Security

State and Local Governments Should Prepare Themselves for a Zero-Trust Future

Zero-trust architectures for cybersecurity are being mandated at the federal level, and state and local IT leaders should prepare to adopt this approach as well.

Houston Thomas III

In his role as Senior Business Development Strategist and Public Safety Senior Strategist, Houston Thomas III manages the architect and engineering process for large-scale integration projects involving public safety agencies. He provides subject matter expertise to CDW•G law enforcement customers with respect to digital intelligence and evidence management.

Surveys of state and local government IT leaders consistently show that cybersecurity is their top concern. This will likely always be the case, especially since agencies remain prime targets for cyberattacks.

However, it’s time for IT leaders to start evolving their approach to cybersecurity, away from the castle and moat and defense-in-depth mindset and to a more data-centric view of cybersecurity. In short, it’s time for them to start thinking more seriously about zero-trust architectures.

Zero trust is a model in which no user, device or application is implicitly trusted on the network. Users must continuously authenticate and validate themselves, and the principle of least privilege applies across the board, meaning you only get access to what you need to do your job and nothing more. IT leaders should start thinking about how they can implement this approach, which is less about the technologies and more about a change in thinking.

Click the banner below to get access to a customized content experience and exclusive articles.

Shifting to Zero Trust at the State and Local Level

The federal government, via an executive order President Joe Biden signed in May, has mandated that federal agencies adopt zero trust, and recent draft guidance gives them until fall 2024 to do so.

There is no similar mandate for state and local agencies to adopt zero trust. However, technology and policy changes of this magnitude at the federal level tend to have a trickle-down effect to all levels of government.

That’s especially true for state agencies, which often need to report data to federal agencies (and therefore, federal networks). This is true for everything from Criminal Justice Information Services reporting to applying for grants and submitting data on COVID-19. State universities, critical infrastructure providers and any entity conducting federal funded research may eventually need to move to zero trust.

If federal agencies are converting to zero trust, then all agencies that access or interface with those agencies’ data will, over time, need to be operating in a zero-trust architecture to access it.

Moreover, state IT security leaders say that the effects of the coronavirus pandemic, with so many state workers operating remotely, have accelerated the need to shift to zero trust. Again, the move to zero trust is less about the specific technology components that need to be put in place and more about a change in attitude and policy: No one is to be trusted without authentication, even if they are logging in from a trusted, government-issued device.

“We had 30,000 employees with state assets designed to be behind a castle wall,” Oklahoma CISO Matt Singleton said earlier this year, according to StateScoop. “We don’t have a castle wall anymore. We used to use these things on secure networks, now on commercial networks sitting next to a personal device.”

KEEP READING: Get complimentary resources from CDW on building an incident response plan.

The Technology Components Needed for Zero Trust

It’s important for IT leaders to know that you cannot simply buy a box of zero trust from a security vendor. Instead, zero-trust architectures are the result of combinations of interlocking technology and policies.

To get started, it’s worth looking at the five pillars the federal government is requiring agencies to make progress on:

Identity: Agency staff are to use an “enterprise-wide identity to access the applications they use in their work,” and “phishing-resistant MFA” is meant to protect them from sophisticated online attacks.
Devices: The government will have “a complete inventory of every device it operates and authorizes” for government use and will be able to “detect and respond to incidents on those devices.”
Networks: Agencies will “encrypt all DNS requests and HTTP traffic within their environment, and begin segmenting networks around their applications,” and the government will create a “workable path to encrypting email in transit.”
Applications: Agencies will “treat all applications as internet-connected, routinely subject their applications to rigorous testing, and welcome external vulnerability reports.”
Data: Agencies will be on “a clear, shared path to deploy protections that make use of thorough data categorization” and will also take advantage of “cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.”

Identity management is not new to government and public safety agencies and should be among the easier elements to implement. However, agencies will need to put in place more granular, role-based access controls.

Software-defined network perimeters, on the other hand, are another critical aspect of zero trust, and state and local agencies are likely less mature in this area than others. That does not mean it is impossible to achieve, it just requires education, planning and investment now to get ahead of the curve. Introducing more granular network segmentation is a great place to start.

That may lead to grumbling at some state agencies that must go through more authentication layers to access certain networked assets, but it is worth it in the end. “The trust of citizens is the most important element,” Washington State CISO Vinod Brahmapuram said in August, StateScoop reports. “You may not make some people happy along the way, but that’s what you do.”

Network access control is the fundamental foundation for getting started on zero trust. Implementing network segmentation and software-defined networking will help agencies get the ball rolling and will naturally lead to evolutions in identity and access management, device, data, and application security.

State and local agencies will not adopt zero trust wholesale tomorrow. However, it’s clear it’s where cybersecurity is headed across all of government. Now is the time to get started on that journey.

This article is part of StateTech’s CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.