Shifting to Zero Trust at the State and Local Level
There is no similar mandate for state and local agencies to adopt zero trust. However, technology and policy changes of this magnitude at the federal level tend to have a trickle-down effect to all levels of government.
That’s especially true for state agencies, which often need to report data to federal agencies (and therefore to federal networks). This applies to everything from Criminal Justice Information Services reporting to applying for grants and submitting data on COVID-19. State universities, critical infrastructure providers and any entity conducting federally funded research may eventually need to move to zero trust.
If federal agencies are converting to zero trust, then all agencies that access or interface with those agencies’ data will, over time, need to be operating in a zero-trust architecture to access it.
Moreover, state IT security leaders say that the effects of the coronavirus pandemic, with so many state workers operating remotely, have accelerated the need to shift to zero trust. Again, the move to zero trust is less about the specific technology components that need to be put in place and more about a change in attitude and policy: No one is to be trusted without authentication, even if they are logging in from a trusted, government-issued device.
“We had 30,000 employees with state assets designed to be behind a castle wall,” Oklahoma CISO Matt Singleton said earlier this year, according to StateScoop. “We don’t have a castle wall anymore. We used to use these things on secure networks, now on commercial networks sitting next to a personal device.”
The Technology Components Needed for Zero Trust
It’s important for IT leaders to know that you cannot simply buy a box of zero trust from a security vendor. Instead, zero-trust architectures are the result of combinations of interlocking technology and policies.
To get started, it’s worth looking at the five pillars the federal government is requiring agencies to make progress on:
- Identity: Agency staff are to use an “enterprise-wide identity to access the applications they use in their work,” and “phishing-resistant MFA” is meant to protect them from sophisticated online attacks.
- Devices: The government will have “a complete inventory of every device it operates and authorizes” for government use and will be able to “detect and respond to incidents on those devices.”
- Networks: Agencies will “encrypt all DNS requests and HTTP traffic within their environment, and begin segmenting networks around their applications,” and the government will create a “workable path to encrypting email in transit.”
- Applications: Agencies will “treat all applications as internet-connected, routinely subject their applications to rigorous testing, and welcome external vulnerability reports.”
- Data: Agencies will be on “a clear, shared path to deploy protections that make use of thorough data categorization” and will also take advantage of “cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.”
Identity management is not new to government and public safety agencies and should be among the easier elements to implement. However, agencies will need to put in place more granular, role-based access controls.
Software-defined network perimeters, on the other hand, are a critical aspect of zero trust, and state and local agencies are likely less mature in this area than others. That does not mean it is impossible to achieve; it just requires education, planning and investment now to get ahead of the curve. Introducing more granular network segmentation is a great place to start.
That may lead to grumbling at some state agencies that must go through more authentication layers to access certain networked assets, but it is worth it in the end. “The trust of citizens is the most important element,” Washington State CISO Vinod Brahmapuram said in August, StateScoop reports. “You may not make some people happy along the way, but that’s what you do.”
Network access control is the foundation for getting started on zero trust. Implementing network segmentation and software-defined networking will help agencies get the ball rolling and will naturally lead to evolutions in identity and access management, device, data, and application security.
State and local agencies will not adopt zero trust wholesale tomorrow. However, it’s clear it’s where cybersecurity is headed across all of government. Now is the time to get started on that journey.