It’s difficult to have a serious cybersecurity discussion today without the conversation eventually ending up at Zero Trust. This is especially true in the federal government, where agencies have been mandated to begin implementation of a Zero Trust security strategy in just a few months. The recommended Zero Trust strategy would enable federal security teams to better understand their adversaries, identify where federal infrastructure is vulnerable and work within a standardized, coordinated response process.
On the surface, implementation seems to be going well. Okta reports that 72% of government organizations are already pursuing Zero Trust initiatives, and there’s optimism that compliance with the mandate will approach 100% before the deadline. However, despite this progress, vendor hype and fast-approaching mandates are leading to Zero Trust fatigue among federal agency IT organizations. Many security professionals in the federal government argue that Zero Trust has become little more than a buzzword, one that elicits a collective eye roll when mentioned in meetings.
Zero Trust hype has its consequences. Gartner estimates that more than half of organizations that implement Zero Trust strategies by 2025 will ultimately fail to realize the benefits.
Zero Trust fatigue is dangerous–for you, for your users, for the agencies and for the general public. In addition to being mandated on the federal level, Zero Trust is the optimal security strategy for combating today’s Highly Evasive Adaptive Threats (HEAT). Often delivered through the browser, HEAT attacks are designed to evade legacy security solutions to give malicious actors initial access to the victim’s network.
A Zero Trust approach to cybersecurity protects federal agencies from HEAT attacks by assuming that no content on the Internet is safe. Every entity (a user, application, server, etc.) that wants to connect to the network must be authenticated, always and continually. This is critical for a federal workforce that is still largely hybrid and conducts much of its business through a browser. A failure to adopt Zero Trust principles puts federal agencies at risk of these HEAT attacks.
Here are five ways federal agencies can move past the fatigue, work through the hype and achieve their Zero Trust initiatives with greater success:
Zero Trust is more than a checkbox. It’s more than a technology solution. It’s a complete rethink of how you protect your users, applications and data. Rather than focusing exclusively on detecting and responding to threats, Zero Trust is a proactive strategy for preventing threats from occurring in the first place. Layering protection on top of detection (see below) requires thinking differently about your role in keeping users, applications and data safe from malicious threats.
This realignment of security strategy is the optimal time to orient your Zero Trust strategy to your agency’s mission and overall security objectives. While there’s a clear mandate from the top, ultimately the success of any Zero Trust project will be defined by each individual agency. Goals and progress toward those goals will vary between agencies. To start making progress, you’ll need to gather feedback from critical stakeholders throughout the agency–IT, operations and the board–to determine how cybersecurity ties into every other element of your overall mission–whether it’s to protect citizens, advance research or provide government services. Then you can start to bake security policy into existing workflows and processes to better protect these assets without inhibiting productivity.
Zero Trust is here to stay, so make sure you are making a long-term investment of time, money, brainpower and resources when implementing these new initiatives. More than just a mandate, Zero Trust is a new architecture for keeping users, applications and data safe from malicious threats–however they evolve in the future. Take the time to think through these important decisions and ensure your security is future-proof and scalable by embracing cloud-native technologies with a global elastic scale. It’s important to note that there is no additional budget allocated specifically for Zero Trust projects, so agencies will need to reallocate existing budgets to fit this new long-term strategy.
Zero Trust implementation doesn’t mean you have to rip out legacy infrastructure and start from scratch. Zero Trust technologies such as Internet isolation can be layered on top of the existing security stack, augmenting current technologies and strategies. Taking a two-pronged approach that prevents initial access and monitors for abnormal activity makes sure all your bases are covered and saves you the effort and disruption of having to rip and replace your existing solutions. Seamlessly layering isolation on top of detection makes sure you are protected while you overhaul your architecture to meet Zero Trust principles.
It’s important to remember that we’re part of a larger team that spans the entire federal government, and we’re all working through the same challenges and mandates. Reach out to colleagues to see if you can glean any advice or best practices from people who may be further along the Zero Trust maturity model. Seek out like-minded practitioners at conferences, user communities and social networks to learn what works, what doesn’t work and how you can ease Zero Trust implementation and compliance.
The hype surrounding Zero Trust and the push to meet approaching deadlines is turning the cybersecurity strategy into a buzzword. It’s a shame, because Zero Trust is actually a tried-and-true cybersecurity strategy ideally suited to protect federal agencies from today’s HEAT attacks. Cybersecurity professionals in the federal government need to combat fatigue, work through the hype and achieve their Zero Trust initiatives with greater success.