Upend Government Cybersecurity With Zero Trust
Deploying zero trust specifically designed to mitigate threats government agencies face is a highly complex, critical effort. Zero trust requires an understanding of the data agencies’ store, including data labeling, where it resides, who owns it, who has access, if it has been downloaded (also known as data governance), and regulatory and legal requirements. The effort is further complicated by a multitude of vendors claiming to offer zero trust with a one-size-fits-all product and overzealous sales pitches.
Creating and maintaining the right zero-trust environment requires cohesive planning, new processes, skilled resources, effective monitoring of ongoing review efforts and the right products that fit your unique requirements. It is the combination of all these factors, plus a proven change management strategy (such as the observe, orient, decide, act, or OODA loop), that enables agencies to establish or improve their zero-trust data-centric security approach.
The first step toward zero trust is understanding your baseline, which begins with asking yourself, “Where am I today?” Baseline research is a monumental task and involves a meticulous inventory of all existing cybersecurity assets, including products, configuration and operation, where data is located, who has access and any vendors involved. The extensive list should include services, workflows, policies and procedures. Additionally, the baseline should encompass active and inactive features, people trained on each product, the number of users and when licenses expire. The type of content stored, shared, secured and targeted by threat actors differs for every agency.
The next piece is a vulnerability audit. It is critical to uncover and document what cybersecurity events could cause you to have unauthorized access, data loss and the impact of an emergency agency shutdown. When conducting the audit, determine areas where your agency is most vulnerable. Sample questions include:
- Are my disaster recovery plan and continuity of operations plan current?
- Have we conducted tabletop exercises based on various threats, and do we understand who, when and if weneed to escalate to request assistance?
- What are the national security implications of unauthorized access or a data breach?
- What vulnerabilities currently exist within my environment, and do I have mitigating security controls for those vulnerabilities?
- For vulnerabilities that do not have mitigations, is it a level of acceptable risk, or is there a plan for future mitigation?
With the completed research, the next step is determining the right zero-trust approach. Keeping regulatory and legal requirements in mind, decide if it makes sense to leverage CISA’s five pillars, the Department of Defense’s (DoD’s) seven pillars, the National Institute of Standards and Technology’s (NIST’s) zero trust architecture deployment models, or a hybrid of public/private recommendations. Many information technology (IT) leaders find it helpful to have discussions with peers at other agencies. If methodologies are working in one agency, they may also prove effective for another and can help avoid common mistakes while accelerating the overall zero-trust initiative.
No single vendor can handle 100% of any agency’s needs when it comes to zero trust. This is because of the complexity and diversity of existing IT systems and secure computing. Combined with a defense-specific, in-depth strategy, the very thought of a single vendor is a risk itself. The industry has seen multiple instances of what happens when a single vendor suffers a supply chain attack without necessary zero-trust methodologies. While multisolution, single-vendor platforms can be beneficial both in terms of capabilities as well as from a cost savings perspective, part of the risk strategy needs to ask the following: “What if XYZ vendor is breached, and how can I detect and mitigate a supply chain attack from my IT infrastructure and security tools”?
Related to this, an incident response plan should contain details such as responders, escalation processes, contact information for internal agency employees, as well as vendors and a communications plan for internal and external communications. Knowing what to communicate and when to communicate is paramount during any incident. Conducting tabletop exercises with different scenarios will enable you to identify gaps, apply lessons learned, document key findings and improve before having to rely on the plan during an active incident. Be sure to repeat the exercise on a regular cadence, especially given the rapidly changing threat environment.
Whether you are creating or improving existing zero-trust capabilities, one thing to ensure exists in your arsenal of defense tools is data loss prevention capabilities. Looking at breaches over the last decade, there are a few commonalities to call out: the unauthorized access of data and data loss. The use of data loss prevention (DLP) capabilities has been around for some time. However, not all technology is created equally. Notably, innovative DLP capabilities agencies should look to the identification of sensitive data and the ability to redact, mask, remove and encrypt structured or unstructured sensitive data based on a myriad of control options before being accessed, viewed or downloaded while enabling secure collaboration across agency personnel, mission partners or external sources.
The freedom of data control is not science fiction only found in movies. This technology is available today. Imagine the following scenario: A contractor needs access to sensitive data. Typical legacy DLP and security controls tend to be limited in capability and can either “allow access” or “deny access” or have a limited exclusion such as “allow access if from a government-owned computer with antivirus, otherwise deny access.”
However, with today’s innovation, control attributes such as time, device, device posture, location, behavior and type of access can all be put into the scenario. As an example, “allow access if from a government-owned computer, with antivirus and no alerts only from the hours of 9-5 Monday through Friday and deny external sharing,” or “allow access if on a nongovernment-issued computer but prevent download, redact sensitive data and encrypt and deny external sharing.” This provides a way to operate in today’s computing world, including data stored in the cloud, with innovative technology while reducing risk.
DLP is not the only security capability that needs to be implemented as part of a zero-trust methodology. All tools should, in part, be a way to detect, prevent, monitor, report and resolve unauthorized access and reduce the overall risk an agency may face. When looking at other technologies, other key considerations include:
- How does a product solve unmitigated threats, expand on capabilities and fit into your zero-trust methodology while reducing cost?
- How does a product fit into the various zero-trust pillars and the problems it solves? Ask for proof points and customers who are having success.
- How is the efficacy of detection and prevention measured? How are false positives and false negatives measured?
- How does the vendor protect their environment and ensure they will not suffer a supply chain attack? What does their response plan look like?
This level of conversation will help ensure that the selected technology fits into your existing infrastructure and not vice versa.
Upfront research, strategic planning, a thoughtful approach and the right technology partners are critical factors in creating and maintaining a zero-trust environment. Without these steps, agencies are more vulnerable than ever to an increasing number of organized data breaches.
Jim Coyle is the U.S. federal security strategist at Lookout, leveraging his 20 years of frontline cybersecurity experience to help government agencies close security gaps. He is a cybersecurity industry thought leader exploring geopolitical cyber-related issues, the latest threats and defense strategies, as well as industry trends, providing insights through his career.
