Early Adopters See Zero-Trust Advantages for Remote Work
Zero trust can involve using strict access controls, multiple authentication checkpoints and increased monitoring resources to repeatedly verify users and devices before allowing them to access a network or asset.
Eric Sweden, program director of enterprise architecture and governance at NASCIO, expects more states will begin incrementally adopting that type of cybersecurity approach as part of their ongoing maturation.
“Zero trust does not have to be — most likely cannot be — a one-time initiative,” Sweden says. “States already have in place many of the capabilities required for zero trust — possibly 50 to 74 percent of the necessary technology and organizational capabilities.”
Some have already begun adopting a zero-trust mindset. Oklahoma, for example, fast-tracked its move to zero trust during the COVID-19 pandemic. By April of this year, the state’s Office of Management and Enterprise Services reportedly had deployed Zscaler Private Access, a cloud-based solution that provides zero-trust access to private applications running on public clouds or in data centers, to help scale remote access for more than 30,000 teleworking employees.
Washington state CISO Vinod Brahmapuram, speaking at an online event in August, said the state was transitioning to a zero-trust structure — a modernization move he described as “part of what we should all be doing,” StateScoop reports.
With states and municipalities facing significant ransomware and other security threats, smaller localities in particular may need to outsource some tech-related operations in order to enhance their cybersecurity stance, says Alan Shark, executive director of CompTIA’s Public Technology Institute.
“It’s not just a matter of money,” Shark says. “It’s staffing, it’s training, it’s certifications: They don’t have it. Having managed service providers may be a better answer for them.”
Guidance Could Help Agencies Make Progress on Zero Trust
Because zero trust is essentially a concept — not a prebuilt solution or set of tools that can be purchased and put into use — confusion can arise over what specific elements are involved.
For more states to buy into zero trust’s value and be able to execute it successfully, the federal government, Shark says, may need to provide more detailed information.
“Zero trust means you have to get into a system that locks you out until you prove otherwise,” he says, referring to the requirement that people seeking access prove they are who they say they are. “It means better authentication of who is coming in, having authorized users on different levels — saying someone has certain rights to get into these certain records, but someone else can get into more. What’s missing is a true definition that a majority of folks can understand. Once they have that, they can better figure out strategies to adopt.”