Support for Zero Trust Transitions Continues to Grow

Passwords, encryption, firewalls, VPNs, and two-factor authentication were all novel approaches to securing information held in IT systems. In just three years, zero trust is emerging as the next key security practice to become "table stakes" for government systems. The move to zero trust is not without challenges, but agencies are finding support in newly created offices and cutting-edge technology for meeting the critical need to constantly authenticate and authorize users on a given system.

Top-Down Support

A number of formalized zero-trust programs, offices, and guidance have become part of the landscape of government to support the mandated journey to zero trust. The NIST Zero Trust Framework, the Federal Zero Trust Strategy, and Cybersecurity and Infrastructure Security Agency's (CISA) Zero Trust Maturity Model started agencies down the path. Recently, CISA opened the Zero Trust Initiative Office to help agencies move through their maturity model with training, resources, and opportunities to collaborate with peers. The office will set metrics and benchmarks to track agency progress toward zero-trust maturity and will provide a community of practice for agency zero-trust leaders to connect and share best practices.

Staying One Step Ahead

Artificial Intelligence (AI) and Quantum Computing are both threats and tools for zero trust. Hackers will be leveraging AI and quantum computing capabilities to compromise environments, so agencies have to be prepared to fight fire with fire. Agencies need to be able to respond at the speed of the threat, implementing AI and quantum technologies as part of their monitoring and response strategies. Additionally, agencies may have to adopt new encryption standards to protect data and systems from advanced decryption techniques. As part of the inventory process for zero-trust, agencies should also consider inventorying cryptographic assets and critical interdependencies to protect against future attacks that leverage quantum computers.

Meeting Today's Need

About 30% of breaches in the public sector are the result of insider activity. Zero trust addresses this persistent threat, whether the breach is intentional or accidental. To apply the right authentication and authorization, systems based on zero trust need to have an understanding of both allowed and predictable behavior. Implementing behavioral analytics as part of the zero-trust journey will help expose insider risks. For example, a user beginning to transfer sensitive data to personal cloud storage will trigger an alert based on the change in expected (or even allowed) activity. As agencies shift to zero trust, they need to include the risk profiles as part of the inventory and categorization that supports zero-trust implementation.

Check out these resources to help stay on top of the latest trends and strategies for implementing zero trust in government.

• Zero Trust Workshop: Implement and Execute (April 2, 2024; webcast) - Discover how to implement zero trust to deliver results, integrate zero trust into your daily workflow, uncover best practices you can use right away, and network with your peers to share strategies, techniques, and outcomes at this virtual hands-on workshop.
• DoD Zero Trust Symposium (April 2-3, 2024; virtual) - This symposium will reflect the progress made with zero-trust implementation. Speakers representing government, industry, and academia will share their perspectives and experiences.
• Zero Trust Implementation: Update (April 25, 2024; webcast) - The Executive Order on Improving the Nation's Cybersecurity, the CISA Zero Trust Maturity Model, the DISA Zero Trust Architecture, and various NIST guidance all include mission-critical elements for zero-trust implementation. Although the principles of zero trust are widely accepted, the implementation process is a detailed and time-consuming one. This virtual workshop will focus on the "how-to" and zero-trust lessons learned to date.
• Fall Cyber Solutions Fest: Zero Trust (November 8, 2024; webcast) - This event brings together top industry vendors to shed light on the newest developments, technologies, and best practices in the realm of zero trust.
• The Rise of Zero Trust (white paper) - Following recent guidance from the CISA, governments at all levels are moving toward a zero-trust architecture, locking down their data, devices, and cloud access, and strengthening identity and access management. This e-book discusses some of those efforts.
• Access Management: Core to CISA's Zero Trust Maturity Model 2.0 (white paper) - This whitepaper explores access management best practices, analyses of the new zero-trust access management maturity category, and the substantial impact that privileged access management capabilities can have for organizations on their journey towards a mature zero-trust architecture.
• Creating Software That Is Secure by Design (white paper) - If applications are not built securely, then the wrong people can access an agency's data. To protect the wide range of technologies the government relies on, agencies are moving toward zero trust. The approach addresses security in five key areas: identity, device, network, data, and application.

Many more resources are available on GovEvents and GovWhitePapers to support zero trust journeys.