Overcoming Zero Trust Challenges in the Federal Government
By Lisa Lorenzin, Director of Emerging Technology Solutions, Zscaler
As federal agencies deploy mobile-friendly, cloud-based infrastructures, cyber threats are also evolving
to prey on vulnerabilities in these new environments. Agencies need to take a proactive approach to stay
a step ahead and keep data safe, regardless of location and device.
To combat these threats, and take advantage of the TIC 3.0 guidance, federal IT leaders are turning to
zero trust security models. The concept evolved in the private sector, as federal agencies have been
slower to explore zero trust models due to a combination of factors, such as perceived liability, resistance
to change, regulatory and certification requirements, data classification, and the need to work across
multiple functional areas.
When choosing a zero trust solution, agencies need to balance access, productivity, and performance
against security concerns. At the same time, they need to future-proof their environments. The question is, “Can
zero trust solve today’s and tomorrow’s challenges while meeting federal security guidelines?”
Defining Zero Trust
Zero trust is a bit of a misnomer—the true goal is actually to establish and maintain trust, so we can
enable users to access the resources they need to support their missions. We start off by not implicitly
trusting anyone, then figure out who we can trust, how we know we can trust them, and what we trust
them to access.
The initial intent of zero trust was to help control on-premises user access to internal applications. Today,
the same concept applies to users accessing private applications in externally hosted environments.
Federal IT leaders should think of zero trust as “context-based trust.” It is not a matter of whether the
user is on or off the network, or the application is internal or external, but whether the user is authorized
to access the application.
Federal IT leaders will need to ask themselves several questions when considering zero trust adoption:
“What will this solution look like? How do we scale it? How do we get access to resources through it?
How do we get the visibility we need? How do I meet the Trusted Internet Connection (TIC) mandate if
the solution is cloud based? Is my provider FedRAMP authorized?”
A Phased Approach
As agencies develop zero trust solutions, they need to consider how to integrate them with their current
architecture and security controls. Agencies need solutions that provide seamless access for the user
and full visibility and control for the backend administrators, regardless of the device or the user’s location.
Many federal agencies already have elements of zero trust in their infrastructure and should not require
significant new technology acquisitions. Endpoint management, Continuous Diagnostics and Mitigation
(CDM), software-defined networking, microsegmentation, and cloud monitoring are components of zero
trust that may be in place.