action, the damage is limited.
SSE technologies leverage context-based telemetry such as user authentication, device, location, time of day and the requesting device’s risk posture. With this visibility, agencies can build policies that are enforced dynamically based on those factors.
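The following Python example is added here for illustration and is not taken from the article's author or from any SSE product. It evaluates the signals named above (user authentication, device, location, time of day and device risk posture) per app rather than per network, and re-evaluates access when the risk posture changes. The app names, groups, risk labels and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import time

RISK = {"low": 0, "medium": 1, "high": 2}

# Constructed micro-segments: one policy per app, not one per network.
SEGMENTS = {
    "hr-portal": {"groups": {"hr"}, "max_risk": "low",
                  "locations": {"US"}, "hours": (time(6), time(20))},
    "wiki": {"groups": {"hr", "eng"}, "max_risk": "medium",
             "locations": {"US", "CA"}, "hours": (time(0), time(23, 59))},
}

@dataclass(frozen=True)
class Context:
    group: str            # derived from user identity
    authenticated: bool   # user authentication result
    device_managed: bool  # device is in the agency inventory
    device_risk: str      # current risk posture: low / medium / high
    location: str
    local_time: time

def decide(ctx, app):
    """Evaluate one request against one segment; anything unmatched is denied."""
    seg = SEGMENTS.get(app)
    if seg is None:
        return False, "unknown app"
    if not ctx.authenticated:
        return False, "user not authenticated"
    if not ctx.device_managed:
        return False, "device not managed"
    if ctx.group not in seg["groups"]:
        return False, "user outside segment"
    # Unknown risk labels are treated as worse than "high".
    if RISK.get(ctx.device_risk, 99) > RISK[seg["max_risk"]]:
        return False, "device risk too high"
    if ctx.location not in seg["locations"]:
        return False, "location not permitted"
    start, end = seg["hours"]
    if not start <= ctx.local_time <= end:
        return False, "outside permitted hours"
    return True, "allowed"

def reachable(ctx):
    """Apps this user and device can reach right now."""
    return sorted(app for app in SEGMENTS if decide(ctx, app)[0])

def after_risk_change(ctx, new_risk):
    """Re-evaluate access when the endpoint's risk posture changes."""
    return reachable(replace(ctx, device_risk=new_risk))

# Constructed sample request context.
SAMPLE = Context("hr", True, True, "low", "US", time(9, 30))
```

With the constructed sample, the same authenticated user loses the HR portal as soon as the device's risk rises to medium, while keeping the lower-sensitivity wiki.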
Protecting data no matter where it resides
To keep data secure while enabling telework, agencies need the ability to secure activity in all apps, whether they’re in the cloud or on premises. SSE technologies like SWG, cloud access security broker (CASB) and zero trust network access (ZTNA) serve as a security guard between users and what they need to access, by monitoring for malware and for user and endpoint risk postures, logging user actions, enforcing security controls and more.
SSE becomes especially relevant as more agencies pursue multi-cloud environments. With IT environments varying based on technology and resources, agency leaders will have to assess their systems to determine which zero trust tools best fit their operations. Regardless, leaders need to ensure that the security platform they use considers the risk levels of users and their endpoints, and what types of data they need access to.
In addition to visibility and control, cybersecurity has been challenged by complexity as cloud apps and telework became the norm. To ensure your data is secure without adding extra operational burden, it’s critical that agencies look for SSE solutions that have a single policy engine.
Not only does a unified platform streamline operations for your security administrators, it makes secure access more efficient, so that workers can seamlessly connect to what they need, whether it’s in the cloud, inside data centers or on the internet.
By converging security capabilities, SSE protects data without hindering productivity — exactly what ZTA sets out to do. 2024 is closer than it seems. I recommend agencies explore the different components of SSE and find a platform that can protect data no matter where their users reside.