Fortinet Inc.

04/24/2024 | Press release | Distributed by Public on 04/24/2024 09:51

Zero-Trust Adoption Across Government

At federal agencies, the COVID-19 pandemic and the shift to remote work in conjunction with Executive Order (EO) 14028 in 2021 accelerated the adoption of zero-trust principles, emphasizing the need for secure and efficient operations outside traditional office environments. Although the zero-trust security paradigm had been discussed and partially implemented in organizations before 2021, the EO was the catalyst for agencies to take systematic action.

While the government had been aware of the various risks to the integrity of the software supply chain for many years, the massive SolarWinds compromise in late 2020 was a wake-up call. A Remote Access Trojan attributed to a nation-state advanced persistent threat actor infected source code in a popular IT management product and compromised 18,000 networks in both the federal government and private sector companies, including critical infrastructure providers. At many agencies, people started looking at zero-trust architectural philosophies more seriously, realizing that the traditional "castle and moat" approach of keeping malicious actors out and implicitly trusting everyone inside the network perimeter was a fallacy.

With zero-trust security, trust must be established each time there's a connection and ideally revalidated as new applications are opened and even as new types of activity are undertaken. Zero trust is based on identity and access management. Trust can't be assumed just because a person, device, or connection is located inside the network. This concept is coupled with least privilege access, which is a cyber equivalent of the "need to know" principle that the national security community has operated under for many years. For example, if a user or device only needs to read data to accomplish the task at hand, don't bestow the authorization to write to a file or to delete it.

Remote Work Becomes a Reality

Additionally, in 2021, organizations everywhere had to cope with the onset of COVID and the massive and sudden shift to remote work, which served as the death knell for wired perimeter-based operations as the normal operating posture at many organizations in government and the private sector. At many agencies, people who worked and connected remotely from home used VPN-based security, which introduced new risks for agencies since cybersecurity in the home office IT environment is seldom enterprise grade.

Remote users connected through VPN tunnels, and many agencies lacked the capability to inspect network traffic transiting these encrypted tunnels in real time, with the result that malicious activity could reach agencies undetected. In the 12 months following the transition to remote work, FortiGuard Labs reported a 10x increase in ransomware infections of organizations. And many of these infections reached organizations' networks through users' home office endpoints over VPN connections. When organizations lacked strong identity and access controls and had relatively flat networks, any bad actor that got inside the network could go virtually anywhere. These new risks led organizations to look at stronger identity and access management solutions and microsegmentation.

Remote work also posed challenges for network architectures and for application performance. Some agencies required that remote users' access to cloud-based applications be routed back through the agency's data center rather than a nearby cloud point of presence. This routing added latency and cost and degraded the user experience, introducing performance problems for latency-sensitive applications such as online-meeting software.

Even though users could get their work done, the situation was not ideal. Over time, it became clear that users needed an environment that worked seamlessly so they could work successfully and share data safely and securely with partners no matter where they were located. The combination of zero trust with IT technologies such as software-defined wide-area networking (SD-WAN) and cloud services makes it possible for users, devices, compute resources, and data to seamlessly connect regardless of where any of those four elements may be located.

The combination of a nation-state threat like SolarWinds and the realization that remote and hybrid work are here to stay changed the federal government's approach to cybersecurity. EO 14028 was, in part, a reaction to those changes and served as a catalyst to prioritize and begin implementing new cybersecurity and technology modernization projects.

The Power of Partnership

After I retired from government, I used to have spirited and almost theological debates with former peers in government who said that zero trust could not be done at scale or not for their particular use case. But one of the things I learned when I left government and went to work in the private sector was that technology companies already had solutions that effectively addressed most of the elements of zero trust and that some companies had effectively implemented zero-trust approaches across complex global operations. When EO 14028 came out, and the government suddenly went all-in on zero trust, people at many agencies paid a lot more attention to these commercial solutions as building blocks for implementing a zero-trust architecture within government.

The good news is that implementing better security, especially with regard to zero trust, is a partnership. Government does a good job of creating conceptual frameworks and vendor-agnostic technical reference architecture and strategies, many of which gain traction within the private sector as well as government. However, implementing zero trust even within government agencies is almost exclusively done using commercial off-the-shelf products.

More good news is that many midsized companies and virtually all large corporations are implementing zero trust, so agencies don't have to reinvent the wheel. Because they can leverage the power and diversity of solutions being developed for the private sector market, agencies are likely to find solutions that fit their price point, mission needs, and technology stack.

Unfortunately, the news isn't all good. Many organizations struggle with technology integration across vendors, which underscores the need for broader industrywide collaboration. Although many vendors are adding security capabilities, the solutions are often siloed, particularly regarding the policy enforcement points crucial to implementing zero trust at speed and at scale. Dealing with multiple "walled gardens" of capability that can't share data or commands impedes further and faster progress in implementing zero trust.

It's important to realize that implementing zero trust doesn't happen in isolation. There is nontechnical work to be done, starting with getting leadership buy-in, including finding an active executive champion and educating the workforce. The label "zero trust" can also be off-putting to non-cyber audiences because of its Orwellian connotations. Helping the average user understand how zero trust can help them become more productive, and even provide a safety net against the consequences of an innocent mistake, is an important first step.

When it comes to technical implementation, an agency's starting point should be determined by its technology roadmap. Working on identity and access management is a good first step, but if you're already refreshing a different part of your technology infrastructure that happens to align with some other aspect of zero trust, such as policy enforcement, that should be your starting point instead. While the destination for zero-trust implementation is the same for all, each agency will proceed at a different pace and along a different path to get there.

Learn more about how Fortinet ZTNA improves secure access to applications anywhere for remote users.