Agency Zero Trust Does Not Start From Point Zero

The steady drumbeat of cybersecurity hacking headlines is a constant reminder of the extent to which government agencies need to go to secure their data and systems. At the root of these hacking incidents are criminals and adversaries seeking to exploit the inherent flaws in traditional cybersecurity architectures, which largely rely upon on a strong network perimeter and often afford too much trust once inside. The proliferation of cloud technology and the need to work from anywhere only exacerbates the challenge of securing data wherever it may be.

Zero trust

“Zero trust” is an evolutionary cybersecurity philosophy that assumes data resides in a hostile environment, regardless of whether it is a traditional agency network or not. For all the right reasons, it is a forever pessimistic view of the world where nothing is trusted. Everything is verified. A zero trust architecture (ZTA) minimizes attack surface, limits user access to the minimum set of resources needed, and mitigates the potential damage resulting from a successful cyberattack. Most importantly, it is a collection of people, process and technology with a shifted focus on protecting data wherever it is – not the traditional mindset of agency network perimeters.

The good news is that consistent IT policy spanning previous presidential administrations has allowed the federal government to slowly put the necessary building blocks in place for the inevitable ZTA journey.

Executive Order 14028: Improving the Nation’s Cybersecurity, issued in May 2021, provides agencies a fresh opportunity to evaluate their cybersecurity posture through the lens of zero trust and encourages agency CIOS to update their budget needs to align with the intent of the executive order (EO).

While there is ongoing work to harmonize the President’s budget request with the requirements of the EO, agencies should welcome the way in which the EO details the ZTA plan requirement because it affords CIOs the opportunity to show progress made so far.

Zero trust is an evolutionary step, not a wholesale replacement of the modern cybersecurity paradigm. Many existing and planned agency investments supporting Continuous Diagnostic and Mitigation (CDM) capabilities, Identity Credentialing and Access Management (ICAM), and Multifactor Authentication (MFA) can be leveraged to support a ZTA, as well as underlying business processes.

New investments and capabilities needed in the future

While key investments are in place, agencies should turn their focus to three key areas that will require additional investment or process enhancement:

• Data classification and data flows – Zero trust is inherently organized around protecting the data, regardless of where it is. Agencies need to know what systems and data require ZTA protection, how data is used, and how data flows across networks. CIOs should look to partner with other agency stakeholders with similar goals, like chief data officers (CDOs), to gain efficiencies at scale and achieve shared goals.
• Governance – Zero trust empowers agencies to make significantly improved decisions regarding data access. Decisions are based on increased levels of granularity and factors to assess degrees of trust. Is the user end-point BYOD or agency-issued? Is the user logging in from an unknown location? Does the user need access to a new data set? All of these questions have corresponding degrees of detail that require management, as well as risk-based exception processes. Agencies should be prepared to augment existing governance and risk programs to support this area of increased detail.

• Network, end point, encryption and orchestration tools – Agencies likely will need to review their procurement plans to review the cost/benefit of replacing traditional on-premise focused protections versus re-directing those resources towards zero trust capabilities such as software defined networks, end point protections and orchestration tools.

What can agencies do next?

Federal cybersecurity received a welcome push toward adopting ZTAs with the cyber EO. Paying for those next steps will not be easy. With federal IT budgets nearly consumed with operations and maintenance needs and limited Funds, agencies need to be creative with how they plan, resource and implement their ZTA plans. With some investments in place now, agencies can begin to benefit from zero trust protections with thoughtful analysis, strategic tool procurement and business process enhancements.

The nature of a zero trust architecture does not require a wholesale lift and shift to a new security paradigm. It can be built from the inside out. Agencies may want to consider building out their zero trust program around their high value assets to develop momentum, lessons learned and improved protections.

This article was originally published in FCW on August 11, 2021 by Russ Ficken, former director of agency engagement for cybersecurity at the Office of Management and Budget, and Joe Stuntz, former director of cyber defense policy at the Office of Management and Budget, director of federal and platform with Virtru. Russ Ficken currently serves as a director specializing in cybersecurity with Grant Thornton Public Sector.