How To Apply A Zero Trust Security Model To Your Agency
If your government agency hasn’t experienced a security breach yet, it’s only a matter of time before it does.
A recent survey by Thales found 47% of U.S. agencies experienced an increase in cyber attacks in the past year. Of the nearly 3,000 organizations surveyed globally, 41% said they experienced a data breach. The problem has only gotten worse as more employees work remotely, using virtual private networks and virtual desktops or storing sensitive information in the cloud without encrypting it.
Knowing how likely they are to face an attack and how high the stakes are when they do, many organizations are adopting a Zero Trust security model. In fact, the report found 65% rely on Zero Trust to shape their cloud strategy.
Whether you’re a security or IT professional leading this effort or you’re in charge of implementing new technology at your agency, here’s what you need to know.
What is Zero Trust?
Zero Trust is a strategy and a set of principles that assumes a cybersecurity breach is inevitable. It also assumes you face both internal and external threats and focuses on limiting network and data access to only what is essential.
The National Security Agency defines Zero Trust this way:
“Zero Trust embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting critical assets in real-time within a dynamic threat environment.”
In a guidance document published in February 2021, the NSA outlines the principles of Zero Trust and offers recommendations for putting them into practice.
What are the principles of the Zero Trust security model?
Adopting the Zero Trust security model begins by embracing a few key concepts:
- Never trust, always verify – Don’t assume any user, device, or application is trustworthy. Authenticate each one and grant only the access they need.
- Assume breach – Continuously monitor all activities, including network traffic and access.
- Verify explicitly – Use multi-factor authentication to grant access to resources.
Zero Trust security isn’t only the responsibility of IT and security teams. Everyone in your organization should understand and practice these principles in their daily activities.
For instance, if your facilities team is working with a vendor who requests access to your workplace management system, they should grant access to a specific individual who can verify their identity through a text message or email. Granting a single login for an entire team to share makes it much more difficult to trace the origin of a data breach back to one person and one device.
How to implement a Zero Trust security model
Secure all assets, applications, and data
Focus on protecting critical resources and securing all paths to them. While traditional network security efforts have focused on securing the network perimeter using firewalls, it’s important to consider cloud security as well.
While a cloud environment makes your data and applications more accessible and less susceptible to physical attacks, it requires a different approach to security. Many organizations are still catching up when it comes to protecting their resources in the cloud, especially if they use both public and private clouds or multiple platforms.
In the Thales Data Threat Report, 83% of respondents said less than 50% of their sensitive data stored in the cloud was encrypted.
Develop privileged access control policies
A Zero Trust network includes additional protections to ensure unauthorized users cannot gain access, even when they try.
First, determine who needs access to your resources and what privileges they need. This is especially critical if you store sensitive information that needs to be encrypted. If a bad actor gains access to your network or your cloud environment, any data they obtain should be encrypted to render it unusable.
Once you know who needs access, set up the proper controls and workflows your team needs to manage it. For instance, what happens when an employee requests access to your VPN from a new device or location? What additional steps do you need to verify their identity and their device?
This illustration by the NSA shows how Zero Trust access control blocks bad actors from servers and software when they try to gain remote access.
Consider how to revoke access promptly when an employee or contractor no longer needs it. For instance, if your HR director terminates an employee, notifying the IT team should be a standard part of the process. Single sign-on access control makes it much easier to securely grant or revoke access to multiple applications with one step.
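One way to encode the workflow described in this section (least-privilege entitlements, explicit verification, step-up checks for a new device or location, prompt revocation, and a decision log for tracing access) as a small policy engine. This is an added example, not code from the article or from the NSA guidance; the roles, resource names, and the fields of `AccessRequest` are assumptions.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    role: str
    device_id: str
    device_managed: bool   # device enrolled in agency management (assumed signal)
    mfa_verified: bool     # second factor completed for this session
    location: str
    resource: str

# Least-privilege map: which roles may reach which resources (constructed sample data).
ROLE_PERMISSIONS = {
    "hr": {"benefits_system"},
    "facilities": {"visitor_management", "workplace_management"},
    "it": {"vpn", "benefits_system", "visitor_management", "workplace_management"},
}

class ZeroTrustPolicy:
    def __init__(self):
        self.revoked_users = set()   # filled by the HR-to-IT offboarding step
        self.known_devices = {}      # user -> devices confirmed after step-up
        self.known_locations = {}    # user -> locations confirmed after step-up
        self.decision_log = []       # who, from what, to what, and the outcome

    def revoke(self, user):
        """Termination or end of contract: every later request is denied."""
        self.revoked_users.add(user)

    def evaluate(self, req):
        """Return 'allow', 'step_up' (extra verification required) or 'deny'; deny is the default."""
        if req.user in self.revoked_users:
            decision = "deny"
        elif req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
            decision = "deny"        # least privilege: the role is not entitled
        elif not (req.mfa_verified and req.device_managed):
            decision = "deny"        # verify explicitly: user and device
        elif (req.device_id not in self.known_devices.get(req.user, set())
              or req.location not in self.known_locations.get(req.user, set())):
            decision = "step_up"     # never trust a new device or location by default
        else:
            decision = "allow"
        self.decision_log.append((req.user, req.device_id, req.location, req.resource, decision))
        return decision

    def confirm_step_up(self, req):
        """Record the device and location once the additional verification succeeded."""
        self.known_devices.setdefault(req.user, set()).add(req.device_id)
        self.known_locations.setdefault(req.user, set()).add(req.location)
```

Each decision is logged per user and device, which is what makes the origin of a later incident traceable instead of lost behind a shared team login.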
Continuously monitor threats
Detecting and responding to threats is a critical part of a Zero Trust security model. Traditionally, IT teams have focused on endpoint detection and response (EDR), or monitoring the network constantly and developing automated responses to perceived threats.
Security professionals argue this strategy has some limitations. For instance, it has limited visibility into an attack that might involve multiple assets or different parts of the cloud environment. They make the case for using extended detection and response (XDR), which uses multidimensional traffic algorithms to spot attacks not only at endpoints, but in the cloud and throughout the network.
Vet new workplace technology and software carefully
Over 90% of all data breaches in the past year originated from applications, according to a Verizon analysis. Unfortunately, many organizations add new software and apps to their technology stack frequently without considering the larger implications. The HR team decides to implement a new benefits management system that stores sensitive employee data. The facilities team adds a visitor management system to keep track of everyone who enters your building. Your entire agency has doubled down on its use of video conferencing software and file-sharing applications.
Every application and vendor you use has the potential to introduce new vulnerabilities into your ecosystem.
Zero Trust requires vetting each one carefully before downloading it or purchasing a software license. It also means applying more scrutiny to on-premises software and legacy systems, which may not have the latest security updates.
One significant advantage of cloud-based software is that the provider releases all security updates automatically, rather than relying on your IT team to manage updates for all on-premises systems.
Any software provider you use should have strong web application security protections built into its development process. They should also have clearly defined security protocols.
Need help vetting providers? Ask these 25 security questions.
Incorporate new security protocols as needed
In a mature Zero Trust model, your visibility into threats and your ability to respond to them become stronger and adapt to your organization’s changing needs. You are continually adding new policies and protections as your employees and partners work in different ways. As cyberattackers become more sophisticated and you identify emerging threats, you develop new, proactive strategies.
The work is never done, but with incremental changes over time, you can better protect your agency, your data, your employees, and the people you serve.