How to Effectively Move to a Zero Trust Architecture
In May, the administration issued its Cyber Executive Order (EO), calling on agencies to shift from traditional perimeter security toward a Zero Trust architecture and to:
- Accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS);
- Centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks;
- Invest in technology and personnel to match modernization goals.
Last year, NIST published Zero Trust architecture guidance, and NSA issued its version in February. Within days of the EO this spring, DISA released Zero Trust architecture guidance, as well.
"Zero Trust is in the Zeitgeist," said Dan Prieto, Strategic Executive for Public Sector at Google Cloud. Prieto was the featured guest on the Aug. 5 episode of Public Sector Tech Talk E13: Moving to a Zero Trust Framework that I hosted.
Zero Trust seeks to bolster cybersecurity by orchestrating multiple layers of cyber defense, including hardware, software, the asset-management function, identity and provisioning, multi-factor authentication, context-aware access (users and devices), validation of requests for applications and data, encryption at rest and in transit, and end-to-end visibility.
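To make the "context-aware access" layer concrete, here is an added example (not code from the article, from Google, or from any agency mentioned) of a per-request policy decision that combines what is known about the user (authentication, second factor, group membership) with what is known about the device (inventory enrollment, disk encryption, patch age) and the transport (encrypted in transit), and deliberately ignores the network the request arrived from. The resource names, posture fields, group names and thresholds are assumptions constructed for the illustration.

```python
"""Context-aware access decision: every request is judged on user and
device posture, never on network location.

Added example; RESOURCE_POLICY, the posture fields and the thresholds are
constructed for illustration and are not drawn from the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class User:
    subject: str
    authenticated: bool              # identity proven by the identity provider
    mfa_satisfied: bool              # second factor presented for this session
    groups: List[str] = field(default_factory=list)


@dataclass
class Device:
    device_id: str
    managed: bool                    # enrolled in the asset inventory
    disk_encrypted: bool
    patch_age_days: int              # days since the last OS/security update


@dataclass
class Request:
    user: User
    device: Device
    resource: str
    tls: bool                        # encrypted in transit
    source_network: str              # recorded for logging, ignored by policy


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]               # every failed check, for audit logs


# Assumed resource tiers: required group and the maximum acceptable
# device patch age for each resource.
RESOURCE_POLICY: Dict[str, Dict] = {
    "payroll-api": {"group": "finance", "max_patch_age_days": 14},
    "wiki":        {"group": "staff",   "max_patch_age_days": 30},
}


def evaluate(req: Request) -> Decision:
    """Default-deny evaluation; collects all reasons rather than stopping
    at the first so the denial is fully explainable in telemetry."""
    reasons: List[str] = []
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        reasons.append(f"unknown resource {req.resource!r}: default deny")
    if not req.tls:
        reasons.append("request not encrypted in transit")
    if not req.user.authenticated:
        reasons.append("user not authenticated")
    if not req.user.mfa_satisfied:
        reasons.append("multi-factor authentication not satisfied")
    if not req.device.managed:
        reasons.append("device not in asset inventory")
    if not req.device.disk_encrypted:
        reasons.append("device disk not encrypted")
    if policy is not None:
        if policy["group"] not in req.user.groups:
            reasons.append(f"user lacks group {policy['group']!r}")
        if req.device.patch_age_days > policy["max_patch_age_days"]:
            reasons.append("device patch level too stale for this resource")
    # Note what is absent: req.source_network never influences the outcome.
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample requests.
def sample_remote_managed() -> Request:
    """Finance user on a healthy managed laptop, from an untrusted network."""
    user = User("alice@example.gov", True, True, ["staff", "finance"])
    device = Device("LAPTOP-0001", True, True, patch_age_days=3)
    return Request(user, device, "payroll-api", tls=True,
                   source_network="coffee-shop-wifi")


def sample_corp_unmanaged() -> Request:
    """Same user, but from an unenrolled device sitting on the office LAN."""
    user = User("alice@example.gov", True, True, ["staff", "finance"])
    device = Device("UNKNOWN", managed=False, disk_encrypted=False,
                    patch_age_days=90)
    return Request(user, device, "payroll-api", tls=True,
                   source_network="corp-lan")


if __name__ == "__main__":
    for req in (sample_remote_managed(), sample_corp_unmanaged()):
        d = evaluate(req)
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{verdict} {req.user.subject} -> {req.resource} "
              f"from {req.source_network}: {d.reasons}")
```

The second sample is the point of the exercise: being on the office network buys nothing, and the decision is carried by device posture and identity signals that the access layer can verify for itself.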
"Zero Trust is more strategic and more integrative," Prieto said. "It is about security outcomes. A lot of prior guidance was more about compliance. And it says you can get to those outcomes by multiple paths."
Getting to Zero Trust
The question for agencies is how quickly they can get to Zero Trust. "You can leap ahead if your cloud strategy dovetails with your security strategy," Prieto said. "That can really accelerate things."
Yet the slow uptake of cloud technology—accounting for less than 10 percent of IT spending in the federal sector—is a potential roadblock. "It's shocking that cloud still feels innovative and new. We are still in the early innings of cloud adoption," Prieto said.
Other potential impediments to adoption include cultural resistance to change, an increasingly complex and fragmented IT environment, and growing volumes of data produced by mobile, social, and IoT technologies.
"The amount of telemetry you need to ingest and analyze has accelerated," said Prieto. "We're further and further behind the curve. The lack of visibility is going to get worse."
Agencies can get to Zero Trust before cyber criminals get to them by adopting robust solutions that are relatively easy to install.
"The only thing that can really bend the curve and get comprehensive end-to-end visibility is cloud-based analytics," Prieto said. Cloud enables agencies to collect diverse datasets in one place without having to manually integrate data "or feel like they're looking through a straw" when analyzing information, he said.
Zero Trust in action
Google began developing its Zero Trust framework a decade ago, prompted by an attack targeting Google's source code. Much like federal agencies today, Google sought to "make work and security easier for a rapidly growing workforce."
"We got rid of the network perimeter. We largely got rid of our VPNs," Prieto said. "We made security almost invisible for the user. All access to services and data is authenticated, authorized, encrypted and granted based on what we know about you and your device."
New York City Cyber Command, a Google client, jettisoned its SIM (security information management) and built an analytics stack on Google's data lake. Like most large organizations that can have "upwards of 150 cyber tools installed," the command is "ingesting and analyzing 30-plus billion log events per day," Prieto said.
To meet evolving cyber threats, agencies must rely on data because "you're never going to solve the security challenge by throwing more bodies at it or more compliance at it or more tools at it," he said.
That's truer now than ever. In the 10 years since Google began developing its Zero Trust architecture, threats from cyber attacks have grown in number and sophistication. Today, a decade-long initiative to build a proprietary Zero Trust solution probably wouldn't make sense.
"The cyber risk environment isn't going to give you 10 years," Prieto said. "We need to move faster."
As part of a Zero Trust effort, it's important to develop a comprehensive strategy and overarching view of an agency's cyber posture—including simple cyber hygiene—and to incorporate capabilities that provide network and asset visibility to better understand risk levels. The movement to a Zero Trust architecture in the government space will take time, but the outcomes of that transition will be significant.
If you are interested in learning more, please access the on-demand version of our Public Sector Tech Talk E13: Moving to a Zero Trust Framework episode.