Zero Trust Mythbusting: Simplifying the Search for Transformational Security

Presented by Google Cloud

Dan Prieto looks back on 2020 as the perfect storm for cyberattacks.

When Prieto, a strategic business executive for Google Cloud Public Sector, thinks about how organizations hurried to set up remote work in response to the pandemic, he notes that many used security practices that weren’t designed to handle the heightened risks. While disruptive cybersecurity events rose sharply in 2020 and 2021, he notes that many could have been curtailed with more sophisticated safeguards, including the implementation of zero trust architectures.

The federal government is now required to implement these types of defenses per the President’s Executive Order 14028 on cybersecurity released earlier this year.

“COVID forced a rapid push to remote work in a way that many organizations weren’t really ready for. Cyber attackers have increased their targeting of VPNs and remote workers,” he says.

Ultimately, the pandemic and remote work became part of a perfect storm of cyber attacks, compounded by vulnerabilities exposed in email and identity systems globally, in the software supply chain, and in food and energy critical infrastructure.

“You couldn’t come up with a more worrisome list of high-profile targets,” Prieto says. “That’s the threat environment people are dealing with — attack after attack.”

Vulnerabilities of Legacy Approaches to Security

The surge in cyberattacks, while disruptive, sheds light on the insufficiency of traditional security models and has forced IT leaders to recognize gaps in their methods.

First and foremost, the uptick has highlighted vulnerabilities of longstanding network-focused security approaches. Large-scale use of virtual private networks (VPN) is one area Prieto says is concerning as it can widen the attack surface and increase cyber risk. Agencies were doubling, tripling and quadrupling the number of people who needed remote access to applications and data as well as increasing the use of VPNs, a network-centric approach to security that provides users with secure access into headquarters and to enterprise applications.

This surge in remote work put additional strain on physical network infrastructures and on the control points that secure remote user access to applications in the cloud and on the web. Remote user traffic works its way through the VPN into headquarters and then exits via a finite number of physical choke points, through which all network traffic is funneled and where monitoring is focused. This network-focused security approach poses a slew of user-experience, management, and scalability concerns.

While VPNs helped get people remote, using them as a core solution for the long term is “brittle” and difficult to sustain, Prieto says. As employees began using their own devices, threat actors were able to gain remote access to the network via the VPN, breaching the network to steal identities.

A perimeter-based approach is no longer effective, says Prieto. More granular and discrete controls within the network, applied after someone gains access, could prevent a threat actor from reaching an entire enterprise via a single access point.

A network-focused approach also makes it difficult to spot anomalous behavior.

“On the analytics side, organizations struggle to take full advantage of all cyber-relevant data and information that is generated within their enterprise. They struggle to effectively integrate and analyze it all, in a timely manner, to detect threats, to see whether someone is not actually who they say they are, or doing things they shouldn’t be doing,” Prieto says.

An anomaly should set off alarm bells, but some organizations lack the storage capacity and analytics capabilities to proactively interrogate the data they’ve amassed to assess whether they’ve been compromised. Security teams — which are already working at or beyond full capacity — have a tendency to respond to rising attacks by setting up more traditional defenses: more compliance, more training, more tools, more point solutions, more people.

However, given the speed with which cyber attackers can operate, the complexity and fragmentation of IT systems and tools, and the sheer volume of data needing analysis, cyber defenders need to work smarter, not just harder.

That’s where accelerating zero trust efforts with a trusted partner, like Google Cloud, can help.

Busting Zero Trust Myths

Zero trust isn’t a particular security product or set of products. “It is the intentional integration, layering, and orchestration of multiple security capabilities to drive a particular set of improved security outcomes,” Prieto says. No user or machine is assumed to be trustworthy when attempting to gain access to an application or the data behind it — even if they’ve gained access to the network.

Myth 1 — It’s Only About Products

It’s not about buying any particular new security products. Instead, it’s about seamlessly knitting together a range of layered security capabilities to drive improved security outcomes. Starting a decade ago, after suffering a nation state cyber attack, Google took that approach to implement zero trust on a global scale across its infrastructure and for all of its employees.

Google implemented a wide range of changes to ensure that:

1. Connecting from a particular network must not determine which services you can access

2. Access to services and data is granted based on what is known about you and your device

3. All access to services must be authenticated, authorized and encrypted
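The three principles above, expressed as an access decision that can be checked in code. This is an added illustration and not Google's or BeyondCorp's implementation; the service names, group names and device-posture fields are hypothetical. The point it makes that the list alone does not: the source network is carried in the request but never read, and a helper verifies that flipping it cannot change the decision.

```python
# Added illustration, not Google's or BeyondCorp's code: a minimal access
# decision that applies the three principles above. Service names,
# group names and posture fields are hypothetical.
from dataclasses import dataclass, field, replace
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: Optional[str]        # authenticated identity, None if not proven
    mfa_verified: bool         # identity confirmed with a second factor
    device_managed: bool       # device is enrolled in the inventory
    device_patched: bool       # device posture check passed
    transport_encrypted: bool  # request arrived over TLS
    source_network: str        # "corp" or "internet"; deliberately unused
    service: str
    groups: FrozenSet[str] = field(default_factory=frozenset)


# Hypothetical per-service policy: who may reach the service and whether
# a managed, patched device is required for it.
POLICY = {
    "payroll": {"groups": {"finance"}, "require_managed": True},
    "wiki": {"groups": {"staff"}, "require_managed": False},
}


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks are ordered: encryption, then
    authentication, then authorization. source_network is never read."""
    if not req.transport_encrypted:
        return False, "unencrypted transport"
    if req.user is None or not req.mfa_verified:
        return False, "identity not authenticated"
    rule = POLICY.get(req.service)
    if rule is None:
        return False, "unknown service"
    if rule["require_managed"] and not (req.device_managed and req.device_patched):
        return False, "device posture insufficient"
    if not req.groups & rule["groups"]:
        return False, "not authorized for service"
    return True, "ok"


def network_is_ignored(req: AccessRequest) -> bool:
    """Principle 1 as a property: flipping only the source network must
    leave the decision unchanged."""
    other = "internet" if req.source_network == "corp" else "corp"
    return decide(req) == decide(replace(req, source_network=other))
```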

After perfecting its internal approach to zero trust, Google Cloud has externalized many of those security capabilities within its solutions, including Google Workspace, for zero trust collaboration and communications, and BeyondCorp Enterprise, for zero trust secure remote access with integrated threat and data protection.

Myth 2 — There’s No Way to Speed Adoption

The difficulty agencies are facing now is how to most effectively implement zero trust for themselves. They need to leverage a range of existing security investments and capabilities and bring in new capabilities. Moreover, they need to bring it all together in a way that, ideally, improves security outcomes, makes management more streamlined and efficient, and improves the user experience.

Trying to do this without the right plan and the right partners in place will be a daunting undertaking. By adopting the proven zero trust security capabilities that are natively built into Google Cloud’s products, government departments and agencies can accelerate their own journeys to zero trust.

Myth 3 — Turnkey Zero Trust Solutions Don’t Exist

Zero trust works by diligently affirming each user’s identity. “There are multiple checks before we grant access to someone or their machine to an application or data,” Prieto says. “There is no presumption that just because you’re coming in from a certain network or that you have a certain username and password that you actually are who you say you are.”

That’s because for Google Cloud, traditional security measures that are widely relied on — name and password, presence within a corporate network — are never sufficient on their own to grant access to critical IT resources. For far too long, it has been too easy for threat actors to pretend to be someone they’re not. Powered by Google’s zero trust security capabilities, agencies can more effectively stop attacks in their tracks.

“If you use Google Workspace, you are in a turnkey, zero trust environment for email, collaboration and secure communications,” Prieto says.

Myth 4 — Zero Trust Is a Burden for Remote Workers

When planning their zero trust journeys, it is important for agencies to have a clear sense of their most essential IT assets and activities. Armed with that knowledge, agencies should make it a priority to accelerate zero trust protections for applications and data first.

“It’s important to acknowledge that you might not be able to implement zero trust for everything in the enterprise, all at the same time,” Prieto says. “Secure the highest value assets and activities first.”

Working with Google Cloud, agencies can more effectively protect resources holistically. Networks cease being the central element of security. For remote workers, the reliance on VPNs can be significantly reduced, improving workflow and security.

Innovation at DIU Addresses Zero Trust Requirements for Traffic Monitoring

Taking a zero trust approach to key aspects of security within an agency can help foster a culture of innovation. One such example of innovation can be seen at the Defense Innovation Unit, a Pentagon organization that helps accelerate the Department of Defense’s adoption of commercial technology to address mission-critical DOD use cases.

Under federal policy, agencies must rely on a limited number of internet access points to access data and applications in the cloud. Within DOD, they’re referred to as cloud access points. Cloud access point, or CAP, sensors allow the Defense Information Systems Agency (DISA) to monitor the traffic passing through them. Traffic monitoring requirements are also part of the zero trust guidance from the National Institute of Standards and Technology, from DISA, and from the National Security Agency. With the help of Google Cloud, DIU adopted a virtualized alternative to the CAP.

According to Prieto, traditional security architectures have required government employees who want to access cloud applications to transit via VPN onto government networks and then to pass through internet access points for security monitoring and inspection.

With the COVID surge to remote work, the combination of VPNs, the “hairpinning” of traffic through department networks, and the required passage through a finite number of internet access choke points has created issues around latency performance, scalability and manageability.

“Those choke points exist within a paradigm of security that is still very network-focused,” Prieto says. “I have a physical choke point through which traffic must flow and through which I must monitor traffic.”

And, in the case of DIU, the innovative use of containers for traffic monitoring transformed scalability and performance as compared to the CAP choke points.

Overall, traffic management and traffic inspection are much more efficient and seamless. Remote users can securely access cloud applications without transiting VPNs, the departmental network, or the CAP, and on-prem users can securely access the cloud without transiting the CAP. Instead of a physical, hardware-based set of access points monitoring traffic, Google Cloud’s work with DIU leverages containers to provide a virtualized, software-defined alternative to the physical CAPs.

“It’s much more scalable because the containers can be positioned in front of, and provide traffic security monitoring for, an application wherever it resides, in any cloud or on-premises,” Prieto says. With its zero trust solutions, Google Cloud takes an identity-oriented approach to zero trust architectures.

“We focus on user, machine, context, and behavior — not networks,” says Prieto.

While this is a dramatic departure from the traditional treatment of the network as the primary operational focus for security, NIST’s 800-207 Zero Trust guidance recognizes such architectural variations as important and viable options that give agencies flexibility as they seek to reduce cyber risk by implementing zero trust for themselves.

Google Workspace Offers a Secure Agency Solution

As DIU and other government agencies seek to implement zero trust architectures, Google Cloud can accelerate their journeys in other ways, as well. Early in 2021, a series of high-profile attacks targeted legacy email systems. This led the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency to order federal agencies to disconnect on-prem Microsoft Exchange email servers.

Despite various protective and remediation efforts, executive leadership at certain departments and agencies determined that their legacy email systems were no longer trustworthy. This led a number of government organizations to increase their use of Google Workspace as a secure and resilient alternative to commonly used legacy enterprise collaboration and email tools. Executive leadership and mission-critical personnel are using Google Workspace today as a secure alternative to legacy email. Some organizations are also considering implementing Google Workspace as a cold backup, running in the background and parallel to existing systems, replicating email and documents.

“If at some point in the future, there’s another attack or a significant change in the risk environment, you can cut over immediately, without missing a beat, to a secure zero trust communications and collaboration environment that resists increasingly common attacks like ransomware,” Prieto says. Government organizations need to come to terms with the fact that too many of the common tools and applications they use today are a persistent source of vulnerability and a frequent vector for cyber attacks.

To ensure continuity of operations, it is critical to implement alternative solutions that are more resilient because they provide reliable zero trust security. Google Cloud also boasts resilience against distributed denial-of-service attacks: its security, resilience and engineering teams focus heavily on performance under load, since Google Cloud handles massive surges in traffic. This search for resilience extends to other areas as well.

Take patching and Distributed Denial of Service, or DDoS, attacks for example. A substantial number of successful attacks occur due to a failure to deploy software patches in a timely manner. Google Cloud automatically patches against vulnerabilities in the background, minimizing downtime for customers and enabling critical business to continue as usual.

In addition, Google’s global infrastructure and solutions like Cloud Armor help protect against DDoS attacks. Another critical area where Google Cloud can help government organizations transform security is in speeding their ability to detect threats. Being able to do this is critical, as attacks become more frequent and adversaries can typically penetrate victim systems within minutes to hours, while defenders typically don’t discover threats for months or even years.

With Google Cloud’s Chronicle threat detection solution, organizations can identify threats faster. Customers can cost-effectively store multiple years of high-volume IT and cybersecurity log data, readily analyze it, and quickly detect threats that might otherwise go unnoticed for long periods of time.

Google Cloud’s security offerings aren’t meant to rip and replace security stacks already in place. They can often augment existing agency security efforts with agile and cost-effective cloud native security capabilities. Ultimately, Google Cloud’s mission is to provide thought-out, well-managed, scalable solutions that accelerate an agency’s zero trust journey. The recent dramatic rise in cyber attacks — often by nation state adversaries and often threatening the integrity of key government capabilities and the availability of critical infrastructures — makes it clear that U.S. national security depends on strengthening cyber protections, speeding threat detection, and improving resilience.

Cloud native security capabilities can help government organizations on all these fronts to be prepared for the next crisis.

Learn more about how Google Cloud’s solutions and services can help agencies integrate zero trust into their security strategy.

This content is made possible by our sponsor. The editorial staff was not involved in its preparation.
