Operationalizing zero trust: Three immediate opportunities for federal agencies

Zero trust is driving the security conversation today across both the public and private sectors. Within government, it’s a top priority as evidenced by the directives, mandates and policies that have been issued by the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, the National Security Agency, the Office of Management and Budget, and other government agencies. The push to adopt zero trust security principles is critical. Government agencies must “trust no one and verify always” and employ this as the default operating model to defend against threat actors who are continuously after government networks. However, achieving higher levels of maturity with zero trust can be challenging, especially as agencies face the realities of technical debt, limited resources, integration and operational challenges. Furthermore, there are barriers to accessing private sector innovation and it’s proven difficult to know which technologies to prioritize in the first place. Nonetheless, there are significant opportunities for government agencies to fast-track operationalizing zero trust by following three key principles. 

Consolidate security tools for operational efficiencies

The tectonic shift to remote and hybrid work that dissolved the traditional security perimeter has led to innovation in the industry and a reevaluation of agencies’ IT infrastructure and operations. For example, new paradigms for remote access and remote work, enabled by highly scalable, distributed cloud technologies (e.g. modern identity management-as-a-service platforms, zero trust network access, etc.) has paved the way for agencies to decommission legacy on-premises infrastructure at a faster pace. These new platforms that enable operational efficiencies also introduced security risks and challenges that must be accounted for.  

These new innovations accelerate adoption of a zero trust security model. Agencies can pursue consolidation to achieve cost efficiencies through reduction of IT spend and to improve overall cybersecurity risk posture. Security consolidation is an effective way to start operationalizing zero trust in any organization. 

First, agencies must perform an assessment of the current state of cybersecurity tools. This tools rationalization effort provides agencies with a baseline of cybersecurity capabilities and gaps.  

Identify critical services and high value assets that are essential for the agencies to protect and use this information to define the protected surface area. These security boundaries inform the security controls. Identify the tools that are integral to providing security services to protect these assets. Use security frameworks such as NIST’s cybersecurity framework to evaluate and mitigate cybersecurity risks.  

As tools reach their end of usefulness or as new, innovative solutions become available, evaluate these opportunities with an eye towards security consolidation. It’s not uncommon for agencies to underutilize existing tools. To close security gaps, agencies deploy additional tools into the environment – not fully aware of the functional capabilities of their existing tools – which leads to inefficiencies and operational complexity. Technology vendors that provide security platforms often provide additional functionality above and beyond the typical functions that agencies use the tool for. 

A comprehensive assessment of the IT environment and security solutions is essential. Trusted partners that understand the ecosystem of cybersecurity tools, the full breadth of capabilities, and how each tool can reach optimal maturity in zero trust can help agencies in this initial stage of operationalizing zero trust. Partners that have engineering expertise to test and validate the integrations among security tools are especially valuable. Through this assessment, teams will be able to identify key inefficiencies, and by consolidating, they’ll be able to stretch their resources much further while simultaneously achieving better security outcomes.  

Use cloud and platform technologies as a strategic enabler

Technology vendors that provide security platforms often provide additional functionality above and beyond the typical functions that agencies use the tool for. As we see a shift towards “platforms” resulting from cloud services and vendor consolidation, we see an opportunity for agencies to use this macro trend as a strategic enabler to accelerate modernization and zero trust objectives. As enterprise strategy is driving more agencies to shift more workloads to the cloud and consume more cloud-native services, aligning zero trust initiatives to this strategy can result in operational and technology efficiencies. Operationally, this improves cyber defenses and overall risk posture. 

As agencies consider technologies, technical architectures and design patterns that enable zero trust security, it is critical to approach this with interoperability in mind. A good example of a consolidated cloud platform that enables secure access is secure access service edge (SASE) technology. With distributed point of presence, SASE providers can measure end user experience to ensure that the optimal network routes are used in order to avoid network latency which can result in poor user experience. Furthermore, SASE improves agencies’ network and cloud security posture. Network security, threat protection, posture management and data protection are just a few capabilities that modern SASE platforms deliver as a cloud service, helping agencies meet modernization and cloud migration objectives. 

Design with zero trust security and interoperability in mind

CISA, NSA and the Defense Department each have released their respective versions of zero trust security frameworks and maturity models. These documents provide a roadmap for agencies to follow, which makes prioritizing activities easier. For instance, in the CISA Zero Trust Maturity Model, by 2024 agencies are expected to implement phishing resistant multi-factor authentication (MFA) and utilize both identity and device signals as part of authentication. The DoD zero trust strategy provides similar guidance that extends through 2027. 

As agencies start with their zero trust implementations, it is important to approach design decisions – whether it’s focused on a particular zero trust pillar or a more horizontal capability that applies to all pillars – with both security and interoperability in mind. 

One of the benefits of cloud migration is that cloud service providers (CSP) follow generally accepted security best practices (e.g. the principle of least privileged access). As agencies shift workloads to the cloud, they benefit from the inherent security that CSPs offer natively. Cloud also offers more programmatic access to its services, thus making it easier to design interoperability and security. As agencies modernize applications using cloud-native services and modern design principles, agencies can take advantage of the benefits of cloud services. CISA and its partners offer extensive guidance on secure-by-design and secure-by-default principles, which are updated regularly. In its most recent whitepaper, CISA outlines a number of best practices and secure-by-default tactics including eliminating default passwords, mandating MFA, implementing single sign-on (SSO) and secure audit logging. These tactics and others described by CISA are critical for making design decisions that align with zero trust.  

Zero trust includes the ability to evolve

Zero trust is a fundamental principle underpinning all security decisions more than it is any specific set of technologies or products. Of course, the solutions an organization uses to establish a zero trust posture are very important, but as technologies evolve and the attack surface expands, organizations must be able to adapt. The federal government is often associated with an aircraft carrier because of the energy, effort and time it takes for it to change directions. And so, while it’s encouraging to see directives from OMB, CISA, and others, agencies will need to take the initiative to operationalize their zero trust programs efficiently and effectively. By engaging with partners that have deep knowledge of the government technology and innovation landscape, organizations can identify which solutions they can access and how, then develop or adjust their zero trust journey accordingly. 

Miguel Sian is senior vice president of technology at Merlin Cyber. 

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.