Insights by Appgate

Zero trust is both a journey and an end state

 

Zero trust requires that organizations have a strong identity system, and a clear picture of the types of resources that users need to access.

 

From a throughput and performance perspective, a zero trust system should absolutely provide better user experience than the virtual private network.

Zero trust is the cybersecurity goal federal agencies have for their networks and data. It’s a policy requirement, and it’s an industry best practice. But zero trust is not something you buy, download and install.

Rather, it’s the result of a set of policies and practices undergirded by some enabling technologies.

“Zero trust is really a security philosophy and approach that’s built on a few core principles,” said Jason Garbis, the chief product officer for Appgate.

“Number one, ensuring that all access for all users is secured and managed and driven by a set of dynamic and context sensitive access policies,” he added.

To achieve a state of zero trust, Garbis said, you also need a strong identity system, and a thorough inventory of applications, data and any other assets to which users may need access.

Getting to zero trust requires a strong architectural approach and careful integration of zero trust components with an agency’s existing IT infrastructure. This is where standards like LDAP, SAML and OpenID Connect come into play, Garbis said.

All networked systems have a repository – whether on premises or in the cloud – of users and their permissions. Typically this is a database like Active Directory. The zero trust approach builds on this capability. For example, an agency might want to take a more fine-grained approach to who can access what, even within a given function like procurement for finance.

“That’s one of the reasons that we often talk about a zero trust journey,” Garbis said. “Organizations, as they get these capabilities in place, want and need to start to enforce finer and finer grain policy.”

A properly tuned zero trust system also aids an agency’s operations and the network monitoring that is so crucial to detecting and mitigating anomalies that indicate a threat.

“Security and network operation centers have is signal to noise ratio,” Garbis said. “A lot of what zero trust does is, by enforcing the principle of least privilege and restricting users’ network access to the absolute minimum, it makes it so that there’s very little noise on the network.” Therefore “if active, unexpected activity or attempted unexpected activity happens, that’s a pretty clear signal that something malicious has happened, and it should be investigated.”

Garbis gives the federal government high marks for how it has responded to the Executive Order on Cybersecurity on a couple of fronts. One is the development of federal standards and reference architectures on both the Defense and civilian sides. Another is taking users into account, lest highly sensitive security setups drive users crazy.

To users, Garbis said, zero trust is “ideally transparent … The experience should be I turn on my device. I probably authenticate to something. And then I just do my work.”

Featured speakers

  • Jason Garbis, Chief Product Officer, Appgate

  • Tom Temin, Host, The Federal Drive, Federal News Network