State and local governments provide essential citizen services, operate and maintain critical infrastructure, and process and store sensitive personal and health-related information, making them lucrative targets for cyber-attacks. Agencies do not always have the resources or expertise to prevent attacks, potentially leaving them vulnerable.
What is Zero Trust?
Zero trust is an approach to cybersecurity for defending critical networks and computing resources that treats all networks and network traffic as potential threats.
According to the National Institute of Standards and Technology (NIST), zero trust is an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. With zero trust, no implicit trust is granted to assets or user accounts based solely on their physical or network location. Devices and users must be authenticated and authorized before access to a resource is established.
Implementing a zero trust framework can address many of the challenges faced by state and local governments.
Zero Trust is a Journey, not a Destination
Many hardware and software vendors claim zero trust can be achieved by simply buying their products.
In reality, a zero trust model cannot be designed and implemented quickly. It is a journey (or a security mindset/approach) that never ends. Every time a new application is deployed, every time an employee leaves or a new one arrives, and every time hardware or software is updated, the zero trust principles must be followed.
The goal of achieving zero trust may seem daunting, especially for fiscally constrained agencies and smaller governmental jurisdictions, but there are steps that can be taken along the way that deliver improved security if the agency has adopted a Zero Trust Architecture.
The Five Pillars of the Zero Trust Maturity Model
The Cybersecurity & Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model is based on five pillars: 1) Identity; 2) Device; 3) Network/Environment; 4) Application Workload; and 5) Data.
This model provides a good starting point for state and local governments and agencies that are implementing zero trust. State and local governments can significantly improve their security posture with an incremental adoption of the CISA model.
DMI Begins Laying the Foundation of Zero Trust for Large State Agency
According to Gartner, most zero trust strategies start with networking-related initiatives (segmentation) due to the implicit trust in traditional network security models. A solid identity foundation is a prerequisite to starting any network segmentation initiatives. Zero trust requires a secure, common federated identity management system.
The DMI cyber team supporting a large state agency recently implemented an enterprise-level MFA capability, laying the foundation for the agency’s zero trust initiatives.
The effort began with an extensive education and adoption campaign to establish the knowledge groundwork for more than 10,000 employees. Next, the team successfully transitioned each user to new technology. Remote users are now using an identity security app on their mobile devices to securely authenticate to Active Directory.
Additionally, the team employed Microsoft Active Directory Federation Services to allow single sign-on and federated identity to access systems and applications located across multiple organizational boundaries.
DMI helps our state and local partners to understand their risk tolerance and prioritize activities so they can make informed decisions about cybersecurity investments along the zero trust journey.