
Zero Trust: Why IT and mission leaders are key to overcoming cybersecurity challenges
As agencies strive to modernize their IT to improve customer experiences and enable modern workforces, they must be diligent in safeguarding not only data, but also devices, people, networks, and workloads.
The proliferation of high-profile attacks has resulted in new draft Zero Trust guidance and resources. In September, the OMB released a draft and CISA released a draft and a draft .
The National Institute of Standards and Technology (NIST) Special Publication 800-207 offers the following definitions of Zero Trust and Zero Trust Architecture (ZTA):
Zero Trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
ZTA is an enterprise’s cybersecurity plan that uses Zero Trust concepts and encompasses component relationships, workflow planning, and access policies.
Therefore, a Zero Trust enterprise is the network infrastructure—physical and virtual—and operational policies that are in place for an enterprise as a product of a ZTA plan.
Zero Trust implementation
Zero Trust—a cybersecurity approach that focuses on protecting all resources rather than static networks—leads the movement to reduce and manage cybersecurity risk and address the dissolving perimeter. But the human element of security and digital transformation can’t be ignored. To succeed in securing critical data, agencies must build an agile and adaptive organization with a culture that embraces new ways of working.
Zero Trust is an organization-wide journey that can take years to implement, but agency leaders can use the Zero Trust concepts to guide their first steps toward a more secure architecture. Once implemented, a ZTA gives users access to only the data they need to accomplish a specific task.
There are multiple steps organizations must take to implement their ZTA, as shown in the graphic below. Zero Trust doesn’t happen overnight; it is a journey rather than a destination, and it will continue to evolve as new threats and solutions emerge.
Public-sector leaders face considerable challenges in their ZTA transitions:
- Legacy systems rely on an “implicit trust” principle, which conflicts with the “adaptive evaluation” principle within a ZTA. Many existing infrastructures that are “implicit trust”-based need to be rebuilt or replaced.
- Rebuilding or replacing IT infrastructure and mission systems requires a significant agency investment.
- Many current Zero Trust initiatives merely focus on the network layer, and lack a more holistic architectural approach.
Know the people, devices, and workloads that touch critical data
Using the new draft Zero Trust guidance, CIOs and agency leaders need to have an understanding of who is accessing data, the devices they’re using, and the workloads that run through them.
Zero Trust requires collaboration across an organization and the support of a dynamic workforce. Unfortunately, federal technology adoption can often stall because of a deeply woven cultural resistance to change; in fact, in a recent ICF survey, 51% of surveyed federal employees say resistance to change is a top reason modernization efforts fail.
Mission leaders are key change agents in motivating and supporting technology adoption. Compared to CIOs and other C-suite executives, mission leaders have a more direct connection with front-line employees, and often have a better understanding of employee needs, opinions, and behavior. That insight positions mission leaders to understand motivations behind resistance to change and support future technology adoption.
Proactive training and education
With the knowledge of where work happens and habits that may make accessing data easier, mission leaders and managers have a better idea of potential security threats, like Shadow IT—the use of unapproved IT and software. Employees may not realize the true risk associated with ignoring or sidestepping security measures and implementing new technology.
Mission leaders should work with CIOs to educate their teams on broader technology and security trends, then use that context to support tools and systems training. Many government agencies don’t have a team of cybersecurity specialists to attend to every threat in real-time, so creating a culture of cybersecurity awareness is crucial.
When it comes to developing a strong and effective cyber workforce, educate your team, help them understand potential threats, and empower them to stay ahead of risks. Zero Trust is all about awareness, shared accountability for cybersecurity, and continuous collaboration amongst teams to deliver business goals.
Provide access to cybersecurity training that outlines best practices and shows real-world scenarios and solutions. For example, the adoption of multi-factor authentication (MFA) and behavioral analytics becomes a critical component of cyber threat detection. These technologies detect and report anomalies in typical employee device usage patterns, such as if a device logs in to the agency network from a new geographic location.
Ultimately, federal CIOs must ensure that their staff members think differently about cybersecurity. Many IT experts implicitly trust their environments and falsely believe that the network firewall keeps hackers away; a mindset shift across the organization should be the top priority.
Lean on the right partners
Amidst COVID-19, employees are more geographically dispersed than ever and agencies are faced with a dissolving network perimeter. With people and devices spread out, it’s become more difficult to defend critical data and networks.
A Zero Trust mentality encourages cybersecurity that is proactive rather than reactive in the face of threats, and agencies need their workforce to embody the same mindset. With predictive monitoring and automated responses, organizations can avoid debilitating threats.
Leaders need to have an understanding of the people, devices, and workflows that have access to agency data. Zero Trust framework elements can act as a guide to creating a government culture that is up to date on security trends, flexible, capable, and willing to learn and adopt new technology and security measures.
Though not all organizations have the resources to build a best-in-class security operations system and team, having the right variety of partners will ultimately enable you to create a stronger and more resilient organization. A Zero Trust Architecture—and the technology and practices required to support it—can take years to implement, but as ransomware threats rise and other threats emerge, agency leaders must help drive the necessary cultural changes and identify the right partners to create a more resilient ecosystem.