Short-term steps for agencies to implement zero-trust architecture
Zero-trust architecture is gaining wider attention from agency IT leaders and federal policy-makers alike. As agency network connections grow more complex, and the number of distributed applications and remote users continues to expand, CISOs see zero-trust strategies as a critical way forward to keep agency systems and users secure.
Adding momentum to the conversation among IT leaders are new guidelines being drafted by the National Institute of Standards and Technology (NIST) for federal agencies to establish zero-trust environments.
Those guidelines are shaping the discussion on an operating principle that IT veteran Jim Richberg says is intended to address “the inadequacy of a network perimeter-based approach to cybersecurity” and the ability for intruders to exploit “horizontally ‘flat’ access once they are inside the network.”
Richberg, a former federal cybersecurity official and now field CISO at Fortinet, explains that while full zero-trust implementation can feel overwhelming, IT leaders should remember that at its core, it is a risk management philosophy to embrace, not a technology to deploy.
He breaks down short-term goals for IT leaders in this podcast series on “Security Transformation in Government,” produced by FedScoop and StateScoop, and underwritten by Fortinet:
Short-term goals to move to zero trust
While there is increasing focus on intent-based segmentation — which defines a user’s access and activity based on business needs or intent — the best way to achieve zero trust is through dynamic segmentation, Richberg says.
The capability, however, relies on having timely and granular visibility of network activity.
“If you don’t have that kind of capability,” Richberg explains, “you’ll want a firewall that can integrate closely with identity management and access control tools, and that has additional — or next-generation — capabilities such as intrusion prevention capabilities and the ability to act on threat intelligence coming from other sensors and devices.”
Key ingredients to implement zero trust or intent-based segmentation
“Both zero trust and intent-based segmentation rely on that combination of rapid and granular visibility and control which is typically powered by security hardware, software and network architecture,” Richberg says.
He details key capabilities IT leaders should work toward, including:
- Identify every request for network access.
- Authenticate the requestor.
- Confirm the state of the device.
- Validate access against a least-privilege/need-to-know policy.
- Continuously log and monitor all activity for anomalous behavior.
Advice to agencies that can’t make the move to zero trust right away
“The reality is that many organizations have already been implementing key facets of the zero-trust philosophy — such as static segmentation of their network architecture — and policies that grant different levels of access and privilege to different classes of users,” Richberg explains.
“To the extent that business needs and intent can be defined in advance, you can do a fair bit of basic zero-trust implementation by smart network architecture and access control policies,” he says.
Jim Richberg formerly served as the National Intelligence Manager for Cyber in the Office of the Director of National Intelligence, where he set national cyber intelligence priorities. Before that, he monitored and coordinated implementation of the whole-of-government Comprehensive National Cybersecurity Initiative for Presidents George W. Bush and Barack Obama.
Listen to the podcast for the full conversation on security transformation. You can hear more coverage of “Security Transformation in Government” on our FedScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by FedScoop and underwritten by Fortinet.