Why Government Needs to Move Quickly to Zero Trust

With so many government employees working from home, and no indication that this will end anytime soon, the federal government needs to upgrade the way it handles networking to tighten security for this new environment. Most experts agree that the best path forward would be zero-trust networking, although the concept is defined differently depending on who you happen to ask. Entire books could be written about the intricacies of zero trust, but by way of an explainer here, I will attempt to clearly define it for anyone considering upgrading security for their agency.

The federal government was already taking steps towards zero-trust networking late last year in an effort to improve overall security. The NIST National Cybersecurity Center of Excellence (NCCoE) and the Federal CIO Council hosted a two-day Technical Exchange Meeting on defining zero-trust architectures last November. And then in February, NIST updated its Special Publication 800-207, which helps to make the case for zero trust in government. So the government was already thinking about zero trust. It’s just much more necessary now with the pandemic forcing so many people to work from home.

The special publication gives a nice overview description on zero trust. “Zero trust is the term for an evolving set of cybersecurity paradigms that move network defenses from static, network-based perimeters to focus on users, assets and resources,” it says. “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet).”

The document brings up a good point that under current networking policies, users coming in from a trusted network such as another government agency, or from a location where they have already verified their credentials, are normally given full access to data and agency resources without further review. Zero trust instead starts from the fact that because everything is connected, a so-called valid user might actually be an attacker. At the very least, every user is monitored based on their activity.

Defining Data Sensitivity

Unfortunately, getting to zero trust can’t be done with a single product or platform. It often requires a bunch of different technologies like multifactor authentication, single sign-on, continuous monitoring and others working together in a zero-trust framework. But that also means that it can be implemented in stages, with various components coming online where they can do the most good and with the least amount of disruption. It’s why the government is backing programs like Continuous Diagnostics and Mitigation (CDM) and Federal Identity, Credential and Access Management (FICAM) as steps along the path toward the ultimate goal of zero trust. 

One of the foundations of zero trust is the categorization of data, applications and assets based on their importance or, especially in the case of government, secrecy levels. For example, you could categorize an entire database as critically important, while an agency’s web servers are defined as needing less protection. Applications and services should also be defined by security or secrecy. In a highly secure environment, even individual files and folders could be flagged as needing upgraded protection.

Once data and assets are categorized, agencies can take that information and build zero-trust policies around it, especially if they have also implemented CDM. For example, a user who came from a trusted network might be OK if they want to access information about their federal holidays. But if that same user wants to search for personal information about other employees, they should probably be challenged to prove their identity and verify that they are able to look at that data. 

This could be done in a variety of ways, with the most common being the issuing of a multifactor authentication (MFA) challenge where they have to enter a code sent to their smartphone, or enter the algorithmically-generated PIN on their government-issued security token. Only then would they be allowed to proceed with viewing any data with a higher classification.

Evaluating Risk

The example I made up was a pretty simple one to show how zero trust works. Unfortunately, it's normally a lot more complicated than that. In a well-designed zero-trust environment, there are thresholds of activity and circumstances that define risk, and how much of it an agency network should accept before challenging users for additional credentials. And it can be a tricky balancing act.

When continuously evaluating a user, factors such as whether they are connecting to the network from a valid location, the strength of their password, whether they are using an approved device and what they are trying to do should all be considered. If one of those checks fails, for example if a user is working from a foreign country that they have never logged in from before, it still might be okay to give them access to shared or non-classified information. Perhaps they are traveling abroad. So that might be an acceptable level of risk.

However, if that same user crosses another threshold, like if they are using a smartphone that has not been approved, or if they suddenly want to access more critical data, the risk might suddenly be too high. In that case, zero trust would automatically take additional steps. They might be given an MFA challenge, temporarily blocked or even booted from the network depending on the severity of the risk spike and how zero trust is defined for that agency.
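To make the two ideas above concrete, here is an added example, not code from the article or from NIST SP 800-207, of a small policy decision point. It covers both the categorization step from the previous section (a catalogue that labels each resource with a sensitivity level) and the risk thresholds described here: each request carries the signals the article lists (location, device, credential strength, requested action), a risk score is computed, and the score is mapped onto allow, MFA challenge, or deny. The resource names, signal weights and thresholds are all assumptions chosen for illustration; a real agency would tune them to its own data categories and risk appetite.

```python
"""Toy zero-trust policy decision point (added example; all names, weights
and thresholds are assumptions, not taken from the article or NIST)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Categorization step: every resource gets a sensitivity level whose
    value is also its baseline risk contribution."""
    PUBLIC = 0      # e.g. the federal holiday schedule
    INTERNAL = 1    # shared, non-classified material
    SENSITIVE = 3   # personal information about other employees
    CRITICAL = 5    # a database categorized as critically important


# Constructed resource catalogue (assumption).
RESOURCE_CATALOG = {
    "holiday-schedule": Sensitivity.PUBLIC,
    "staff-wiki": Sensitivity.INTERNAL,
    "hr-records": Sensitivity.SENSITIVE,
    "case-db": Sensitivity.CRITICAL,
}

# Risk added by each signal the article lists; weights are assumptions.
RISK_UNKNOWN_LOCATION = 1
RISK_UNAPPROVED_DEVICE = 3
RISK_WEAK_PASSWORD = 1
RISK_WRITE_ACTION = 1

# Thresholds: at or below ALLOW_MAX the request proceeds; up to
# CHALLENGE_MAX it needs a completed MFA step-up; above that it is refused.
ALLOW_MAX = 2
CHALLENGE_MAX = 5


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    country: str
    device_approved: bool
    password_strength: int      # assumed 0 (weak) .. 3 (strong) scale
    mfa_completed: bool = False
    action: str = "read"


@dataclass(frozen=True)
class UserProfile:
    known_countries: frozenset   # countries this user has logged in from before


def risk_score(req: AccessRequest, profile: UserProfile) -> tuple[int, list[str]]:
    """Sum the risk from the resource's sensitivity and from each request
    signal. The reasons list is returned so analysts can see why a
    decision was made, not just what it was."""
    level = RESOURCE_CATALOG[req.resource]
    score = int(level)
    reasons = [f"resource {req.resource} is {level.name}"]
    if req.country not in profile.known_countries:
        score += RISK_UNKNOWN_LOCATION
        reasons.append(f"{req.user} has never logged in from {req.country}")
    if not req.device_approved:
        score += RISK_UNAPPROVED_DEVICE
        reasons.append("device is not on the approved list")
    if req.password_strength < 2:
        score += RISK_WEAK_PASSWORD
        reasons.append("password strength below policy minimum")
    if req.action != "read":
        score += RISK_WRITE_ACTION
        reasons.append(f"action {req.action!r} modifies or exports data")
    return score, reasons


def decide(req: AccessRequest, profile: UserProfile) -> str:
    """Map the risk score onto ALLOW, CHALLENGE (MFA step-up) or DENY."""
    score, _ = risk_score(req, profile)
    if score <= ALLOW_MAX:
        return "ALLOW"
    if score <= CHALLENGE_MAX:
        return "ALLOW" if req.mfa_completed else "CHALLENGE"
    return "DENY"


if __name__ == "__main__":
    # Constructed scenarios mirroring the article's narrative.
    alice = UserProfile(known_countries=frozenset({"US"}))
    scenarios = [
        AccessRequest("alice", "holiday-schedule", "US", True, 3),
        AccessRequest("alice", "hr-records", "US", True, 3),
        AccessRequest("alice", "hr-records", "US", True, 3, mfa_completed=True),
        AccessRequest("alice", "staff-wiki", "FR", True, 3),          # traveling abroad
        AccessRequest("alice", "staff-wiki", "FR", False, 3),         # plus unapproved phone
        AccessRequest("alice", "case-db", "FR", False, 3, mfa_completed=True),
    ]
    for req in scenarios:
        score, reasons = risk_score(req, alice)
        print(f"{decide(req, alice):9} risk={score} {req.resource:16} <- {'; '.join(reasons)}")
```

Note that the last scenario is refused even though MFA was completed: once the score passes the deny threshold, a successful challenge no longer lowers it, which is the "risk spike" behaviour the text describes. Keeping the weights and thresholds as named constants is deliberate, since those are exactly the values an agency's policy owners would tune rather than the evaluation logic itself.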

Getting to Zero

Given the complexity of zero trust and the size of most agency networks, it’s no wonder that government is taking its time getting to zero. Zero trust is also well-known enough today that there are lots of resources for agency officials looking for more information. 

The NIST special publication is, of course, highly recommended. Another good report, created by the American Council for Technology-Industry Advisory Council at the request of the Federal CIO Council, defines six strong pillars for a zero-trust security model. Research firm Forrester defined a zero-trust philosophy that it calls a Zero Trust eXtended (ZTX) Ecosystem, while Gartner calls its model Continuous Adaptive Risk and Trust Assessment (CARTA). Google also has a working model of zero trust that it calls BeyondCorp.

The pandemic has enhanced the government’s interest in zero trust, but it was already moving in that direction beforehand. With the research and work already put into defining zero trust within government, federal agencies are in a good position to at least begin putting elements of the platform in place. In many cases, different components probably already exist in most federal networks. They just need to be tied together into a zero-trust model that works for government.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys
