It’s been almost two years since President Joe Biden launched the federal government’s transition to a more modern and robust cybersecurity posture. His May 2021 executive order — Improving the Nation’s Cybersecurity — calls on agencies to pivot from conventional, perimeter-based cyber defense architectures to a more holistic, multi-layered, dynamic approach known as a zero trust architecture (ZTA).
Although almost two years have passed since Biden’s order, the government’s transition to ZTA remains in its nascent stages. Most agencies are still gathering needed data, consulting with experts, surveying various implementation models and deciding what’s right for them, including whether it even makes sense to adopt an enterprise approach to ZTA.
That’s because there are no quick pathways, no out-of-the-box solutions that deliver zero trust. Zero trust is a security framework that treats all networks and traffic as potential threats and requires all users, both inside and outside the organization’s network, to be authenticated, authorized and continuously validated as harmless before being given access to applications and data. Zero trust assumes there is no traditional network edge — networks can be local, in the cloud or a hybrid of both with resources and end users potentially in any location.
Rather than a particular solution or collection of technologies, zero trust is typically defined as a set of principles or desired outcomes. And while there is considerable variance in terms of how different guiding documents address ZTA, it’s important to understand that they share many common themes and ideas. One of these common themes is the imperative for agencies to develop extensive visibility into their IT estates.
It’s important to note that ZTA implementations will look vastly different from one agency to the next, depending on each agency’s size, mission set, IT landscape, information flows, organizational culture and numerous other factors — something I learned firsthand while I was in government conducting zero trust pilots at my own department.
So how should agency leaders proceed on their ZTA journeys? I suggest five steps:
1) First, form a team of people with the right mix of qualifications tasked with conceptualizing and building the implementation plan. The qualifications needed will vary with each agency and its particular set of circumstances.
2) Then, get your house in order. This means understanding your agency’s workflows, data and application services well. This is easier said than done because, in many cases, people don’t have the right tools for delivering the degree of visibility they will need. Also, do your research. Learn how other agencies or organizations with similar missions, IT architectures and information flows have approached ZTA and learn from their successes and failures.
3) Choose your technology. As the Office of Management and Budget’s federal ZTA strategy puts it, “a necessary foundation for any enterprisewide zero trust architecture is a complete understanding of the devices, users and systems interacting within an organization. For most enterprises, creating and maintaining a complete inventory over time requires tools that can support the dynamic discovery and cataloging of assets.” I suggest considering technologies that can:
Deliver thorough, accurate visibility into all devices, networks, applications, workloads and clouds.
Contribute toward developing a real-time situational awareness and understanding of everything on the network, whether that network is based in an agency data center, a cloud or across multiple clouds. This situational awareness should be continuously monitored and include knowing what the network is doing at all times, how its IT assets are configured, and what the vulnerabilities across that network are and where they sit. This takes on added importance in today’s post-COVID era when federal workforces are operating more remotely and often relying on their own devices and networks as they work.
Validate and enrich IT inventories with comprehensive, up-to-date information on those IT assets so the situational awareness of an agency’s cyber attack surface is complete, current, trusted and actionable.
4) Launch something. Find a good proving ground within your agency to begin your efforts. Set goals and objectives and measure performance carefully along the way to develop baselines, set realistic objectives and identify areas needing more attention.
5) Finally, with lessons learned in hand, take your ZTA to new levels by adapting it to new use cases and larger-scale implementations, making needed adjustments along the way.
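The visibility work in step 3, and in particular the OMB strategy’s point that a complete inventory has to be validated against what discovery actually observes, is easier to see in code than in prose. The following is an added example, not material from the article or from any agency tool: it reconciles a constructed CMDB (what the agency believes it has) against constructed discovery results (what a scanner, endpoint agent or cloud inventory API reported), and produces the three things a zero trust team needs from that comparison: assets nobody has recorded, recorded assets nobody can observe, and recorded assets whose observed state has drifted from the record. All hostnames, IP addresses, owners and timestamps are made up for the illustration.

```python
"""Reconcile an asset inventory (CMDB) against dynamically discovered assets.

Added example for illustration; every record below is constructed. In a
real deployment the DISCOVERED list would be fed by a network scanner,
an endpoint agent or a cloud provider's inventory API.
"""
from datetime import datetime, timedelta, timezone

# Constructed CMDB records: what the agency believes it owns.
CMDB = [
    {"hostname": "web-01", "ip": "10.0.1.10", "owner": "app-team", "os": "Ubuntu 20.04"},
    {"hostname": "db-01", "ip": "10.0.2.20", "owner": "data-team", "os": "RHEL 8"},
    {"hostname": "legacy-fs", "ip": "10.0.3.30", "owner": "unknown", "os": "Windows Server 2012"},
]

# Constructed discovery results: what was actually observed.
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)
DISCOVERED = [
    {"ip": "10.0.1.10", "os": "Ubuntu 22.04", "last_seen": NOW, "source": "scanner"},
    {"ip": "10.0.2.20", "os": "RHEL 8", "last_seen": NOW - timedelta(days=2), "source": "agent"},
    {"ip": "10.0.4.40", "os": "macOS 13", "last_seen": NOW, "source": "cloud-api"},  # no CMDB record
]

# An asset not observed for longer than this is treated as stale (assumed policy value).
STALE_AFTER = timedelta(days=30)


def reconcile(cmdb, discovered, now=NOW, stale_after=STALE_AFTER):
    """Compare inventory with observations and return a reconciliation report."""
    seen = {d["ip"]: d for d in discovered}
    known = {c["ip"] for c in cmdb}

    # Discovered but never recorded: the classic shadow-IT / unmanaged-device gap.
    unknown = [d for d in discovered if d["ip"] not in known]

    enriched, stale = [], []
    for rec in cmdb:
        row = dict(rec)
        obs = seen.get(rec["ip"])
        if obs is None:
            # Recorded but not observed: decommissioned, offline, or mis-recorded.
            row["status"] = "not-observed"
            stale.append(rec["hostname"])
        else:
            # Enrich the record with observed facts and flag configuration drift.
            row["last_seen"] = obs["last_seen"].isoformat()
            row["observed_os"] = obs["os"]
            row["source"] = obs["source"]
            row["os_drift"] = obs["os"] != rec["os"]
            if now - obs["last_seen"] > stale_after:
                row["status"] = "stale"
                stale.append(rec["hostname"])
            else:
                row["status"] = "active"
        enriched.append(row)

    # Share of recorded assets that discovery could actually confirm.
    coverage = len(known & seen.keys()) / len(known) if known else 1.0
    return {"unknown": unknown, "stale": stale, "enriched": enriched, "coverage": coverage}


def findings(report):
    """Turn the report into actionable, human-readable items for the ZTA team."""
    items = []
    for d in report["unknown"]:
        items.append(f"unmanaged asset {d['ip']} ({d['os']}) seen by {d['source']}; no CMDB record")
    for row in report["enriched"]:
        if row["status"] == "not-observed":
            items.append(f"{row['hostname']}: in CMDB but not observed; verify or decommission")
        elif row.get("os_drift"):
            items.append(f"{row['hostname']}: CMDB says {row['os']}, observed {row['observed_os']}")
        if row["owner"] == "unknown":
            items.append(f"{row['hostname']}: no owner assigned")
    return items


if __name__ == "__main__":
    rep = reconcile(CMDB, DISCOVERED)
    print(f"inventory coverage: {rep['coverage']:.0%}")
    for line in findings(rep):
        print(" -", line)
```

The coverage figure is the number a program office can track over time (step 4’s baseline), while the findings list is what an operator acts on; neither is available from the CMDB alone, which is the article’s point about visibility tooling.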
Every federal agency will forge its own unique path to zero trust. But there are a few important common elements of zero trust that every agency will need to start with. One of the most foundational of those is the need to gain complete visibility across an agency’s IT estate. Because, after all, you can’t defend against what you can’t see.