Agency Zero Trust Does Not Start From Point Zero

Presented by Grant Thornton

The steady drumbeat of cybersecurity hacking headlines is a constant reminder of the lengths to which government agencies must go to secure their data and systems. At the root of these incidents are criminals and adversaries seeking to exploit the inherent flaws in traditional cybersecurity architectures, which rely largely on a strong network perimeter and often afford too much trust once inside. The proliferation of cloud technology and the need to work from anywhere only exacerbate the challenge of securing data wherever it may be.

Zero trust

“Zero trust” is an evolutionary cybersecurity philosophy that assumes data resides in a hostile environment, regardless of whether it is a traditional agency network or not. For all the right reasons, it is a forever pessimistic view of the world where nothing is trusted. Everything is verified. A zero trust architecture (ZTA) minimizes attack surface, limits user access to the minimum set of resources needed, and mitigates the potential damage resulting from a successful cyberattack. Most importantly, it is a collection of people, process and technology with a shifted focus on protecting data wherever it is – not the traditional mindset of agency network perimeters.

The good news is that consistent IT policy spanning previous presidential administrations has allowed the federal government to slowly put the necessary building blocks in place for the inevitable ZTA journey.

Executive Order 14028: Improving the Nation’s Cybersecurity, issued in May 2021, provides agencies a fresh opportunity to evaluate their cybersecurity posture through the lens of zero trust and encourages agency CIOs to update their budget needs to align with the intent of the executive order (EO).

While there is ongoing work to harmonize the President’s budget request with the requirements of the EO, agencies should welcome the way in which the EO details the ZTA plan requirement because it affords CIOs the opportunity to show progress made so far.

Zero trust is an evolutionary step, not a wholesale replacement of the modern cybersecurity paradigm. Many existing and planned agency investments supporting Continuous Diagnostics and Mitigation (CDM) capabilities, Identity, Credential, and Access Management (ICAM), and Multifactor Authentication (MFA) can be leveraged to support a ZTA, along with the underlying business processes.

New investments and capabilities needed in the future

While key investments are in place, agencies should turn their focus to three key areas that will require additional investment or process enhancement:

  • Data classification and data flows – Zero trust is inherently organized around protecting the data, regardless of where it is. Agencies need to know what systems and data require ZTA protection, how data is used, and how data flows across networks. CIOs should look to partner with other agency stakeholders with similar goals, like chief data officers (CDOs), to gain efficiencies at scale and achieve shared goals.
  • Governance – Zero trust empowers agencies to make significantly improved decisions regarding data access. Decisions are based on increased levels of granularity and on factors that assess degrees of trust. Is the user endpoint BYOD or agency-issued? Is the user logging in from an unknown location? Does the user need access to a new data set? All of these questions have corresponding degrees of detail that require management, as well as risk-based exception processes. Agencies should be prepared to augment existing governance and risk programs to support this increased level of detail.
  • Network, endpoint, encryption and orchestration tools – Agencies likely will need to revisit their procurement plans to weigh the cost/benefit of replacing traditional on-premises focused protections versus redirecting those resources toward zero trust capabilities such as software-defined networks, endpoint protections and orchestration tools.

What can agencies do next?

Federal cybersecurity received a welcome push toward adopting ZTAs with the cyber EO. Paying for those next steps will not be easy. With federal IT budgets nearly consumed by operations and maintenance needs and limited funds, agencies need to be creative in how they plan, resource and implement their ZTA plans. With some investments already in place, agencies can begin to benefit from zero trust protections through thoughtful analysis, strategic tool procurement and business process enhancements.

The nature of a zero trust architecture does not require a wholesale lift and shift to a new security paradigm. It can be built from the inside out. Agencies may want to consider building out their zero trust program around their high value assets to develop momentum, lessons learned and improved protections.

This article was originally published in FCW on August 11, 2021 by Russ Ficken, former director of agency engagement for cybersecurity at the Office of Management and Budget, and Joe Stuntz, former director of cyber defense policy at the Office of Management and Budget, director of federal and platform with Virtru. Russ Ficken currently serves as a director specializing in cybersecurity with Grant Thornton Public Sector.

This content is made possible by our sponsor Grant Thornton. It is not written by and does not necessarily reflect the views of GovExec's editorial staff.
