Federal agencies are under pressure to adopt zero trust in order to build cybersecurity resilience into their IT networks and environments.
Both President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity and the federal zero trust architecture strategy from the U.S. Office of Management and Budget (OMB) make this an explicit priority. Under these guidelines, federal departments and agencies are tasked with implementing zero trust by the end of fiscal 2024 to strengthen their cyber defenses.
The challenge is that zero trust is not one specific product or technology. It’s a methodology coupled with a change in mindset. Rather than viewing zero trust through that narrow lens, agencies and institutions need to take a more holistic and comprehensive approach.
“In developing their strategies, agencies need to consider the entire ecosystem of controls — network, endpoints, cloud, applications, Internet of Things devices, identity and more — that they rely on for protection,” said Drew Epperson, Senior Director of Systems Engineering in Public Sector with Palo Alto Networks.
Eliminate Implicit Trust
At its core, a holistic approach to zero trust is about eliminating implicit trust across the organization. This means eliminating implicit trust related to users, applications and infrastructure.
- Users: “Zero trust for users starts with establishing strong identity controls that must be continually validated for every user,” said Epperson. “This includes using best practices such as multifactor authentication and just-in-time access, which is granting users access to applications or systems for a predetermined period of time, on an as-needed basis.”
- Applications: The shift to cloud is driving new application development practices and faster application rollout. “Design with zero-trust principles from the start when it comes to application modernization and cloud adoption,” Epperson said. “For cloud native environments, a zero-trust architecture continuously runs cybersecurity checks at every stage of the software development life cycle. From a development and DevOps perspective, this results in safe and frictionless application development.”
- Infrastructure: Because the average organization runs 45 cybersecurity-related tools on its network, IT teams often have poor visibility and control over unmanaged resources such as IoT devices and supply chain infrastructure. “That means for everything infrastructure-related, including routers, switches, cloud and especially IoT, eliminating implicit trust is even more critical,” Epperson said.
Start With Solutions Already in Place
To move effectively toward a comprehensive zero-trust strategy, it’s helpful to take stock of existing resources and identify potential liabilities. “Do an audit of what you have in place today and optimize those products and solutions,” said Epperson.
Moving forward, you need a partner who takes a holistic perspective on zero trust. The vendor you choose should have a comprehensive portfolio with a broad ecosystem of security partners, and an unparalleled ability to make your zero trust journey a reality, he said.
To learn more, read the recent report titled “Making Zero Trust Actionable: Key Ways to Accelerate Your Journey.”
This article appears in our guide “Bright Ideas for Making Cyber Stick.” To see more about how agencies are implementing cybersecurity, download the guide.