Insight by Akamai

Zero trust pushes agencies away from an outdated approach to cybersecurity

Federal Chief Information Officer Suzette Kent has mentioned several times over the last year that a new zero trust pilot will kick off sometime in the near future.

What it entails and how it will work is unclear. But the growth of this concept of creating a network that trusts no one and requires every user to be authenticated is real.

The idea of zero trust networks dates back to concepts first detailed when public key infrastructures (PKI), common access cards (CACs) and personal identity verification (PIV) cards came into the federal market almost 20 years ago.

The whole idea was to have one authoritative source of an employee’s identity that is connected to specific roles and responsibilities when it comes to applications and data.

Zero trust now means a lot more than just identity. It’s a way to move perimeter defenses out to the edge or to the person versus just to the network.

With the ever-growing list of devices connected to your agency’s network, the emergence of operational technology (OT), not just information technology (IT), as a cyber threat, and wide acceptance of cloud computing, enabling a zero trust network is not only possible, but absolutely necessary.

Randy Wood, vice president of U.S. public sector sales for Akamai, said zero trust is not a new idea, but one that is about five years old. It promotes the simple concept that trust is not an attribute of location, and just because an employee is trusted inside the perimeter, it doesn’t mean he or she should be granted access to all the information.

“We are operating under an outdated paradigm that the network and perimeter have traditionally defined the boundaries of security. But we know the way the government is working today in a cloud, hybrid and on-premise fashion, that model doesn’t work,” Wood said on the Innovation in Government show. “Zero trust is the idea of trusting no one, no device and no application. It also requires authenticating and authorizing absolutely everyone independent of where they are and what device they have.”

So with that in mind, Wood said agencies have to rethink how they architect systems and the importance of applications.

“Applications are the lifeblood of an organization so what comes to the surface in this new paradigm is authentication on an application-by-application basis, which is different than how we previously operated,” he said. “The first step is for agencies to admit that the way we have been doing cybersecurity is not the right way anymore. That will be a huge admission for anyone.”

Wood said it shouldn’t be too hard for any agency or organization to make that admission as threats continue to increase and breaches keep happening at an alarming rate.

He said that as agencies move to the cloud, adopting a zero trust architecture becomes easier because applications are not residing in a traditional data center. Wood said adding identity and access management tools is easier.

“Zero trust also tends to eliminate massive complex equipment that is required in an intensive security architecture,” Wood said. “And finally, the time to understand a breach is much less because the architecture can provide a lot more insights around tracking applications by user and what’s occurring throughout the entire security posture.”

Wood said for agencies who want to implement a zero trust framework, the first thing they should consider is getting a third-party assessment of their network and applications to determine how they currently match with the principles of zero trust.

“Second, as agencies create modern applications, be mindful of web and cloud application development and minimize the amount of technical debt you create by not using a modern application approach,” he said. “And finally, target the low hanging fruit. Are there current web and cloud applications that can be migrated into a zero trust model?”

Wood said there are a lot of ways for agencies to create a pilot to test out the concepts of zero trust, while doing no harm. He said agencies must keep the user experience both top of mind and at a high quality; otherwise, adoption becomes too hard.

About Akamai: 

Akamai secures and delivers digital experiences for the world’s largest companies and government agencies. Our intelligent edge platform surrounds everything, from the enterprise to the cloud, keeping apps and experiences closer to users than anyone — and threats far away.

 

Copyright © 2019 Federal News Network. All rights reserved.