Zero trust requires both the right approach and the right technology
According to Gerald, the challenge many federal agencies face is knowing how to get started.
“I think a lot of people get mired in the technology, and don’t think as much about the strategic aspect of things,” said Gerald. “Before you start deploying all these new tools, it’s important to think about what you want them to do and how you see them contributing to your overall zero-trust strategy.”
Gerald also emphasized the importance of beginning with a “big picture” strategy, and then working down to the specific tools and technologies that enable that strategy. A starting point for this strategy might include the Zero Trust Reference and Maturity Models released by the Department of Defense (DoD), National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) for their federal stakeholders, which all have these five foundational pillars in common:
Instead of trying to address these pillars in isolation, agencies must work through them as equal parts of a comprehensive zero-trust architecture. This means considering how to integrate the pillars into a zero-trust strategy before spending time worrying about what technology or tools are needed to do that.
Spotlighting DoD best practices for developing an effective zero-trust strategy
For an example of a holistic zero-trust strategy, we don’t need to look further than the highly anticipated one published by the DoD in November 2022.
In this strategy document, the DoD outlined four high-level goals for a department-wide zero-trust cybersecurity framework:
- Zero-trust cultural adoption: The DoD must develop a framework and mindset that guides the design, development, integration and deployment of IT assets in a zero-trust architecture.
- Information systems secured and defended: DoD cybersecurity practices must incorporate zero-trust principles to achieve resilience in information systems.
- Technology acceleration: The DoD must deploy zero-trust technologies quickly to remain ahead of the changing threat environment.
- Zero-trust enablement: The DoD must integrate its zero-trust framework alongside existing processes in a seamless, coordinated manner.
Furthermore, the DoD outlined 152 specific activities it needs to implement in order to reach “targeted” and “advanced” zero trust. These activities map across the different zero-trust pillars and stretch from basic capabilities—like creating user and application inventories—to advanced capabilities that incorporate AI and automation.
Although the strategy is aligned to the unique mission requirements of the DoD, Gerald pointed out that all federal agencies may find the activities listed helpful to include in their own zero-trust strategies. That being said, he also stated that some agencies fall into the trap of making their zero-trust strategy more complicated than it needs to be. At the end of the day, zero trust can be defined using a few simple principles that haven’t changed all that much since Forrester Research proposed the concept in 2009:
- All entities are untrusted by default.
- Least privileged access is enforced.
- Comprehensive security monitoring is implemented.
If your strategy meets these basic requirements, then you’re on the right path. A detailed strategy with a long list of forward-looking capabilities may be appropriate for some agencies, but it’s not required to capture the “low-hanging fruit” of basic zero-trust principles.
Extending zero-trust beyond the fault line
The growing importance of digital ecosystems can make zero trust more difficult for federal agencies. It’s one thing for an agency to apply zero-trust principles within its own IT infrastructure, but now it needs to extend those capabilities “beyond the fault line” to anywhere it interconnects with ecosystem partners. This includes locations both within the U.S. and overseas. A global reach is essential to enable inter-agency collaboration, which Gerald named as one of the most overlooked zero-trust use cases.
Agencies that fail to implement zero trust in a careful, strategic manner could end up putting up more silos than they’re breaking down when it comes to inter-agency collaboration. There must be universally accepted data-use agreements in place to support collaborative functions like those used in healthcare, law enforcement, national defense, and other areas of government. This requires a delicate balance between openness and vigilance.
In addition, federal agencies are increasingly recognizing the need to leverage a hybrid multicloud architecture that’s more complex than previous iterations. The federal shift to multicloud was exemplified on December 7, 2022, with the announcement of the DoD’s long-awaited Joint Warfighting Cloud Capability (JWCC) contracts with AWS, Google, Microsoft and Oracle. DoD stakeholders have stated that as part of the JWCC initiative, they were looking for partners capable of offering secure cloud services to accelerate zero-trust adoption. Doubling down on this, the National Defense Authorization Act (NDAA) for FY 2023 includes a requirement to test and evaluate the cybersecurity capabilities of commercial cloud service providers to increase transparency.