Hybrid cloud, multicloud and mobile environments create new opportunities for efficiency and new cybersecurity challenges for federal agencies. The challenges include increased attack surfaces, a poor user experience, and unreliable visibility and control over who is accessing sensitive applications and data.
How can agencies connect users to needed resources, regardless of their location or device type, without publicly exposing those private applications to threats?
The Remote Access VPN Challenge
Traditional remote access VPNs provide access to on-premises environments, but as applications move to the cloud, VPNs introduce additional security and management challenges. The complexity, maintenance and architecture of VPN technologies result in latency and a poor user experience. In addition, these solutions expose attack surface, because the VPN concentrators that connect remote users to the network must listen for inbound connections. They also raise the potential for lateral movement by users or malware, as users may gain access to applications running in network segments that administrators had not intended them to reach.
What’s the solution? To gain more granular visibility and access control, reduce the attack surface, and provide a seamless user experience, agencies are implementing a zero-trust model.
Why Should Feds Explore Zero Trust?
Zero trust ensures that access is secure. The initial assumption is that an organization does not inherently trust any user; access solutions must first verify and authorize users before granting access.
Users can then connect to applications, regardless of location, based on granular policies defined by IT admins. This connectivity approach creates a better user experience for remote agency users while maintaining full security and visibility into user activity across hybrid and multicloud environments.
The private sector has been successfully deploying security solutions based on this zero-trust model across a variety of use cases for several years now. By decoupling application access from network access, enterprises have strengthened their security posture, provided a seamless user experience and improved visibility for administrators. But federal agencies have additional considerations when adopting zero trust, requiring an approach that is certified by the Federal Risk and Authorization Management Program (FedRAMP), delivers TIC 3.0 functionality, and is specific to their mission goals. There is no one-size-fits-all solution.
How to Get Started with Zero-Trust Security
Before implementing what Gartner calls zero-trust network access (ZTNA) solutions, agencies should assess what elements of zero trust are already in place in their security architectures. They should first consider their identity and access management (IAM) implementations and maturity to assess what roles are already defined. Are these functions ready to help drive users to required resources?
Another consideration is the current level of visibility into user activity — the greater the understanding of data and user access now, the easier it will be to develop granular future policies that can adapt over time and give agency employees the right access to perform their job functions.
Next, agencies need to consider whether security policies are technology-focused or goal-focused. A good security policy should be goal-oriented to ensure that, regardless of device or location, all authorized users who need access can access agency resources through a secure, encrypted, inside-out connection.
Zero trust is a starting point on the path to the larger goal of establishing trust. Once agencies have trust in users (and potentially their devices), administrators can connect users to authorized applications based on the context in which they are accessing them (device, location, etc.). Many agencies will find they already have some building blocks for zero trust in their environment. For instance, they may already have endpoint management, Continuous Diagnostics and Mitigation, application and data categorization, network segmentation, and cloud monitoring in place.
Customize Different Components of Zero Trust
Zero-trust implementations will be unique, based on mission goals and IT environments. However, there are three main components all zero-trust models should include: visibility, granular security and scale.
Security teams can’t protect what they can’t see. Therefore, the first step is visibility. The key is to understand the importance of specific applications and associated data within an agency’s mission. Having a good relationship with mission and data stakeholders can help security administrators identify previously unknown high-value apps and determine who is accessing them to better inform security decisions.
One approach is to begin with a hybrid model in which granular controls are applied for known sensitive applications along with an open connectivity approach that allows observation of what users are doing today. This will provide visibility into how users interact with the environment and who is accessing what applications, without disrupting work.
From there, each agency can continue to refine its policies over time, ratcheting up the granularity as needed. Agencies can categorize different use cases, from broad to specific, to gain insight into data usage, track users’ access and improve the overall security posture.
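The hybrid model described above, sketched as an added example (not code from the article or from any ZTNA product): known sensitive apps are enforced by role, everything else is allowed but recorded, and the recorded access becomes candidate rules for tightening. App names, role names, the `min_hits` threshold and the sample traffic are all constructed assumptions.

```python
from collections import defaultdict

# Constructed starting policy: apps already known to be sensitive, with allowed roles.
SENSITIVE = {"hr-records": {"hr-staff"}, "case-mgmt": {"investigator"}}

def decide(rules, roles, app, observed):
    """Enforce rules for listed apps; allow and record everything else (observe mode)."""
    if app in rules:
        return "allow" if roles & rules[app] else "deny"
    for role in roles:
        observed[app][role] += 1          # visibility: who reaches what today
    return "allow"

def propose_rules(observed, min_hits=2):
    """Candidate allow-lists for review: roles seen at least min_hits times per app."""
    return {app: {r for r, n in seen.items() if n >= min_hits}
            for app, seen in observed.items()}

def tighten(rules, approved):
    """Move reviewed apps from observe mode to enforcement; empty proposals stay observed."""
    merged = {app: set(r) for app, r in rules.items()}
    for app, roles in approved.items():
        if roles and app not in merged:
            merged[app] = set(roles)
    return merged

def run_demo():
    observed = defaultdict(lambda: defaultdict(int))
    requests = [                           # constructed sample traffic: (roles, app)
        ({"hr-staff"}, "hr-records"),
        ({"contractor"}, "hr-records"),
        ({"analyst"}, "budget-tool"),
        ({"analyst"}, "budget-tool"),
        ({"contractor"}, "budget-tool"),
        ({"contractor"}, "wiki"),
    ]
    decisions = [decide(SENSITIVE, roles, app, observed) for roles, app in requests]
    # Assumption: reviewers approved every proposal unchanged.
    new_rules = tighten(SENSITIVE, propose_rules(observed))
    after = decide(new_rules, {"contractor"}, "budget-tool", observed)
    return decisions, new_rules, after

if __name__ == "__main__":
    print(run_demo())
```

The one-off contractor request to `budget-tool` is allowed while the app is only observed and denied once the reviewed rule is enforced; `wiki` stays in observe mode because no role met the threshold.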
Finally, each agency’s solution should have scalability. Across an agency, there are many coordinating functions, from authentication and authorization to application and data classification, and to access and visibility. This is why Gartner recommends the adoption of ZTNA solutions that can be deployed as a service. Agencies looking to adopt zero trust should identify their most significant pain point and define a use case that addresses that issue. Then, they can implement multiple use cases for a solution that spans multiple scenarios and user communities.
Agencies Should Run a Zero-Trust Pilot
Traditional appliance-based security technology is often too rigid to address today’s various requirements without overly complex deployments. Cloud-based zero-trust solutions provide agencies with the flexibility needed for a consistent approach across a diverse environment, but these technologies are less widely understood. Here again, there is no one-size-fits-all solution.
Before investing in a particular approach for zero trust, agencies should run a pilot program. Choose a set of apps and users to begin with (such as web apps and third-party users). This will provide insight into the likelihood of success and create a level of comfort for the owners of the solution. If successful, agencies can demonstrate the potential benefits of a zero-trust solution — and ensure it will deliver the desired functionalities while complying with agency regulatory requirements. Running a pilot will make agencies better equipped to expand the solution into production use cases.
The Benefits of Zero Trust
Implementing ZTNA services will strengthen agencies’ security posture in mobile and cloud-based environments and simplify user access to mission-critical information, while providing consistent control and visibility. As agencies assess their current security architectures and existing technology elements, they should also take advantage of federal resources to better understand the considerations and benefits of zero trust.
A white paper by the American Council for Technology-Industry Advisory Council provides key concepts, recommended steps and lessons learned working within federal environments for agencies to consider as they develop zero-trust solutions that are specific to their mission goals.