As government applications move to the cloud and more and more services are provided digitally, the number of citizens accessing services online has increased dramatically. With many organizations adopting work from home policies, and COVID-19 encouraging people to spend less time in public places, government agencies are under pressure to provide online services.

One of the top priorities is to modernize application infrastructure and mitigate risks from lateral movement. Another priority is to improve user experience and efficiency, especially for citizen access to services. The goal is to enable constituents to interact efficiently and securely from anywhere, rather than having to come to a physical location and interact with paper.

The 2021 Adobe Digital Government Services Survey showed that 77% of citizens surveyed would use more government services if they were accessible from the Internet. At the same time, few government agencies say they have the capabilities to deliver their services from the Internet in a secure and effective manner.

Most government agencies host public facing services for their citizens. Realizing that there is no defined standard for consolidated agencies to comply with, each agency runs their own individual security programs.

Traditionally, organizations have protected data centers and offices with the castle and moat architecture. That was great when people drove to work every morning and citizens came to a physical location to interact with the government. Still, as people started working remotely, VPNs became a necessity, extending the network and creating more risk of compromise. Eventually, organizations started shifting to cloud infrastructure, leading to a natural evolution of extending the network into the cloud, exposing multiple attack surfaces.

As the network access has changed and expanded beyond the on-premise data center, the traditional architecture creates more opportunity for attacks and compromise. Who’s on the other end of the VPN, where are the connections coming from, and how do we prevent lateral movement across the network from a single access point? We’re creating doors and windows of access within these protected networks and it has become very challenging to protect data while delivering a good user experience, for employees, partners or citizens.

The First Step

Traditionally, citizens access government services by typing a URL into a web browser. There are inherent security risks with this approach, as citizens (users) are connected directly to the web application over the internet. The firewalls protecting the application provide attack surfaces for bad actors, and vulnerabilities in firewall or applications can be exploited.

Some agencies have taken a first step to addressing these challenges by adopting some concepts of a “Zero Trust Architecture”. Zero Trust states, among other things, that no user should have access to any resource, without first being authenticated. When citizens are authenticated prior to gaining access to services, agencies gain significant visibility and control

over application access. As a result, many agencies have adopted identity programs that allow citizens to authenticate via social media platforms (Instagram, Google, LinkedIn) as well as using Multi Factor Authentication (MFA). This eliminates the need for agencies to manage login credentials for all citizens, while still providing the ability to manage access.

This is a great first step that is essential in the journey to Zero Trust, but still leaves some gaps. Even after authentication, an agency’s firewalls, applications, and services are still visible to the internet, and bad actors can still discover and attempt to compromise those components. We can start the concept of understanding identity and who our users are, but the network is still reachable. The infrastructure is still on the Internet. Is there a way to make a secure connection without spending substantial resources on rearchitecting and redesigning the infrastructure or making massive changes in the near term? Zscaler thinks there is, and that’s what leveraging zero trust strategies is all about.

Zero Trust Citizen Access - How it Works

ZTCA is a new capability in Zscaler Private Access (ZPA) that has been designed specifically to provide citizens with simple, secure and highly scalable access to any public web or legacy applications.

Zscaler’s Zero Trust Citizen Access provides a complete Zero Trust architecture for government agencies by not only requiring user authentication for every citizen, but also removing firewall and application attack surfaces by “hiding” web applications - including legacy apps - from the internet, making them undiscoverable to potential attackers.

Using ZPA’s - Browser Access solution functionality, Agencies do not need to maintain heavy security infrastructure. ZPA, serves as an Embedded Application Security architecture, and helps replace the following:

Remote access services
SSL portals
External FW / IPS infrastructure
DDoS protection
Global Load Balancing
Dedicated Internet & WAN circuits

In contrast to the traditional approach discussed prior, citizens do not establish direct connections to firewalls, web servers, or applications. Citizen users are connected only to the Zscaler cloud once they are authenticated. The Zscaler cloud validates access policy for that user and leverages a technology called “Application Connectors” to connect that user to their requested application.

Application Connectors sit in front of applications and allow them to communicate with the Zscaler cloud, but not the public Internet. This means that applications are not visible or discoverable from the internet, and because they can’t be seen, they can’t be attacked. Application Connectors effectively remove the attack surface from the process.

When a citizen successfully authenticates, Zscaler proxies the connection between the citizen and the Application Connector – it “stitches” the connections together temporarily, for only the duration of the web session. This means the application is only accessible to authorized users (citizens) who have authenticated to the Zscaler cloud. This approach also allows for a number of other measures to be taken that provide mitigation against a range of network-based attacks.

Zero Trust is a cybersecurity strategy that focuses on restricting access to only those who need it at a given time. This approach has traditionally been used for internal networks, but it can also be applied to external-facing websites to create Zero Trust Citizen Access. This approach involves adding a layer of Zero Trust outbound-only connections to constituent-facing websites, reducing the vectors of compromise and increasing security.

Implementing Zero Trust citizen access does not require a complete infrastructure overhaul, nor does it take years to implement. It is a layer that can be added onto existing infrastructure to provide near-term value. Citizen access remains the same, with users going to the same URLs and experiencing the same user interface. The only change is the addition of an identity prompt that allows for explicit usernames and passwords or social logins.

ZTCA leverages application segmentation, a key facet of ZPA that creates a segment of one between a named citizen and a named application. It means that citizens are never brought on the network and the application is never exposed to the Public Internet.

Public agencies can rely on ZTCA to deliver real-time visibility into citizen activity, identify citizens who access applications via browsers, eliminate the public attack surface, reduce the risk of lateral movement all while greatly increasing the scalability of their services.

Standardizing critical infrastructure is essential for creating a robust cybersecurity posture, ensuring efficient communication between government agencies and their constituents. Organizations should shift focus to modern cybersecurity maturity models that reduce attack surfaces, implement best practices, and standardize critical infrastructure. As technology evolves, it is essential to maintain the security and efficiency of critical infrastructure.

For more information about Zero Trust Citizen Access: