Five Steps to Zero Trust Network Security


Presented by Fortinet Federal

Federal decision-makers are working hard to address mounting cybersecurity issues, putting in place numerous mandates and orders to help stem the tide of network security vulnerabilities and incidents. A recent memo from the White House, for example, requires federal agencies to adopt a zero trust architecture to better defend against increasingly sophisticated and persistent threats.

A big part of zero trust addresses networks, one of the most common routes threat actors use to infiltrate agencies. Zero Trust Network Access (ZTNA) controls access to applications by requiring verification of users and devices before every application session. It also confirms that users and devices meet agencies’ policies for the applications they are requesting access to.

Even though agencies are paying close attention, achieving true zero trust architecture isn’t easy. According to a recent Fortinet FortiGuard Labs Report, 75% of respondents indicated that they understand the concept of zero trust, yet more than half still face gaps and reported being unable to implement zero trust capabilities.

“The concept of zero trust encompasses everything from the thought process of establishing resources and determining who has access to them all the way through to the development of the application and its lifecycle, and everything in between,” said Bill Lemons, a senior systems engineering manager at Fortinet Federal. “The concept is so overarching and all-consuming that every organization is challenged trying to implement an end-to-end, full zero trust architecture. It’s a monumental lift.”

While achieving a comprehensive zero trust architecture can be complicated, implementing ZTNA can be a huge step toward true zero trust. Breaking it down further into more manageable steps can help.

1. Set expectations and gather your team

While it’s tempting to dive in head-first, setting the stage can pay big dividends. That means:

  • Read everything you can about zero trust and ZTNA, ask questions, and consult with other agencies further along on the journey.
  • Determine who should be involved. In addition to the CISO, important stakeholders include representatives from the network, data, software development and citizen services teams, as well as application owners and line-of-business owners, such as HR and finance.
  • Publicize your initiative internally. It’s much better to explain what’s coming and answer questions staff may have before making changes. Acceptance will be much higher with this approach.
  • Set up a common vocabulary. Every agency—and every vendor—has its own terms for different functions and technologies. Standardizing these terms at the beginning is a best practice.

2. Decide which capabilities and processes are most important

One of the most important capabilities in any zero trust mindset is least privilege, which ensures that users and devices have access to only the resources they need. Least privilege also should include the ability to terminate access if users or devices take prohibited actions. It’s also important to be able to authenticate users and devices on an ongoing basis, monitor users post-authentication, fully integrate resources and provide secure access at the application level.

From that point, the capabilities and processes most important to an organization will vary depending on priorities, the type of business the agency performs, and the regulations it must comply with. It pays to be specific. For example, not all applications, and the data within those applications, require the same level of control and granularity. Input from users and security staff can help define how granular and controlled access to specific applications and data should be. This is where older applications that are still relevant may require rewriting or replacing, because they probably don’t have the necessary code and programmability to get granular enough. Creating a playbook can help.
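The capabilities named in step 2 (least privilege per application, ongoing authentication, device checks, and terminating access after a prohibited action) can be sketched as a per-request access decision. This is an added example, not code from the article or from any Fortinet product; the application names, roles, time limits and the `bulk_export` action are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed per-application policy; app names, roles and limits are assumptions.
# Each application carries its own level of control, as step 2 recommends.
POLICY = {
    "hr-portal": {"roles": {"hr"}, "compliant_device": True, "max_auth_age_s": 900},
    "wiki": {"roles": {"hr", "finance"}, "compliant_device": False, "max_auth_age_s": 28800},
}
PROHIBITED_ACTIONS = {"bulk_export"}  # hypothetical action that ends the session

@dataclass
class Session:
    user: str
    role: str
    device_compliant: bool
    auth_time: float  # seconds, when the user last authenticated
    app: str
    revoked: bool = False

def authorize(s, now):
    """Access decision, evaluated at session start and again on every request."""
    rule = POLICY.get(s.app)
    if rule is None:
        return False, "no policy for application (default deny)"
    if s.revoked:
        return False, "session revoked"
    if s.role not in rule["roles"]:  # least privilege: only entitled roles
        return False, "role not entitled to application"
    if rule["compliant_device"] and not s.device_compliant:
        return False, "device fails posture policy"
    if now - s.auth_time > rule["max_auth_age_s"]:  # ongoing authentication
        return False, "re-authentication required"
    return True, "allow"

def handle_request(s, action, now):
    """Post-authentication monitoring: a prohibited action terminates access."""
    ok, reason = authorize(s, now)
    if not ok:
        return False, reason
    if action in PROHIBITED_ACTIONS:
        s.revoked = True
        return False, "prohibited action; session terminated"
    return True, "allow"

if __name__ == "__main__":
    demo = Session("alice", "hr", True, 0.0, "hr-portal")
    for action, t in [("view_record", 60), ("bulk_export", 120), ("view_record", 180)]:
        print(action, t, handle_request(demo, action, t))
```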


This content is made possible by our sponsor, Fortinet. The editorial staff of FCW was not involved in its preparation.