Many traditional IT security strategies, such as VPNs and firewalls, became essential over the last few years due to the increase in remote work. These cybersecurity strategies create a perimeter around the network that enables authenticated users and devices to traverse the network and access resources with ease. However, relying solely on the perimeter approach is becoming less effective, less efficient, and more dangerous for organizations of all kinds.
Remote work is now at its peak, and many assets are in the cloud. Remote workers need secure remote access to their applications, data, and services. As more of an organization's work moves online, the risk of theft of assets and identities also increases, and traditional security strategies may no longer be effective in preventing more evolved cyber attacks.
Government cybersecurity: Perimeter defense is no longer enough
New demands on IT environments are exacerbating the need for increasing cybersecurity maturity. As government workers adopt hybrid working environments, cyber threat risk increases. Likewise, inter-agency (G2G) and government-to-business (G2B) collaboration introduces new cybersecurity risks.
The frequency, cost, and impact of cyber threats are increasing. Cyber-criminal activity can occur at all levels of government, and government organizations now see cyber threat actors shifting their focus to smaller agencies.
Governments require strong network security and better remote access solutions than legacy VPNs. Increasing volume and scalability demands are leading governments down other paths: enter zero trust architecture.
The public sector and zero trust architecture: Where to begin
Unwinding legacy security processes and changing strategies is not an easy task. However, the benefits can outweigh the challenges. Government agencies looking to implement zero trust should start with education and a step-by-step process.
1. Talk with your IT team about zero trust architecture
First, learn the basics about zero trust and cybersecurity best practices. Understand the zero trust framework, why it is a best practice, and how you can start the conversation with your IT team.
What is zero trust?
Zero trust is a cybersecurity framework that protects environments from the inside as well as at the perimeter. Gaining access to one part of the network does not grant the ability to move freely within it: every request is authenticated and authorized on its own, and no user, app, service, or device is trusted simply because of where it sits on the network. A zero trust strategy also identifies atypical behavior, such as attempted access to restricted data or downloads of large amounts of data at unusual times, which can indicate an incident or breach.
The National Institute of Standards and Technology (NIST) has published guidelines (Special Publication 800-207, Zero Trust Architecture) for agencies and other organizations migrating toward zero trust architectures. Under this model, access is granted only after verifying the user, the device, and the apps, services, and data that user is entitled to reach.
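To make the decision logic concrete, the following is an added example (not code from Salesforce, NIST, or the whitepaper) of a minimal zero trust policy decision point in Python. It evaluates each access request on identity (MFA), device posture, and a least-privilege role check, never on network location, and flags the atypical behavior described above (off-hours access, bulk downloads, access to restricted data). The request fields, resource classification, and thresholds are assumptions, and the sample requests are constructed.

```python
"""Minimal zero trust policy decision point (PDP) with anomaly flags.

Added example, not Salesforce's, NIST's or any product's code. Each access
request is evaluated on its own merits: network location grants nothing,
identity (with MFA) and device posture are checked on every request, the
user must hold a role the resource admits, and the request is scored
against the behaviour the text calls atypical. Field names, the resource
classification and the thresholds below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Assumed resource classification: which roles may reach which resource.
RESOURCE_ACL = {
    "hr-records": {"hr-staff"},
    "case-files": {"caseworker", "hr-staff"},
    "public-site": {"*"},
}
RESTRICTED = {"hr-records"}               # assumed restricted data set
WORK_HOURS = range(7, 20)                 # 07:00-19:59 local, assumed policy
BULK_DOWNLOAD_BYTES = 500 * 1024 * 1024   # assumed bulk-download threshold


@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    on_corporate_network: bool   # recorded, but deliberately never used to grant trust
    resource: str
    bytes_requested: int
    when: datetime


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)    # why access was denied
    anomalies: list = field(default_factory=list)  # signals for the SOC


def evaluate(req: AccessRequest) -> Decision:
    """Return allow/deny plus anomaly flags for one request."""
    d = Decision(allow=True)
    # 1. Verify the identity: MFA on every request, regardless of location.
    if not req.mfa_verified:
        d.allow = False
        d.reasons.append("mfa-required")
    # 2. Verify the device posture (managed and patched).
    if not (req.device_managed and req.device_patched):
        d.allow = False
        d.reasons.append("device-posture")
    # 3. Least privilege: the user must hold a role the resource admits.
    allowed_roles = RESOURCE_ACL.get(req.resource, set())
    if "*" not in allowed_roles and not (req.roles & allowed_roles):
        d.allow = False
        d.reasons.append("not-authorized")
    # 4. Behaviour signals: off-hours access and bulk downloads are flagged
    #    for review, and for restricted data they also deny the request.
    if req.when.hour not in WORK_HOURS or req.when.weekday() >= 5:
        d.anomalies.append("off-hours")
    if req.bytes_requested >= BULK_DOWNLOAD_BYTES:
        d.anomalies.append("bulk-download")
    if req.resource in RESTRICTED and d.anomalies:
        d.allow = False
        d.reasons.append("restricted-under-anomaly")
    return d


# Constructed sample requests (not real traffic). 2022-02-01 is a Tuesday,
# 2022-02-06 a Sunday.
SAMPLE_REQUESTS = [
    # Normal HR access during work hours: allowed, nothing flagged.
    AccessRequest("alice", {"hr-staff"}, True, True, True, True,
                  "hr-records", 10_000, datetime(2022, 2, 1, 10, 0)),
    # On the corporate network but without MFA: denied anyway.
    AccessRequest("bob", {"caseworker"}, False, True, True, True,
                  "case-files", 10_000, datetime(2022, 2, 1, 10, 0)),
    # Same HR user pulling 2 GB of restricted data at 02:00 on a Sunday.
    AccessRequest("alice", {"hr-staff"}, True, True, True, False,
                  "hr-records", 2 * 1024**3, datetime(2022, 2, 6, 2, 0)),
    # Caseworker reaching for HR records: not authorized for that resource.
    AccessRequest("carol", {"caseworker"}, True, True, True, True,
                  "hr-records", 10_000, datetime(2022, 2, 1, 10, 0)),
]


def decide_all(requests=SAMPLE_REQUESTS):
    """Evaluate every request and return the list of decisions."""
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for r, d in zip(SAMPLE_REQUESTS, decide_all()):
        print(f"{r.user:6} {r.resource:12} allow={d.allow} "
              f"reasons={d.reasons} anomalies={d.anomalies}")
```

The point of the design is that `on_corporate_network` is carried in the request but never consulted: being "inside" buys nothing, which is the difference between this model and the perimeter approach described at the top of the page. The anomaly flags feed monitoring rather than replacing authorization, except for restricted data, where an anomalous request is refused outright.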
What are the threats that zero trust protects against?
There are many types of security risks. Some exist solely in the physical realm, like "dumpster diving," where bad actors collect sensitive data from the recycling or trash. Many threat vectors exist in the cyber realm, too. Take malware, for example. Malware is malicious software intended to access, damage, or control a device or network. Cyber threat actors often combine malware with phishing, which attempts to acquire sensitive information, like PII, credit card information, or user credentials, by posing as a trusted entity.
Ransomware is also on the rise. Ransomware is malicious software that blocks access to a system, typically by encrypting its data, after which the threat actors demand a large sum of money to restore access. Ransomware attacks can bring agency operations to a halt, especially if there aren't sufficient backups and disaster recovery plans in place.
2. Understand why zero trust is important — right now
Targeted malware and ransomware threats, phishing attempts, data breaches: these threats are all over the news. These threats do not just affect the private sector; they also impact the public sector. The US government recognizes this growing threat and is taking action.
Recent legislation and policy are earmarking funds and setting deadlines for agencies to uplevel cybersecurity. Executive Order 14028, issued in May 2021, directed federal agencies to advance toward a zero trust architecture, and in January 2022 the Office of Management and Budget followed with a federal zero trust strategy (memorandum M-22-09) that requires agencies to meet specific zero trust goals by the end of fiscal year 2024. The Infrastructure Investment and Jobs Act (IIJA), signed in November 2021, allocates $1 billion in grants for state and local governments to strengthen cybersecurity for their IT systems. FedRAMP, the U.S. government program that promotes the adoption of secure cloud services, is preparing for the new zero trust strategy by working with cloud platform providers to assist and prepare agencies. Additionally, U.S. Transportation Command will implement a zero trust security model on its classified networks in the coming months.
3. Create a checklist of questions to map your zero trust architecture
You now know the answer to the “Why zero trust?” question. Next, start to map out your plan to get there with the rest of the “W” questions: who, what, when, where. Help your IT partners understand the wants and needs behind your team’s use of information systems. With these answers, you can partner with your IT team to map out an effective zero trust architecture plan that is best for everyone.
- Who is using the network (internal/external users)?
- Who on my team needs what information and when? Who needs special privileges? What are they?
- What is connected? What devices, apps, and services are my team/department/agency using?
- What is happening on my network (traffic patterns and messaging, working hours, etc.)?
- When will my team/users access the system/services?
- Where will my team/users be when accessing the system/services (onsite, remote, via VPN, etc.)?
4. Educate your organization about the importance of data security
Multifactor authentication (MFA) is a critical component of zero trust architecture. However, repeated authentication prompts can be tiresome for employees, leading to "security fatigue," where users face so many authentication events that productivity suffers and they may begin approving prompts reflexively, which attackers can exploit.
Ensure you — and your employees — understand the importance of data security and why zero trust security policies, like multifactor authentication, are in place.
- Ask what education is available to help employees identify potential phishing attacks and other cyber threats.
- Discuss with your IT team what constitutes "suspicious behavior" (e.g., access during holidays or weekends, or actions by a malicious insider).
- Determine how your team stays operational, and how users regain access, when a zero trust policy denies a request.
- Define how you will prepare for cyberattacks, such as prevention and monitoring, crisis management, and disaster recovery plans.
Zero trust: The foundation of building trust in the public sector
Attacks and attackers are getting more sophisticated every day, and our team continuously innovates to stay ahead of the threat landscape. We build defense in depth into all our systems with a layered approach of technology, processes, and people, and we practice what we preach: effective February 1, 2022, Salesforce requires all customers to use MFA when accessing Salesforce products. MFA is one of the easiest, most effective tools for enhancing login security and safeguarding your business and data against security threats.
Zero trust is a journey, and just like your organization, we are consistently adapting our strategy.
Get a more in-depth look at zero trust — and how governments can start preparing for this motion — in our whitepaper.