What the Government Can Learn from the Private Sector in Pursuit of Zero Trust
By Kevin Kirkwood, Deputy CISO, LogRhythm
It has now been over two years since President Biden issued the Executive Order on Improving the Nation’s Cybersecurity, outlining one of the administration’s first real advancements in the pursuit of Zero Trust Architecture. The announcement signified a major milestone in modernizing U.S. government security defenses and raising awareness for all federal, state and local agencies to make security a top priority.
Now just one year away from the White House’s Zero Trust implementation target of September 2024, several U.S. government agencies recently fell victim to a Russian cyberattack, signaling that there is still more ground to be covered in the government-wide pursuit of Zero Trust. The hacking spree, which has impacted schools, hospitals and local government institutions, in addition to several federal agencies, has placed extra scrutiny on the government’s security measures – or lack thereof.
In mid-April of 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released the second version of its Zero Trust Maturity Model that serves as the guidebook for federal agencies on the path to Zero Trust. According to a report from the National Security Telecommunications Advisory Committee, which helped feed the development of the updated model agencies are in “dramatically different phases” of their respective zero trust journeys. Burdened by legacy infrastructure, some federal entities lack the resources necessary to meet the proposed Zero Trust guidelines in the near-term future.
Getting Zero Trust on Track
Though the federal government has historically been a breeding ground for top cybersecurity professionals, it may be time for the government to borrow a few lessons from industry pros in the private sector. The public sector must adopt some of the agility and flexibility of the business world to streamline the progress of zero trust projects, especially with federal implementation deadlines looming.
Assessing the Situation
When planning to build out a Zero Trust program, government agencies should look to model their implementations based on the steps that enterprises use for their own transitions. This starts with an initial assessment of the organization’s security posture. While it may sound obvious, agencies must first assess the mechanisms they currently have in place to understand where potential gaps may lie. Identifying potential threats is an important first step in laying the groundwork for Zero Trust.
Planning the Transition
Once a comprehensive assessment has been completed, agency leaders can begin to plan the transition itself. Zero Trust can be extremely complicated, which makes it important for leadership to define goals up front and set expectations for the project’s outcome. Given the guidance already issued by CISA, agencies have a baseline for defining goals and a timeline for achieving them. This is also the stage of the process where resources are allocated for implementation. While budgets can vary from institution to institution – and especially when comparing a federal agency to a local department – organizations must understand the resources available to them. Agency leaders at all levels must advocate for support of security projects to protect the infrastructure that serves the public.
Executing the Strategy
After an action plan has been presented, agencies can begin to make headway on the actual implementation phase. The execution of Zero Trust is the most intricate, most important piece of the puzzle. Not to be overlooked in the deployment of Zero Trust technologies is the importance of training employees. Zero Trust principles may be new to agency personnel, requiring dedicated training sessions to educate team members on how to work within the newly deployed architecture. Individual contributors must know the common warning signs of suspicious activity to avoid falling victim to social engineering attacks that can help malicious actors penetrate Zero Trust defenses.
Adapting and Improving
The work is never quite done with Zero Trust, even after deployment is complete. Agency leadership must implement processes for monitoring and continuous improvement of Zero Trust architecture. Leaders must establish performance metrics to track progress against the objectives outlined in the earlier planning phases of Zero Trust implementation. Without some kind of measurement, it can be difficult to demonstrate progress on Zero Trust initiatives. By tracking metrics and conducting regular reviews of Zero Trust technologies, organizations can continue to adapt their framework to better fit the unique security considerations of their team.
Building a More Secure Future
Conversations of Zero Trust implementation are sure to dominate the public sector in the year ahead. While there are many hurdles in deployment unique to the agency landscape, private enterprises have been fine tuning their Zero Trust strategies for years. All this trial and error within the private sector can show agencies which steps to take, and which to avoid, along their own Zero Trust journeys.
About the Author
Kevin Kirkwood, Deputy CISO, LogRhythm. I lead the internal practice of security for LogRhythm. My teams include: governance, risk and compliance (GRC), application security (AppSec), security operations center (SOC), and physical security. This concentration in security practice, tools, and operations enables the team and I to ensure that we provide a safe foundation to build the security platforms of the future while protecting employees, systems, and ultimately our clients who will use our products. I can be reached on LinkedIn and at the company website www.logrhythm.com.