The Top Challenges to Zero Trust Adoption Facing Government Agencies


Officials must overcome legacy tech and dated requirements.

On May 12, 2021, President Joe Biden signed Executive Order 14028 to improve the nation’s cybersecurity and protect federal government networks. What’s promising about the order is that while its provisions span nine separate sections, the term “zero trust” appears a total of 11 times. While the order is directionally sound, federal agencies are grappling with both what zero trust is and how to implement it across their organizations in accordance with the terms of the order.

It’s absolutely critical that, despite the requirements and timelines laid out in the order, federal agencies avoid the temptation to “ready, fire, aim” and instead focus on both a short- and long-term strategy for effective zero trust adoption. From a lengthy procurement process to cultural complacency and political inertia, the government typically doesn’t adopt new technology in a very rapid manner. As a result, many federal organizations are operating on legacy tech—which also means they aren’t as secure as they could be, and they’re not prepared to implement zero trust. 

Legacy Hardware Equals Vulnerable Systems

The first and arguably the biggest challenge to effective zero trust adoption is coming to terms with the fact that legacy may as well be synonymous with vulnerable, and the solutions that were put in place in years past simply weren’t built for today’s environment—and their design wasn’t based on the core principles of zero trust. 

Even tooling that was purchased in recent years will likely fail to meet the requirements of a true zero trust security model—primarily because those security tools were designed with a known perimeter in mind and the primary job of those tools was to keep sensitive data secured inside the perimeter and prevent adversaries from breaching that perimeter. 

But today’s environments are perimeter-less: users, resources and data are widely distributed, making the traditional castle-and-moat approach to security largely ineffective.

Requirements Lose Relevance Over Time

A federal organization may assemble comprehensive technical requirements, but it’s important to remember that just as the product selected based on those requirements ages, so too does the relevance of the requirements. If a security requirement, for example, was written when an agency had its own data centers and servers on-prem, but the agency has since moved all or at least a portion of its data and services to the cloud, then the requirement is no longer applicable.

Conversely, when thinking about requirements specific to zero trust, they may be written in such a way that federal organizations are expected to rapidly implement an extremely robust and mature solution—something that’s not just difficult, but unrealistic. A mature implementation takes time, especially for large government organizations. 

Not All Tools Are Created Equal

Once federal organizations have resolved to retire their legacy tech and revamp their requirements, the next challenge is identifying the replacement platform solution and determining how to incorporate it into the overall agency architecture strategy. While there are a number of tools available today that market themselves as zero trust solutions, it’s essential to deeply evaluate not just the vendor’s overall perspective on zero trust principles but also their ability to deliver a platform solution that encompasses those principles in a layered approach that’s cloud-smart and data-centric. An effective implementation empowers those responsible for securing their agency with the ability to make educated security decisions rapidly and with confidence. 

With those challenges in mind, there are a few recommendations that can help federal organizations adopt zero trust in a more rapid and effective manner:

Influence the Way Forward

The Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency are currently seeking public feedback on guidance documents intended to move federal agencies towards zero trust. There’s no one-size-fits-all approach or solution, so it’s critical that these guidance documents are crafted with input from a myriad of federal organizations. 

Keep Your Focus on Risk

It can be easy to get distracted by all the activities involved in a shift to zero trust, so it’s important that those responsible for implementation—and agency security overall—don’t lose sight of agency risk. If you lose the ability to identify, measure, understand and act on risks facing your agency, then not only are you failing to adopt zero trust principles effectively, but you’re less secure than when you began.

To that end, identify and engage a consolidated security architecture group. These are the individuals who may not necessarily be security engineers, but they understand risk within your organization, they can correlate risks and events, and they can assess changes in risk over time based on both internal and external factors, decisions, and events. Engaging with these individuals early and often will help maintain focus on risk while moving through the phases of zero trust adoption. 

Leverage Ongoing Initiatives

Launching a dedicated project in isolation requires dedicated time, funding and resources. While parts of an effective zero trust implementation will require each of those, there are often other ongoing initiatives within an organization that can be used to accomplish portions of an overall plan for adoption. In addition to the ability to gain resources that have already been identified and allocated, projects already in flight likely have a proven connection to business and mission objectives, and their value is already being recognized across the organization. Leverage those successes and momentum to decrease the time to value for zero trust adoption; after all, it’s just as important to have a positive association with change culturally as it is technically.

Participation Isn’t Optional

OMB has outlined security maturity levels, and agencies have 60 days to identify critical software and a year to implement enhanced security measures. Agencies are going to have to balance meeting the deadlines with proven progress against setting a fine-tuned strategy that fits the nuanced networking and security needs of the agency. Some agencies, for example, may have a higher percentage of remote workers, others may use more cloud apps, while other agencies may deal with a higher volume of sensitive or classified data—these are just a few of the variables that have to be taken into account when setting adoption strategy. While the guidance details are still somewhat uncertain, one thing that’s beyond doubt is that zero trust adoption is real and it’s no longer optional.

Mark Mitchell is principal at PJ Cook LLC.
