Although federal cybersecurity teams historically adopt new trends and technologies more cautiously than the private sector, Zero Trust is an exception. In just a few years, the idea of continuously interrogating users and devices to ensure proper controls has become one of the most talked about topics in cybersecurity.
This isn’t a light lift for even the smallest of companies. There’s no Zero Trust easy button — you must adopt a new security strategy, implement multiple technologies, and conduct in-depth assessments of your network and assets to get there (or even to get started).
The federal government’s push to Zero Trust will be more difficult. With the complexity of the networks and the sheer size of the organizations and agencies that have to implement a new framework, getting to Zero Trust is not and will not be an easy task.
Recently, the federal government has taken note of this and there has been an increase in fed-specific Zero Trust guidance. The almighty NIST published NIST SP 800-207 in August 2020. This introduces the Zero Trust concept, considerations, and steps that government agencies can take to get started. Since publishing, the government has seen a drastic increase in remote workers and government devices connecting to new networks, meaning a push toward Zero Trust is now more urgent than ever.
This makes sense as to why the National Security Agency (NSA) released a cybersecurity information document on “Embracing a Zero Trust Security Model” targeted more specifically at the Department of Defense, National Security organizations, and Defense Industrial Base (DIB) organizations. They are getting serious about the path forward and are trying to lay the groundwork to get government agencies aboard the Zero Trust train.
So what’s in the NSA’s Zero Trust guidance? Why is it important? Where do you start?
Let’s dive in.
What Zero Trust Means to the NSA
The NSA document reminds us what Zero Trust is and what it means to the NSA:
“A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries.”
Zero Trust isn’t just a new tool to add to the analyst’s toolbox. It’s a coordinated, strategic approach to understanding who and what's inside and outside your networks — and the threats associated. The backbone of the concept is to assume you’ve already been breached, and approach every situation with a “never trust, always verify” mindset — instead of the traditional “trust, but verify” approach.
Why Zero Trust is Important for Federal Cybersecurity
Whether you’re reviewing and closing out alerts in a SIEM, searching for indicators of compromise (IOCs) from a recent breach, or conducting incident response investigations, cybersecurity in the federal government has become incredibly reactive and tactical.
Zero Trust is a strategic framework to shift an organization’s approach to proactive security so there’s less chance of a cyberattack, and more time for teams to focus on the tactical response if something does get through the Zero Trust defense.
Unfortunately, implementing Zero Trust isn’t a quick fix or something you can just throw money at to make it work. It’ll take a long time and will have to be integrated across all security teams, tools, and processes to be truly effective. While a heavy lift up front, the impact of implementing Zero Trust gives network defenders more opportunities to identify threats, and more time to remediate incidents.
As the NSA document puts it:
“Tactical responses will likely still be necessary even in a Zero Trust environment, but with the appropriate security model, mindset, and response tools, defenders can begin to react effectively to increasingly sophisticated threats.”
Where to Start
One of the top challenges associated with implementing Zero Trust across the federal government is, “a lack of full support throughout the enterprise, possibly from leadership, administrators, or users. The mindset required for Zero Trust must be embraced fully for any solution to be successful”, according to the NSA document.
So where do you start? With your people.
Everyone in the organization should understand Zero Trust at a basic level and learning the NSA’s guiding principles behind it:
- Never trust, always verify
- Assume breach
- Verify explicitly
While these make me feel paranoid even just typing them, understanding and implementing the principles is how you start getting your organization to a security-first mindset. This will be a change for many and will mean additional (sometimes annoying) measures like multi-factor authentication, continuous monitoring, and identity verification will be implemented.
However, in the DoD and intelligence community, a Zero Trust mindset isn’t necessarily new. It’s not always called “Zero Trust”, or thought of in conjunction with cybersecurity. Having been an analyst in the intelligence community, similar concepts as “Never trust, always verify”, and “Assume breach” were ingrained in our psyche for day-to-day physical and personal security.
For example, in a government agency, you’d never hold the door open to the sensitive compartmented information facility (SCIF) and let a stranger with no identification waltz in. Likewise, you wouldn’t share highly sensitive or classified information with someone without first verifying they had the correct clearance levels or “need to know”.
Since federal employees (especially those in the DoD and intelligence community) already take a security-first approach in their daily lives, it shouldn’t be too hard to understand in their virtual lives.
Before buying technology or even assessing the networks for threats to implement Zero Trust, the whole organization needs to be on the same page about what Zero Trust is, the guiding principles, and how it all maps to federal cybersecurity.