This zero trust starter guide, explained by Public Sector Solution Executive Wes Withrow, can help you identify what’s done, what’s not and how to develop a...
One of the best moments in the early stages of working on a zero trust framework with agencies is when the organization realizes that it likely has untapped security capabilities it can use to eliminate implicit trust and require verification before allowing a digital interaction to continue.
In fact, “I have not run into an agency that has not been in that situation,” says Wes Withrow, Public Sector Solution Executive at Verizon.
He recalled doing a Zero Trust Architecture (ZTA) assessment for a federal agency, not long after the Office of Management and Budget (OMB) released its Zero Trust Strategy in 2021. At the outset of the assessment, the agency acknowledged they were in the early stages of adopting zero trust while trying to comply with the latest Trusted Internet Connections 3.0 (TIC 3.0) guidance.
“When we went into the agency to complete the assessment, they thought they were going to be overwhelmed with gaps,” Withrow said. “By the time we were done, they were like, ‘Well, we’re actually not in terrible shape.’ ”
Although there are generally improvements that are needed, moving to zero trust is not about starting over, he said.
“Zero Trust is a vision that guides your strategy and execution, not a product that you buy off-the-shelf. There’s not a single product that completely addresses all of zero trust,” Withrow said. “You’re stitching together multiple solutions, stakeholders, and partners to develop a Zero Trust Architecture (ZTA).” From a strategy perspective, developing a Zero Trust Architecture (ZTA) is really just the playbook to help an agency move from vision to execution, he said.
Withrow offered a five-step approach that Verizon recommends to help agencies as they make their first forays into developing that playbook.
The first step, which is the most critical, is to map out the agency’s current mode of operation (CMO) to a Zero Trust Architecture Capability Model he said. Verizon has developed a ZTA Capability Model that maps forty-eight (48) core capabilities under eight (8) pillars; a model derived from industry feedback and the capability models and reference architectures released by the Cybersecurity and Infrastructure Security Agency (CISA), Department of Defense (DOD), National Institute of Standards and Technology (NIST), and Office of Management and Budget (OMB).
Source: Verizon
Withrow suggests not overanalyzing when conducting the mapping exercise. He recommended identifying a cross-discipline team of no more than five to seven people and giving them one hour to color code the core capabilities green (met), yellow (partially met) and red (not met). “You can spend days or years, right? Just do it in one hour to get the ideas and concepts in-flight,” he said.
Next, inventory the agency’s current cybersecurity solutions, processes, and infrastructure to determine if there are capabilities that have been purchased and not implemented or partially implemented.
“Almost every customer we’re working with has purchased solutions with capabilities that have not been fully implemented. In most cases, enabling these capabilities is the quickest and most effective way to make progress.” Withrow said.
What is sometimes found when performing assessments is that after Step 2, agencies typically can improve their coverage of the zero trust core capabilities by 10% or more.
As agencies modernize legacy technology will be phased out, typically resulting in the displacement of assets like hardware. Determining the financial impact of displacing assets requires additional stakeholders. At this phase, it’s time to bring in the finance team, Withrow said.
“When agencies modernize they are migrating to software-defined solutions instead of hardware-based platforms. Prior to the migration, agencies are identifying hardware assets that will be displaced,” he said. For example, when adopting Secure Access Service Edge (SASE) solutions, agencies will displace legacy hardware like web proxies, Virtual Private Network (VPN) concentrators, and some of their on-premise firewalls.
Once the displaced assets have been identified, an agency’s finance team can help determine value of those assets based on their depreciated value. The information from the finance team, coupled with the new zero trust capabilities from the new solution, can be used to support the business case.
When meeting with agencies about zero trust, Withrow said often times they want to immediately procure and implement a new technology, layering that technology on a pre-existing technology stack that can be displaced. But his recommendation is to complete the mapping of the current zero trust capabilities, perform an Analysis of Alternatives (AoA) of three (3) feasible solutions, and build the business case prior to procurement and implementation.
Using Secure Access Service Edge (SASE) as an example, Withrow recommends completing the mapping of the agency’s current capabilities to a zero trust capability model, and then provide that mapping to three (3) SASE solution providers to help identify if their solution can solve for the unmet zero trust needs of the agency. Agencies typically identify during the AoA that SASE solutions meet about 80% of the core capabilities in Verizon’s Zero Trust Architecture Capability Model.
“We’ll help you with the analyses,” he said. “We can perform the zero trust architecture assessment, develop your use cases, complete the Analysis of Alternatives (AoA), and then walk through with you what you need to understand about the solutions when evaluating them.”
The final step, which can be performed in parallel with Step 4, is completing a proof of concept (POC) that addresses the agency’s top five (5) use cases.
“Since most solutions are now cloud native, you can spin these up in the cloud environments and complete the POC quickly, oftentimes at no cost.” Withrow said. “If things go well, then you can just essentially flip the switch to take it from the POC environment into a production environment. That way, you’re able to reduce or eliminate the cost and complexity typically required during the implementation period as well.”
With these five steps, an agency can develop its playbook and actively begin moving to implementation, he said.
“If there was anything to take away from what we’ve learned, it’s that agencies are further along than they realize, and that agencies understand they’re in the early stages of adopting zero trust.,” Withrow said. “You can build a zero trust architecture, but the actual implementation of a zero trust strategy and applying that as your security model, that’s never-ending. It doesn’t have an endpoint.”
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.