Federal agencies working to secure hybrid environments are rethinking traditional security strategies. Looking for options that make sense for cloud-enabled, highly mobile teams, many agencies are piloting zero trust network access (ZTNA) solutions, such as Zscaler Private Access.
I spoke on a zero trust panel of federal and industry leaders at the ACT-IAC Imagine Nation ELC Conference along with Darren Death, CISO, ASRC Federal; Brig. Gen. Gregory J. Touhill, Ret., President, Cyxtera Federal Group; Theodore Gates, Consultant, Cisco Systems Inc.; and Steven Hernandez, CISO and Director of Information Assurance Services, Department of Education. We discussed how to define zero trust, and how industries and agencies can work together to implement zero trust in government.
Zero trust pivots from traditional security policies that grant all users open access to data to a modern policy requiring continuous user authentication and authorization. By treating all users, devices, data, and service requests the same, zero trust allows IT administrators to enforce accurate access policies. The initial assumption is that an organization does not instinctively trust any user.
Agencies need zero trust to keep up with modern IT environments—more cloud data storage and consistently evolving cyberthreats.
“That’s where the conversation starts,” Hernandez said, adding, “We used to trust the LAN, but we can’t do that anymore. Once people started to get phished by an attacker on the inside, the premise that I can trust the network due to the physical connection, or the IP address, had to go away.”
Zero trust: strategy or architecture?
Some argue zero trust is an architecture; others, a strategy.
But zero trust is both. It is larger than just the network. It’s an architecture and a strategy built around data. When you think about zero trust, it’s about how we take a homogenous environment and look at who is accessing our data, why they need access, and how they are accessing it.
As an architecture, zero trust provides visibility into networks to ensure the right person, device, and service have access to the data they need while protecting high-value assets. But zero trust is also a strategy, because it’s an entire government effort to educate the federal workforce and develop a culture around the philosophy of the zero trust strategy.
Where to go from here
Zero trust recognizes the need to keep security simple, particularly as our networks become more complex. This is where tools such as the popular multifactor authentication come into play: it’s dynamic and enforced, yet easy for any user to follow. Zero trust implements this authentication practice to ensure that data is protected and that a user’s network location does not imply trust. Any process or tool that makes security harder for a user or operator will increase risk and make it more difficult to properly protect sensitive information.
As the first cloud services provider to receive FedRAMP ready status at the High Impact level for a dedicated zero trust remote access platform, Zscaler significantly simplifies the process. We help federal teams access sensitive applications and data from anywhere on any device using a software-defined perimeter, not appliances, to provide comprehensive security and a fast, seamless user experience. Access is the same whether agency applications are hosted in the government data center, in the AWS GovCloud, or in another service.
Here’s the bottom line: implementing zero trust requires effort from the entire agency or organization. Because the architecture can affect a program system’s performance, security, and risk, as we state in the ACT-IAC white paper, it is crucial for agency heads and program leaders to work together with IT teams on zero trust design and implementation. Zero trust needs to be mission-driven, not IT-driven, to be successful.
To learn more, see NIST’s new Draft SP 800-207, Zero Trust Architecture, as well as the recently released ACT-IAC zero trust white paper. These resources provide use cases, details on federal requirements and certifications, and recommendations to overcome challenges and take advantage of the benefits of implementing zero trust.
Stephen Kovac is the Zscaler Vice President of Global Government and Head of Corporate Compliance