The National Institute of Standards and Technology (NIST) Special Publication 800-207 offers the following definitions of Zero Trust and Zero Trust Architecture (ZTA):
Zero Trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
ZTA is an enterprise’s cybersecurity plan that uses Zero Trust concepts and encompasses component relationships, workflow planning, and access policies.
Therefore, a Zero Trust enterprise is the network infrastructure—physical and virtual—and operational policies that are in place for an enterprise as a product of a ZTA plan.
Zero Trust implementation
Zero Trust—a cybersecurity approach that focuses on protecting all resources rather than static networks—leads the movement to reduce and manage cybersecurity risk and address the dissolving perimeter. But the human element of security and digital transformation can’t be ignored. To succeed in securing critical data, agencies must build an agile and adaptive organization with a culture that embraces new ways of working.
Zero Trust is an organization-wide journey that can take years to implement, but agency leaders can use the Zero Trust concepts to guide their first steps toward a more secure architecture. Once Implemented, a ZTA gives users access to only the data they need to accomplish a specific task.
There are multiple steps organizations must take to implement their ZTA, as shown in the graphic below. Zero Trust doesn’t happen overnight; it is a journey rather than a destination, and it will continue to evolve as new threats and solutions emerge.
Public-sector leaders face considerable challenges in their ZTA transitions:
- Legacy systems rely on an “implicit trust” principle, which conflicts with the “adaptive evaluation” principle within a ZTA. Many existing infrastructures that are “implicit trust”-based need to be rebuilt or replaced.
- Rebuilding or replacing IT infrastructure and mission systems requires a significant agency investment.
- Many current Zero Trust initiatives merely focus on the network layer, and lack a more holistic architectural approach.
Know the people, devices, and workloads that touch critical data
Using the new draft Zero Trust guidance, CIOs and agency leaders need to have an understanding of who is accessing data, the devices they’re using, and the workloads that run through them.
Zero Trust requires collaboration across an organization and the support of a dynamic workforce. Unfortunately, federal technology adoption can often stall because of a deeply woven cultural resistance to change; in fact, in a recent ICF survey, 51% of surveyed federal employees say resistance to change is a top reason modernization efforts fail.
Mission leaders are key change agents in motivating and supporting technology adoption. Compared to CIOs and other c-suite executives, mission leaders have a more direct connection with front-line employees, and often have a better understanding of employee needs, opinions, and behavior. That insight positions mission leaders to understand motivations behind resistance to change and support future technology adoption.
Proactive training and education
With the knowledge of where work happens and habits that may make accessing data easier, mission leaders and managers have a better idea of potential security threats, like Shadow IT—the use of unapproved IT and software. Employees may not realize the true risk associated with ignoring or sidestepping security measures and implementing new technology.
Mission leaders should work with CIOs to educate their teams on broader technology and security trends, then use that context to support tools and systems training. Many government agencies don’t have a team of cybersecurity specialists to attend to every threat in real-time, so creating a culture of cybersecurity awareness is crucial.
When it comes to developing a strong and effective cyber workforce, educate your team, help them understand potential threats, and empower them to stay ahead of risks. Zero Trust is all about awareness, shared accountability for cybersecurity, and continuous collaboration amongst teams to deliver business goals.
Provide access to cybersecurity training that outlines best practices and shows real-world scenarios and solutions. For example, the adoption of multi-factor authentication (MFA) and behavioral analytics becomes a critical component of cyber threat detection. These technologies detect and report anomalies in typical employee device usage patterns, such as if a device logs in to the agency network from a new geographic location.
Ultimately, federal CIOs must ensure that their staff members think differently about cybersecurity. Many IT experts implicitly trust their environments and falsely believe that the network firewall keeps hackers away; a mindset shift across the organization should be the top priority.
Lean on the right partners
Amidst COVID-19, employees are more geographically dispersed than ever and agencies are faced with a dissolving network perimeter. With people and devices spread out, it’s become more difficult to defend critical data and networks.
A Zero Trust mentality encourages cybersecurity that is proactive rather than reactive in the face of threats, and agencies need their workforce to embody the same mindset. With predictive monitoring and automated responses, organizations can avoid debilitating threats.
Leaders need to have an understanding of the people, devices, and workflows that have access to agency data. Zero Trust framework elements can act as a guide to creating a government culture that is up to date on security trends, flexible, capable, and willing to learn and adopt new technology and security measures.
Though not all organizations have the resources to build a best-in-class security operations system and team, having the right variety of partners will ultimately enable you to create a stronger and more resilient organization. A Zero Trust Architecture—and the technology and practices required to support it—can take years to implement, but as ransomware threats rise and other threats emerge, agency leaders must help drive the necessary cultural changes and identify the right partners to create a more resilient ecosystem.