With an estimated $18.78 billion allocated for cybersecurity spending in 2021, eliminating breaches and tightening security is a high-investment priority for the government today. Those dollars are going to new places, and agencies must adapt to a new paradigm in which perimeter-based security and traditional firewall approaches no longer suffice. But agencies also face a dual challenge: to protect government data amid budget constraints, and to serve their mission with greater velocity.
To make the most of their resources, organizations should focus on being resilient – how they can manage risk and continue to go forward knowing that risks still will exist. This focus has led to an increased need for zero trust solutions, following the realization that the traditional security approach is no longer working for agencies.
“Breaches are still occurring at an accelerated rate, attackers are getting smarter, more sophisticated, and better funded,” said Justin Wilkins, Director of Engineering for the U.S. Public Sector at Varonis. “A zero trust solution is so effective because it assumes breaches, and implements the required segmentation and controls inside of the firewall.”
Zero trust helps agencies gain real-time visibility across all the relevant entities – users, workloads, networks and devices – and uses analytics to continuously assess an organization’s security posture and determine each entity’s worthiness to connect – and remain connected – to a given enterprise resource.
The additional monitoring and visibility required in a zero trust architecture also provides security analysts and SOC teams with more detail and context into user activity, ultimately making them better at threat hunting and identifying malicious actors.
The possible impact of government adopting zero trust enterprise-wide is extremely positive.
“There would be a significant decrease in the mean time to detection and mean time to remediation,” Wilkins said. “Breaches would be detected far earlier in the process and far earlier in the kill chain and adversaries would have access to far less data and far fewer devices.”
Wilkins shared details on building a zero trust architecture, and identified four key pillars of zero trust for agencies to focus on:
- Zero Trust Data. Data needs to be prioritized, Wilkins said. Agencies need to shrink the perimeter on the data itself, monitor it, and understand who has access.
- Zero Trust Networks. Agencies should implement segmentation, to isolate the connections between devices and make it difficult for hackers to move laterally and access resources.
- Zero Trust Users. It is essential to identify any privileged accounts on the network and then closely monitor their activity.
- Zero Trust Workloads. Finally, agencies must implement zero trust controls across the entire development stack – from front-end web servers to backend database storage.
The pillars are connected and reinforced by analytics and automation, so that all activity involving users, devices and data is closely monitored. Analytics are put in place to identify privilege abuse and other types of suspicious behavior.
Zero Trust Shapes the Future of Federal Cybersecurity
Zero trust is often the right choice for Federal workloads, and adoption is accelerating. During a recent MeriTalk webinar, Acting Defense Department (DoD) CIO John Sherman said the COVID-19 pandemic and subsequent push for telework has created an opportunity to expand DoD cybersecurity protocols.
“I really want to use this opportunity to move toward zero trust” security concepts – which rely more heavily on constant testing of user authentications and privileges, Sherman said.
Sherman is working with the Defense Information Systems Agency, the National Security Agency, and Cyber Command on the particulars. “We have the pieces to make this work [including] robust endpoint, middlepoint, [and] comply-to-connect,” he said.
Sherman has pledged for the DoD to be a leader for Federal colleagues in showing the way to zero trust implementation, and many Federal and military organizations are following suit.
In April, Tony Plater, the acting chief information security officer at the U.S. Department of the Navy (DoN), discussed why the switch to zero trust is vital, along with how the Navy has benefitted from the change.
“Zero trust offers a fundamental or paradigm change to security and data sharing across DoN networks. We now operate from a perspective that the network has been breached or will be breached at some point,” Plater said. “From a security perspective, zero trust architecture will better enable the DoN to track and block external attackers, while limiting security breaches from internal human error.”
Alma Cole, chief information security officer at U.S. Customs and Border Protection, said the old Federal security model was “a huge challenge” when it came to besting adversaries.
Cole said his agency is still in the “basic” stages of implementing zero trust, but believes it’s better to take a slower approach and ensure every zero trust policy is in place from the start.
Zero trust completely changes the cybersecurity paradigm and requires rethinking the overall security stack, Wilkins noted. As agencies revise and restructure their cybersecurity architecture, zero trust principles enable them to increase the difficulty for adversaries working to affect data and systems. Agencies can reduce time to detection and ultimately limit the amount of damage done.
Zero trust also allows agencies to effectively shrink the perimeter from the traditional network boundary down to the data, users, and devices – reducing breaches caused by human error or a lack of monitoring.
“With the current threat landscape, zero trust principles are an absolute requirement for protecting our data,” Wilkins said.