REI Insights

Zero-Trust Strategies: Delivering On The Promises Of Progress
November 7, 2022

This article originally appeared in Forbes.

Numerous agencies have adopted zero-trust architectures in response to government-wide efforts to decrease IT expenditures and fight against intrusions. Along with securing business infrastructures (physical and virtual), establishing zero trust adds an extra layer of security that restricts the effect of a network intrusion by a bad actor. Zero trust may be characterized as an all-encompassing cybersecurity architecture that spans systems, networks, and applications to prevent and defend against existing and future threats.

Given that each agency often has its own security products and services, securing an organization may be a challenging task. Under the Executive Order on Improving the Nation’s Cybersecurity issued by the Biden-Harris administration and a deployment and integration roadmap from the Department of Defense Zero Trust Reference Architecture, government agencies “can no longer depend on conventional perimeter-based defenses to protect critical systems and data.”

The term zero trust has become much more prevalent than it was a few years ago because it’s no longer a speculative cybersecurity model but a widely accepted mainstream methodology. Although executive leadership is responsible for a zero-trust policy, all members play a vital role in its deployment and success. Your information security team can advise on and manage a plan and structure, but leadership must commit to funding this initiative and assisting with securing staff buy-in and cooperation. Training is critical to the continuity and success of a zero-trust architecture.

Zero-Trust Best Practices

Agencies can move quickly and safely by implementing the following zero-trust best practices to deliver on the government’s outcome-focused initiatives:

• It’s a journey, not a destination. Meet and discuss zero trust so that everyone understands the principles and purpose of the framework and why a plan should be adopted. After deliberation, draft a plan for the enterprise that integrates zero trust into annual budgeting and planning to ensure continuity. Once a plan has been accepted and is ready to deploy, provide employee training and information sessions that include an explanation of zero trust and its importance for your enterprise and its clients’ and employees’ data safety.

• Checking the box isn’t due diligence. Government agencies are caught up in a flurry of box-checking activities to meet the Federal Information Security Management Act (FISMA) requirements, with many relying on the step-by-step process from the NIST Risk Management Framework (RMF). With agencies having full autonomy in implementing zero trust across their enterprises, many aren’t continuously reinvesting in the methodology. Your information security team must stay up to date, reminding current employees of policies and procedures while ensuring new employees receive appropriate training and information. Failure to do so gives attackers the competitive edge to outsmart sophisticated digital defenses, compromising modern work environments because people, devices, apps and data are constantly at risk.

• Identifying patterns helps recognize abnormalities. Bad actors adapt quickly to digital ecosystems. Ensure that any access is limited to the set of permissions and validations necessary for each request, with no long-term access to the network. By continually managing, observing and tracing requests, agencies know where access originates and where it exits.

Due to the enormous move to remote labor, the old corporate boundary has disintegrated, exposing new cyber threat vulnerabilities and increasing the attack surface. The Covid-19 pandemic highlighted the disparities citizens face when interacting with their governments, leading agencies to rebuild faith in eroding environments of trust and resulting in agencies undergoing massive digital transformations.

As agencies begin their zero-trust journey, their first core priority varies. Some start with applications, whereas others leverage user identity. Either way, senior leadership must lead the charge and agree that zero trust is essential for adopting a new security philosophy across digital ecosystems. By taking a targeted approach to addressing specific areas of improvement based on resources, the government can build back trust while establishing an end-to-end cyber strategy that operates under the assumption that bad actors are always on their networks.

The Promises Of Zero Trust

Adopting zero trust into agency architectures can instill confidence, improve trust and keep government mission-driven promises at the forefront, which include:

• The promise of providing secure systems for the digitalization of citizen services.

• The promise of confidentiality of personally identifiable information (PII), which requires the highest security parameters for protected systems.

• The promise of high-impact service provider (HISP) continuity by fostering meaningful interactions.

• The promise of underlying data integrity to protect and defend against data leaks and corruption.

In addition to turning to the private sector for insights on rebuilding trust and integrating new and creative solutions, agencies are increasingly seeking zero-trust strategies that deliver on the promises of progress. And they’re leaning on the private sector’s expertise and skills to help overcome future security challenges and outsmart cyber attackers. Achieving this requires the government to adopt, when possible, industry best practices and lessons learned to remain competitive in a rapidly changing technology environment.