Simplifying the Path to Zero Trust for Public Sector Security
Zero Trust is a common technology buzzword that is often referenced in conversations about security, yet it also can have a variety of meanings based on individual interpretations.
We define Zero Trust as a security framework that enacts the principle of least privilege (PoLP): users' identities are dynamically verified, and the risk of each transaction is assessed, before they receive the minimum access necessary to do their job. A Zero Trust environment with strict PoLP improves an organization's ability to resist sophisticated attacks whether they originate within or outside the network.
For IT organizations in the public sector, there's never been a more critical moment for them to adopt a Zero Trust posture: security breaches are relentlessly on the rise, bad actors are getting smarter and more sophisticated, and organizations — especially government entities that are entrusted with highly privileged personal information — must step up to address these security concerns. At the same time, many of these same organizations are slow or hesitant to implement Zero Trust policies and protections, as they perceive them to require too much time, money and resources to implement — it's just too complex, they lament.
In fact, despite the many moving parts required for achieving successful Zero Trust, the reality is: it doesn't have to be complex — especially when guided by WWT's approach that eases the path to implementation. More importantly, it's especially critical for government IT organizations to implement Zero Trust now (and do it well) given a host of global crises, changing public needs and ever more sophisticated attempts at theft, fraud and abuse.
Many federal agency networks have the security disadvantage of being "flat" (that is, traditional data center operations relying on traditional firewall architecture to stand between attackers and assets), which exposes them to serious vulnerabilities. Although they might have a hard perimeter of protection around their enterprise, once a firewall has been breached, crafty interlopers can gain access to a wide range of assets as they move laterally throughout the system. At the same time, agencies that migrate to a public or hybrid cloud infrastructure can also be vulnerable to new threats as they lose visibility, control and integrity of sensitive data.
Further complicating today's public sector security challenges, government workplaces were not immune to the impact of the coronavirus pandemic on employees, many of whom repurposed home networks to create a massive ad hoc remote workforce. With their workforce scattered, public sector agencies cannot rely on mere perimeter security anymore. Now the need extends beyond securing the onsite network to mobile individuals, regardless of where they are located. In addition, it's a global economy and government agencies must interact with individuals and institutions the world over, each with its own data networks, local policies, red tape and other security challenges.
Despite all of these complexities, maintaining a Zero Trust posture is critical to ensuring maximum security in the public sector.
Public sector IT organizations are required to comply with multiple sets of security standards:
- The National Institute of Standards and Technology (NIST) is the non-regulatory government agency that develops technology, metrics and standards for U.S.-based organizations in the science and technology industries.
- The Trusted Internet Connections (TIC) 3.0 initiative drives security standards and leverages advances in technology to secure a wide spectrum of agency network architectures. TIC 3.0 is a great starting point for Zero Trust in the civilian space.
Because no single vendor can solve for Zero Trust on its own, it is important for agencies to understand where they stand in the maturity model. WWT has an extensive background in providing assessments and roadmaps for reaching a mature model, along with ways to operationalize it. Following these standards, WWT works with best-of-breed and approved technology products to help architect solutions that are tailored to each agency's existing enterprise and solve for each layer of Zero Trust.
Intel plays a pivotal role in our Zero Trust implementation strategy through its Intel® Software Guard Extensions (Intel® SGX) technology, which imposes an additional defense layer to minimize potential attack surfaces.
Would-be attackers usually follow the path of least resistance, which typically involves exploiting software vulnerabilities. Intel SGX provides a uniquely granular level of protection in which hardware-based memory encryption isolates application code and data in memory. This enables the allocation of private "enclaves" — memory regions that can be safeguarded from processes running at higher privilege levels. By not relying on the operating system or virtual machine software layers for this protection, Intel SGX helps resist many such attacks, answering the public sector's need for secure computing.
These capabilities, combined with the smallest available attack surface, are why WWT regards Intel SGX as its preferred hardware-based data center trusted execution environment (TEE).
At WWT, we regard Zero Trust as the layering of security protocols redundantly throughout the organization — individual PC firewalls, access to the network, to the data center, cloud, software applications, data repositories and more — all tied into specific permissions with individual access levels and verifications, constantly monitored and updated, effectively elevating security to the next level.
To help customers truly understand Zero Trust — what it means and how it applies to them — WWT often starts with a Zero Trust Briefing for key stakeholders to connect the importance of a secure environment to their long-term vision and strategy. Through training workshops, demos and sandboxes, we build our customers' understanding of the state of the security market, who the major players are and the value they bring, and how offerings integrate into the agency structure to establish a Zero Trust posture.
While we follow a thorough, well-defined process, WWT is also flexible in modifying that approach to meet the unique needs and challenges of each public sector entity. Our proven four-step process includes:
- Evaluate: Assessing the architecture and current security posture to determine how to derive the biggest impact — pinpointing vulnerabilities and optimizing return on investment.
- Design: Establishing a detailed roadmap and timeline for a successful "Crawl Walk Run" approach that secures all exposure points.
- Implement: Untangling the web of complexity with a plan that creates discrete, easily attainable tasks and enables agile workflows with a shorter implementation phase.
- Operate: Continual optimization is key to implementing Zero Trust. WWT helps operationalize, automate, monitor and manage your security solution to keep it at peak efficiency.
Briefings and illustrations are only the first step — it's in WWT's Advanced Technology Center (ATC) where our Zero Trust solution comes to life for customers. In the ATC, they can evaluate its effectiveness for themselves, observe how it integrates with other technologies and see how it enables them to achieve Zero Trust in their public sector environment.
Zero Trust is more than a buzzword; it's an important and essential security posture in the modern age. And nowhere is it more critical to the stability of our world than in the public sector. It needn't be complex, but it must be implemented correctly — and soon.
From idea to outcome, WWT has the technology resources and experienced approach to implement a Zero Trust solution with speed, simplicity and cost-effectiveness. For a closer look at Zero Trust solutions from WWT, request a Zero Trust Briefing or contact us to learn more.