Ask five IT leaders from five different federal agencies to explain zero trust, and you will get five different definitions.
I’ve noticed this disparity when speaking with them during workshops and roundtable discussions. And it’s understandable because any time a new term or technology is introduced, vendors claim that their solutions meet that definition—whether they do or not. Confusion is inevitable.
The fact is that IT and security professionals naturally bring their own experiences and technology lenses to the adoption of any new technology. Let’s take a look at zero trust through some of those federal lenses.
Some federal IT leaders began their exploration of zero trust by looking at their networks. About five to 10 years ago, federal organizations believed the network was the most important thing, establishing security mechanisms around the goal of protecting that network. But times have changed, and federal agencies are now looking beyond the network. One member of a federal cybersecurity team described the role of zero trust as “moving toward a place where logical network placement is not some kind of pseudo-authenticating mechanism, and dissolving, as much as possible, the notion of the strong network perimeter. The pandemic has been a catalyst for people to realize their strong network perimeter isn't what they thought it was.”
Some look at zero trust from an IT perspective. These federal leaders see IT’s role evolving from infrastructure-focused to product-focused or, in some cases, application-focused, and they see zero trust playing a critical part in that. IT’s mission and capabilities are moving toward supporting agency objectives. So, for some IT and networking leaders, zero trust will take on increased importance as it provides more complete security for the transport network—the internet—than legacy security models designed to only protect the data inside your network.
One federal leader I’ve spoken to believes the term zero trust is a misnomer because, if you don't trust anyone, nobody will get anything done. As he described it, the concept of zero trust is really a matter of establishing what trust levels are available and then figuring out what access you're going to grant based on a particular level. So it's just another way to say that entities (people, devices, applications) get least-privileged access, the minimum needed to get the job done.
Another federal IT leader described the concept as variable trust, meaning that a user accessing the network on a corporate-managed or corporate-issued device will garner more trust than someone using an unknown device. The same applies to users attempting to access the network from inside the corporate office as opposed to a remote location.
An important question for many federal agencies is: What are you trying to protect? In many cases, protecting every device isn’t the goal, but rather protecting the data going to and from a device. So agencies are focused on moving protections closer to the assets that they are actually trying to protect.
Federal agencies realize they must consider many factors when it comes to allowing someone access to an app or piece of data: Who is getting access? What are the assurances? How did they authenticate? In short, an agency will trust someone requesting access via a network managed on-prem to a greater extent than other forms of authentication, such as a username or password.
Federal leaders seem to agree that zero trust is a better way to manage access. It's a better way for agencies to truly understand who's accessing their networks and data and what they are doing with that data. And they know you have to continually evaluate a multitude of factors to decide if a person can have and maintain access. As one federal leader said, you have to look at the bigger picture when it comes to zero trust.
As a perceptive member of a federal agency also said, people sometimes forget that it's not always a user accessing data. Your systems are also sharing data, and so are applications, often between different clouds. Many in our industry talk about data as if it's always sitting still, which it isn’t. A zero trust solution must protect data in motion as well as data at rest, applying agency policies with every connection.
So, with federal IT and networking leaders looking at zero trust through different lenses, it might help to create a simple litmus test to determine if a so-called zero trust solution is actually a zero trust solution.
One agency leader suggested looking at a solution and asking, “If the user’s device is inside the ‘castle,’ is that the primary mechanism around the security?” If it is, then it’s not a zero trust solution.
While many within the federal space may have different perspectives on precisely what zero trust is or what constitutes a zero trust solution, in the end, they all have something in common. That is, finding a new way to protect their data, employees, and citizens in an evolving world of cloud, mobility, and telework.