Agencies Must Modernize Zero Trust Approaches to Achieve Optimal Protection


By Petko Stoyanov, Global Chief Technology Officer, Forcepoint

Many Federal agencies are considering investing in zero trust network access (ZTNA) solutions. But not all ZTNA offerings are equal, and it’s important that agencies invest in solutions that will let them align with, and reach, the “Optimal” stage outlined in the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model.

In CISA’s view, Optimal protection includes continuous validation and inline data protection. Traditional ZTNA architectures provide neither; rather, they provide encrypted tunnels, just like Virtual Private Networks (VPNs), but scoped to an individual application instead of a whole network. They do not incorporate elements such as machine learning (ML), data-centric encryption, or real-time risk analysis, which significantly raise an agency’s protection level by basing access decisions on what is actually being transferred.

To achieve Optimal status, agencies need more than a renamed VPN. Just as they modernize their cybersecurity approaches generally, they must modernize their zero trust programs to be more dynamic, intelligent, and responsive, with identity and data monitoring across all pillars.

To illustrate, let’s look at three of the five pillars of the CISA Maturity Model: Identity, Device, and Data.

Ultimately, zero trust is about enabling and controlling access from an individual to the data, continuously. The device, the network, and the application are the intermediaries through which that user-to-data access flows.

Identity
Everything starts with an identity, the “who” of the equation. We have to establish who we are before we enter a building or unlock a computer or phone. Agencies need a centralized identity solution that validates users’ credentials against a central identity directory across both on-premises and cloud environments.

Optimal identity validation requires ML built into the zero trust architecture. ML enables real-time analysis of the user or system attempting to access an application. It collects various signals (when did this person last sign on, how often do they use the application, where are they signing on from, and so on) and progressively learns each user’s normal behavior. It continuously evaluates that baseline to determine whether a person poses a risk the moment they attempt to sign on, and for as long as the session lasts.

Agencies with Optimal identity validation are continuously evaluating the identity across the full lifecycle of creation, permission management, and retirement.

Agencies should ask the following questions when evaluating their identity validation capabilities:

  • Do my users have a single identity across on-premises and cloud?
  • Do I continuously monitor to ensure users have the right access and not too much?
  • Do I have the ability to identify individuals that are demonstrating abnormal behavior?

Device
Agencies cannot just monitor the “who,” they must also consider the “what” – meaning, what device is being used to access data. They must be able to trust the devices that employees are using, particularly as employees continue to work remotely and complement agency-issued devices with their own personal devices.

This reality requires an advanced zero trust architecture that constantly monitors the devices touching the network for potential threats. The architecture must be able to immediately discern whether a device is authorized for network access, up to date on anti-malware protection and operating system patches, and hardened as far as possible. If not, the architecture must be nimble enough to block access in the moment, before the unsecured or unsanctioned device has a chance to exfiltrate data.

Agencies should ask the following questions when evaluating their device capabilities:

  • Do I check device posture on initial connection to the agency application or data? Device posture includes hardware details, OS version, patch level, running applications, hardening configuration, and location.
  • Can I identify all identities used on a single device?
  • Can I detect a device posture change after connection to an agency application?

Data
CISA states that for an agency to achieve Optimal maturity, it is not enough to store data in encrypted clouds or remote environments. The data itself must be encrypted and protected, wherever it resides or moves.

Furthermore, agencies must be able to inventory data, analyze it, and categorize it based on its characteristics, continuously and automatically. Some data might be highly confidential, for example, and should be accessible only to certain members of the organization. The ZTNA must be intelligent enough to learn and process changes to data classification. It must also be able to rapidly identify not only who is accessing the data but what type of data that person is accessing, and then match the two: the requester’s clearance against the data’s classification.

Agencies should ask the following questions when evaluating their data capabilities:

  • Can I continuously discover the on-premises and cloud environments storing my data and create an inventory?
  • Do I know the category and classification of the discovered data?
  • How do I control access to the data?
  • Do I encrypt the data within my environment and when it leaves my control?
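As an added example (not Forcepoint product code and not anything CISA publishes), here is a small policy decision point in Python that ties the three pillars together: it scores the sign-on signals named in the identity section, scores the device posture items from the device checklist, gates on the data classification discussed in this section, and re-runs the decision when posture changes mid-session. The weights, thresholds, clearance ladder, field names and sample sessions are all constructed for illustration; a real engine would learn the baselines rather than hard-code them.

```python
"""Continuous-evaluation policy decision point (added illustration, not
Forcepoint or CISA code). Names, weights and thresholds are hypothetical."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # grant only after stronger authentication
    DENY = "deny"

@dataclass(frozen=True)
class SignOnBaseline:          # learned from past sessions (constructed here)
    last_seen: datetime
    usual_countries: frozenset
    logins_per_week: float

@dataclass(frozen=True)
class DevicePosture:
    managed: bool              # enrolled and authorized for agency access
    os_patch_age_days: int
    av_signature_age_days: int
    disk_encrypted: bool
    reported_country: str      # from device telemetry

@dataclass(frozen=True)
class AccessRequest:
    user: str
    data_label: str            # "public" | "internal" | "confidential"
    at: datetime
    sign_on_country: str       # from the connection's source address
    device: DevicePosture

# Hypothetical classification ladder and per-label risk tolerance as
# (step-up threshold, deny threshold): confidential data tolerates the least.
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2}
TOLERANCE = {"public": (4, 8), "internal": (3, 6), "confidential": (2, 4)}

def identity_risk(b: SignOnBaseline, req: AccessRequest) -> int:
    """Score the sign-on signals the article lists; higher is riskier."""
    findings = [
        (req.at - b.last_seen > timedelta(days=30), 2),     # dormant account
        (req.sign_on_country not in b.usual_countries, 3),  # new location
        (b.logins_per_week < 1, 1),                         # rarely uses the app
    ]
    return sum(weight for hit, weight in findings if hit)

def device_risk(p: DevicePosture, req: AccessRequest) -> int:
    """Score device posture; unmanaged or unpatched devices score high."""
    findings = [
        (not p.managed, 3),
        (p.os_patch_age_days > 30, 2),
        (p.av_signature_age_days > 7, 1),
        (not p.disk_encrypted, 2),
        (p.reported_country != req.sign_on_country, 2),  # device vs. connection
    ]
    return sum(weight for hit, weight in findings if hit)

def decide(req: AccessRequest, baseline: SignOnBaseline, clearance: int) -> Decision:
    """Match requester to data first, then apply the label's risk tolerance."""
    if CLEARANCE[req.data_label] > clearance:
        return Decision.DENY           # classification beats any risk score
    total = identity_risk(baseline, req) + device_risk(req.device, req)
    step_up, deny = TOLERANCE[req.data_label]
    if total >= deny:
        return Decision.DENY
    return Decision.STEP_UP if total >= step_up else Decision.ALLOW

def reevaluate(req, baseline, clearance, new_posture, now) -> Decision:
    """Re-run the decision on a posture-change event; anything but ALLOW
    means the live session must be stepped up or torn down."""
    return decide(replace(req, device=new_posture, at=now), baseline, clearance)

def run_scenarios() -> dict:
    """Constructed inputs that exercise each path; returns decision strings."""
    now = datetime(2024, 3, 1, 9, tzinfo=timezone.utc)
    healthy = DevicePosture(True, 5, 1, True, "US")
    active = SignOnBaseline(now - timedelta(days=1), frozenset({"US"}), 10.0)
    dormant = SignOnBaseline(now - timedelta(days=45), frozenset({"US"}), 0.2)
    req = AccessRequest("alice", "confidential", now, "US", healthy)
    unencrypted = replace(healthy, disk_encrypted=False)
    later = now + timedelta(hours=1)
    abroad = replace(req, data_label="internal", sign_on_country="BR",
                     device=replace(healthy, managed=False, reported_country="BR"))
    return {
        "active_user_healthy_device": decide(req, active, 2).value,
        "dormant_user_healthy_device": decide(req, dormant, 2).value,
        "dormant_user_public_data": decide(replace(req, data_label="public"), dormant, 2).value,
        "insufficient_clearance": decide(req, active, 1).value,
        "posture_change_active_user": reevaluate(req, active, 2, unencrypted, later).value,
        "posture_change_dormant_user": reevaluate(req, dormant, 2, unencrypted, later).value,
        "unmanaged_from_new_country": decide(abroad, active, 1).value,
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:30} -> {outcome}")
```

The point of the per-label tolerance table is that the same dormant user who is merely stepped up for confidential data is allowed straight through to public data, and the same mid-session loss of disk encryption that only triggers step-up for an active user is enough to tear down a dormant user's session. The clearance gate sits before any scoring so that a low score can never override classification.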

The CISA Zero Trust Maturity Model indirectly acknowledges that networks have become smaller and more fragmented. As network perimeters blur, organizations must focus their enforcement points, firewalls included, on specific users, devices, and data rather than on a single perimeter. Traditional ZTNA architectures that have barely evolved from VPNs won’t be enough. Agencies need a more modern ZTNA model, replete with machine learning, to achieve Optimal protection.