Zero trust is a new buzzword, but not a new concept. Depending on what you read, a Forrester researcher coined the term in 2010 or it first came about at the Jericho Forum security consortium a few years before that. Either way, it’s crucial today, although the model isn’t always easy to implement.
“Lately, the changing threat landscape is making this model more critical to safeguard digital assets,” said Rosa Akhtarkhavari, former CIO for Orlando, Florida, who was appointed Deputy Chief Financial Officer in October 2021. “Does it live up to the hype? Is it important? Yes. Can we implement control to where we can feel fully secure? The reality for the city of Orlando and many of the midsize organizations or governments, is it is costly, it is resource-intensive and it is operationally impacting.”
The basic tenets, such as identifying entry points, whether it’s a person interacting with a device or the Internet of Things, and securing them, are doable, as are MFA and authorization, she said.
“But as we start looking at the application and keeping up with the changes to the port level and/or to some of the patterns and actions that continue to change as the workforce continues to change, this is where it becomes too costly and resource-intensive to manage and manage properly without impacting our operation,” Akhtarkhavari said.
Some of the elements Orlando has adopted include least-privilege access and monitoring, but exactly how the city uses it at the network and application levels changes based on risk tolerance and assets’ criticality. “Adding additional control and practices that align with zero trust adds a mitigation layer to the ever-evolving and increasing threats,” Akhtarkhavari said.
With cyber threats and security, the work is never done. Right now, Akhtarkhavari is keeping her eye on emerging threats, including how to handle zero-day vulnerabilities, which are unknown security flaws.
“I would say this is a journey,” she said of zero trust. “We started that journey many years back and we continue to build on it to balance operation with security and continue to function.”
Best Practices for Aligning With Zero-Trust Security
Akhtarkhavari has straightforward ways to make zero trust happen:
- Don’t trust.
- Know your assets.
- Provide least-privilege access for employees to be able to do their job and nothing more.
- Know who’s accessing your system, whether it’s a device or a person.
- Continually raise awareness.
- Continuously monitor risks and know your trends and your activities.
- Assume there is a breach every time there is an alert, and act on that.
This article is an excerpt from GovLoop’s guide titled “Why Zero Trust Matters at Work and How to Foster It,” available here.