What Is Zero-Trust Architecture?
In a zero-trust model, no user, device or application is implicitly trusted by the network. Continuous authentication and validation are required to access a network or asset, and even then, users may not be able to get into everything.
Administrators can restrict privileges so that users are only allowed to access the files, software and other items they need to do their jobs.
“Conceptually, zero trust, at its very core foundation, as the name implies, trusts no devices and requires an authorization … to continually be evaluated and re-evaluated as you progress through a network environment,” Main says.
A zero-trust framework can be realized through solutions, network provisioning and other methods of establishing controls, multiple authentication checkpoints, and other capabilities.
Oklahoma, which underwent an IT unification effort from 2012 to 2017 that consolidated technology assets from 112 separate state agencies into one organization, had been moving toward a zero-trust model before the COVID-19 pandemic, according to Matt Singleton, CISO for the state of Oklahoma.
“The initial idea was more of a defense-in-depth approach, where we’re trying to put layered security defenses in place,” Singleton says. “At its simplest form, that’s what a zero-trust architecture really is. We wanted to make sure that we had defenses for all of the assets and people, and then those defenses would allow people to work from anywhere and still be productive.”
When the pandemic hit, Oklahoma had begun to add Zscaler’s Zscaler Internet Access secure web gateway product, and had selected an email gateway option but hadn’t started the enterprise implementation. While implementing a zero-trust architecture can take two to three years or more, Singleton says, in the past 18 months, the state has enacted the majority of its zero-trust plans.
“Zero trust is a process,” he says. “I don’t know that you will ever really get there. I don’t think that we’d ever call it done. We’ve made a lot of progress, and really, for what we’ve scoped out, the majority of the work has been completed, although we’re looking for other areas where we can continue to tighten up.”
What Are the Benefits of Zero Trust for State and Local Government?
With a greater number of employees working offsite during the pandemic, many agencies needed to address expanded connectivity needs and manage an increased number of remote endpoints.
Oklahoma’s state government, for example, needed to support more than 30,000 remote employees, including addressing scenarios such as how employees might use personal and other devices to connect to the state’s network.
“We had to work through what would make sense to do through Office 365, and what would make sense to actually come in through some sort of a virtual private network solution,” Singleton says. “Ultimately, we wound up doing a combination of those things, plus a virtual desktop environment our state employees could use just like they were in the office, but through a web page. That worked out really, really well for us.”
The state’s use of cloud-based security tools, such as ZIA and the Zscaler Private Access solution, part of the company’s zero trust platform, which supplies access to private applications running on a public cloud or within a data center, has helped give users a more direct path to assets.
In the past, they might have a session at one site, been bounced to the state’s data center, brought back to a network resource and then pushed out to the cloud for another resource, according to Singleton.
“It was really just a whole lot of stops along the way,” he says. “By moving things to the cloud and implementing cloud-based security solutions, they’re right next to each other. It actually put the user closer to the assets that they were trying to access. The Oklahoma Department of Corrections saw a fivefold improvement in throughput by moving to the new zero-trust tools we put in place.”
How Can State and Local Agencies Build a Zero-Trust Architecture?
To establish a zero-trust framework, it’s essential agencies first ensure they have solid practices relating to identity, according to Main, such as requiring repeated validation as users move throughout a network architecture.
“This has a significant benefit, especially in prohibiting or stopping that lateral movement a malicious actor may attempt to make if they gain entry into your environment,” he says. “Zero trust puts the brakes on that immediately and can potentially be a lifesaver for public sector agencies.”
Folding multifactor authentication into the mix can also help minimize or eliminate an attacker’s ability to be successful, Main says.
“With multifactor authentication in place, we are able to stave off 99 percent of the email-borne threats against our environment,” he says. “Phishing attacks, business email compromises, things of that nature, are where the overwhelming majority of threats facing our environment originate.”
Singleton advises also examining how people connect. Oklahoma uses Mimecast for its secure mail gateway, and CrowdStrike for endpoint detection and response. It’s implementing the Zscaler Workload Segmentation tool, Singleton says, to assist with its microsegmentation efforts, and is using its cloud access security broker to identify where else the organization has information assets and how best to secure them.
“A secure web gateway, your email gateway — those are two critical tools you should have in place,” Singleton says. “You want to make sure you’ve actually put some sort of an endpoint detection and response tool in place on all of your assets.”
After you’ve secured the endpoints, user accounts, and the communications coming in and out of those assets, the next big piece, he says, would likely involve making sure some sort of private access tool is in place.
“You want to make sure you’ve got some way for them to continue to be safe as they’re accessing the enterprise network,” Singleton says. “Within the network, microsegmentation is really where we’re focusing right now — ensuring this person on this device connected by this means actually has the authority to have this access to this specific tool within the enterprise environment, and nothing else.”
The shift to a zero-trust approach won’t happen overnight. State and local government agencies can, however, make solid progress toward reducing cyber risk by identifying where restricting access would be key due to the nature of the involved data, less-than-ideal protocols or other factors, according to Main.
“You can’t eat the elephant all in one bite,” he says. “You have to prioritize your zero-trust strategy. It is really going to vary, based on the complexity, current capabilities of the environment and how much rearchitecting needs to happen. But I would suggest, instead of looking at a time horizon, focusing on the highest-priority concerns for the respective environments.”