Trust No One: Security in the Age of Mobility
The day-to-day life of a federal worker is changing.
A federal claims agent processing Medicare requests must access information housed in multiple offices, agencies and devices. A field scientist for the U.S. Fish and Wildlife Service might need to pull complex data on trout migration trends while in the field, which may be a remote forest or other location far from headquarters. Both of these instances show the possibilities connected devices create—as well as the major security gaps they introduce.
The security perimeter, which traditionally only encompassed internal networks, has now extended to the home, the coffee shop or any place with a wireless connection. In most of those places, unlike in the office, connections aren’t secure.
Because of that, traditional security controls alone are not sufficient to address the increased attack surface of the modern workplace. Now, the best way to truly protect against a cyberattack is by treating every user and device as a threat through Zero Trust Architecture (ZTA).
ZTA automatically assumes that all networks, whether internal or external, should be treated as untrusted. That means all users connecting to the network must provide valid credentials both for themselves and the device they are using before gaining access. By doing this, ZTA adds a layer of security around the device, not just the user. The laptop, tablet or smartphone itself must be authorized to access the applications and workloads.
In addition, authenticated access is encrypted from end to end—computer to application. Solutions that can track network and application flows are utilized to identify potentially suspicious activity, even with strong access controls in place. Finally, inventory controls and policy enforcement are automated to ensure access is appropriate at all times and alleviate the burden on administrators.
What does your agency need to do to implement ZTA? There are a few preparatory steps to take before selecting a ZTA solution.
- First, the agency must take a complete asset inventory. A continuously updated inventory of the types of devices that are allowed to access the network is essential to ZTA. These devices could be corporate owned or personal devices used for work purposes.
- Then, the agency should inventory all users. Similar to the device count, ZTA only works when every user is accounted for.
- Last, access requirements need to be mapped for both users and devices. This is the only way to provide the kind of granular access that ZTA needs to be effective.
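As an added illustration (not code from this post or from Iron Bow), a small policy decision function applying the rules described above: the user and the device must each present verified credentials and appear in the inventory, the session must be encrypted end to end, and the user's role and the device class must both be mapped to the requested application; anything else is denied. The inventories, names and applications are constructed for the example.

```python
from dataclasses import dataclass
# Constructed inventories: the three preparatory steps (devices, users, access map).
DEVICE_INVENTORY = {
    "lap-0042": {"owner": "agency", "enrolled": True},
    "phone-0107": {"owner": "personal", "enrolled": True},   # personal device, enrolled
    "phone-0999": {"owner": "personal", "enrolled": False},  # personal device, never enrolled
}
USER_INVENTORY = {
    "claims.agent": {"active": True, "roles": {"claims"}},
    "field.scientist": {"active": True, "roles": {"research"}},
    "contractor": {"active": False, "roles": {"claims"}},     # left the agency
}
# Access map: which roles, on which device class, may reach each application.
ACCESS_MAP = {
    "medicare-claims": {"roles": {"claims"}, "owners": {"agency"}},
    "trout-migration-db": {"roles": {"research"}, "owners": {"agency", "personal"}},
}

@dataclass
class Request:
    user: str
    user_authenticated: bool    # user credential check passed
    device: str
    device_authenticated: bool  # device credential (e.g. certificate) check passed
    application: str
    encrypted: bool             # session is encrypted from computer to application

def decide(req: Request) -> tuple[bool, str]:
    """Default deny: return (allowed, reason); every check must pass."""
    user = USER_INVENTORY.get(req.user)
    if user is None or not user["active"]:
        return False, "user not in inventory or inactive"
    if not req.user_authenticated:
        return False, "user credentials not verified"
    device = DEVICE_INVENTORY.get(req.device)
    if device is None or not device["enrolled"]:
        return False, "device not in inventory or not enrolled"
    if not req.device_authenticated:
        return False, "device credentials not verified"
    if not req.encrypted:
        return False, "session not encrypted end to end"
    rule = ACCESS_MAP.get(req.application)
    if rule is None:
        return False, "no access mapping for application"
    if not (user["roles"] & rule["roles"]):
        return False, "user role not mapped to application"
    if device["owner"] not in rule["owners"]:
        return False, "device class not mapped to application"
    return True, "allowed"
```

Note that the same user on the same application is allowed from the agency laptop but refused from the personal phone, which is the per-device layer the post describes.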
In many cases ZTA will involve a transition to an entirely new way of balancing security and risk. To help with this, NIST provided draft guidance in February around ZTA in an effort to define the practice. The document also gives general deployment models and use cases where zero trust could improve an agency’s overall IT security posture.
The security of our public assets should not get in the way of the innovative work being done as a result of a more connected world. ZTA holds the promise of allowing our federal workers to take advantage of the most leading-edge technology without leaving their agency vulnerable to cyberattacks.
For more information on how Iron Bow can help your agency with Zero Trust Architecture, download our whitepaper.