Implementing an effective zero trust architecture within an agency’s security framework has become pivotal to achieving cyber resiliency within the Federal government. But to be successful in the implementation of a zero trust architecture there are several elements agencies must keep in mind, according to several cyber experts.
The National Institute of Standards and Technology (NIST) defines zero trust architecture as a “collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
However, the problem that some Federal agencies are facing – particularly larger Federal agencies – is the inability to accurately identify who has access to their networks and data, creating vulnerabilities that put their entire enterprise at risk. According to Wayne Lloyd, the Federal chief technology officer and vice president of U.S. Sales Engineering at RedSeal, automation is the solution.
According to NIST, the foundation of a zero trust architecture is a usable inventory of movement and access within a network. Without that inventory, it becomes more challenging for Federal agencies to be resilient in cyber. Automation helps Federal agencies build that foundation.
“For success in zero trust, you need to build automation into those efforts,” Lloyd said during MeriTalk’s Cyber Central event on May 19 in D.C.
“It becomes almost impossible for agencies to monitor or keep track of the data on their networks and the real-time traffic in their network. To have that automation in place, to continuously monitor the status of your network and get it as close to near real-time as possible, sets you up for success,” he added.
Brian Hajost, the founder and chief operating officer at SteelCloud, highlighted another key element to the success of a zero trust architecture: a paradigm shift in the way the Federal workforce thinks about security and access.
Historically, security in the Federal space meant protecting the physical home base, but with the rapid shift to remote work and now the adoption of cloud environments, that home base has expanded. And, according to Hajost, this requires agencies to retrain their workforce around zero trust principles.
“Everyone in your workforce needs to have a clear understanding of your agency’s zero trust principles because cyber is not just an IT team task anymore,” Hajost said.
However, the implementation of a zero trust architecture for some agencies requires retiring legacy systems and modernizing their technology, which is expensive. And often agencies “face funding or budgetary constraints when attempting to comply with these new cyber mandates,” said Phil Fuster, the vice president of Federal Sales at Proofpoint.
Fuster explained that there has been an ongoing trend in the Federal government of agencies modernizing their systems, and agencies need to prioritize cyber and zero trust in their budget.