Oct 31 2023

4 Pillars of Zero-Trust Architecture from the View of the New Jersey Judiciary

Courts CIO Jack McCarthy breaks down how Zscaler helped his agency improve cybersecurity.

In a recent video chat with StateTech, New Jersey Judiciary CIO Jack McCarthy outlined four pillars of a zero-trust architecture.

McCarthy discussed how the New Jersey courts system adopted Zscaler products in support of zero trust when the 2020 pandemic forced all state employees to work from home. He applauded how Zscaler first provided the courts with a means of authenticating user identities.

“The first pillar is you have to know who the users are who connect to you and find some way to ensure their identity,” McCarthy says. “Obviously, two-factor is the best. We’re doing that right now. We use the Zscaler products to establish 2FA, so anybody logging in to our network on one of our PCs is coming in through 2FA whether they’re sitting at their desk in the office or sitting at their house.”

McCarthy identified the second pillar of zero-trust architecture as asset management. He estimated the New Jersey Judiciary has about 700 sites and 60,000 devices across its network.

“And, if we don’t know what every single one of those devices is, our network isn’t secure,” he says. “So, we’re using the product to interrogate these devices as they’re coming out of our network.”

He adds, “First, protect and know your users. Second, protect and know what’s connecting to your network.”


Keep Devices and Applications from Talking When Unnecessary

The third pillar of zero-trust architecture is segmentation, McCarthy says.

“If Server A has no need to ever cross a network and connect to Server B, don’t let it. Don’t give it a reason,” McCarthy says. “What if that server had ransomware on it and was trying to expose the rest of your network to it? If Server A doesn’t need to talk to B, then don’t ever let it talk to B. Create that little bubble around it, and let it know only about itself and what its job is. It’s a lot of work to set up your network that way. But once you get it there, it lets you sleep a lot better at night because you assume that everything will be a little bit more protected.”

The fourth and final pillar of a zero-trust architecture is the principle of least privilege, McCarthy says.

“Implement least privilege across your network. It’s really explicit trust. Create explicit trust everywhere, remove implicit trust. If an application doesn’t need to talk to another application, if a server doesn’t need to talk to an application, don’t let it,” he says. “Build your network on the idea that nothing is trusted, and then slowly add in what’s going on. That helps you a lot if you get hit by something, because then you’ll be able to see more quickly what the pieces are that are talking to each other. You don’t have to have everybody pointing fingers at each other. So, in general, Zscaler is doing those things across much of their platform for us.”
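The four pillars McCarthy describes, as an added example that is not the article's or the Judiciary's own code: a toy Python policy check in which identity (2FA), device inventory, segmentation and least privilege are all explicit allow rules and everything else is denied, plus a helper that turns constructed flow records into candidate rules for human review. The device IDs, application names and the flow-log format are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical names, not the Judiciary's real inventory).
KNOWN_DEVICES = {"NJJ-PC-0001", "NJJ-PC-0002"}           # pillar 2: asset inventory
# Pillars 3 and 4: every permitted flow is an explicit (src, dst, port) rule.
ALLOWED_FLOWS = {
    ("case-mgmt-app", "case-db", 5432),
    ("efiling-web", "case-mgmt-app", 8443),
}


@dataclass
class Request:
    user: str
    mfa_passed: bool      # pillar 1: identity proven with two-factor auth
    device_id: str
    src: str
    dst: str
    port: int


def evaluate(req, known_devices=KNOWN_DEVICES, allowed_flows=ALLOWED_FLOWS):
    """Return (allowed, reason). Only an explicit rule allows; anything else is denied."""
    if not req.user or not req.mfa_passed:
        return False, "identity: user not verified with 2FA"
    if req.device_id not in known_devices:
        return False, "asset: device not in inventory"
    flow = (req.src, req.dst, req.port)
    if flow not in allowed_flows:
        return False, "segmentation: no explicit rule for %s -> %s:%d" % flow
    return True, "allowed by explicit rule"


def observed_flows(log_lines):
    """Parse constructed 'src dst port' flow records into candidate rules.
    This is how the allow-list is grown slowly: observe, review, then add."""
    flows = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            flows.add((parts[0], parts[1], int(parts[2])))
    return flows


def unexplained_flows(log_lines, allowed_flows=ALLOWED_FLOWS):
    """Flows seen on the wire that no rule explains; these are what to investigate first."""
    return observed_flows(log_lines) - set(allowed_flows)


# Constructed flow log: one sanctioned flow and one Server A -> Server B flow nobody authorised.
SAMPLE_LOG = [
    "case-mgmt-app case-db 5432",
    "server-a server-b 445",
]
```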


Augment Traditional Security Measures to Achieve Zero Trust

CDW Field CISO John Candillo endorses a zero-trust approach to cybersecurity for state government agencies. He says traditional security measures such as a username and password should no longer be considered adequate for government security.

“From a government agency perspective, the reason the government is pushing a zero-trust architecture is to move away from the legacy ideas that you can build a perimeter defense mechanism and trust what access people have if they’re inside that perimeter,” Candillo says.

“For a long time, we’ve made assumptions that are prone to error and get us into trouble,” he adds. “We assume that if you have the username and password, you are who you say you are, and you should have access. That’s a problematic assumption.”

Agencies should not rely on usernames and passwords, nor should they implicitly trust known networks or grant access to familiar managed endpoint devices without authentication, Candillo says.

“Such assumptions have gotten us into trouble when those trusts are broken,” he says.

