Security modernization is top of mind for government agencies, especially with increasingly complex hybrid environments and more mobile work. At the same time, IT budgets are shrinking, and the cost to maintain aging legacy infrastructure continues to grow.
To combat this, public and private sector organizations are turning to cloud-based tools. Goals include enabling posture-driven, conditional access and zero-day threat sharing. Large enterprises need to simplify the security environment with cross-platform automation that provides secure access to applications and data.
While there is no one tool to provide all capabilities, a zero trust security model provides ubiquitous policies based on identity – meaning the user will have the same experience anywhere they are. This provides consistency within organizations. Users have the ability to seamlessly access applications and data in cloud environments and data centers, while IT administrators balance security and control.
There are six core capabilities of zero trust that agencies can include to modernize their security environments.
1. Seamless direct access to external and internal applications
Zero trust gives users direct access to external (internet or SaaS) and internal (data center, IaaS, PaaS) applications and data, remotely and securely. Rather than backhauling traffic through virtual private networks (VPNs), this reduces traffic and latency, while improving the user experience. As telework requirements expand, users need to be able to work on their server and connect to data in data centers and clouds from their homes.
2. Context-aware access
Access policies should correlate between user, device, application, and other aspects of the environment. As agencies build context-aware access policies, they should include vendors, architects, users, privacy teams, compliance teams, and mission delivery teams in the conversation. It is important to have representation from all the teams involved to form a symbiotic relationship and a united organization.
Users should only be given access to resources and applications necessary for their job functions. Agencies should develop a zero-trust security model, where only authorized users will be granted access to authorized applications. As attack surfaces grow with more distributed environments, this can further limit east-west traffic on the network so that users will not reach applications they were not intended to reach.
3. Flexible deployment across all users and locations
A cloud-based zero trust service can provide a scalable environment without placing a significant burden on the IT team. Organizations need different policy requirements that allow flexible deployment for teams to deploy tools as quickly as possible. It should be seamless to scale capabilities up or down, without having to deploy new on-premises hardware or additional licensing.
Deployment can be simple. Many federal agencies already have aspects of zero trust in their infrastructure, including endpoint management, continuous diagnostics and mitigation, software-defined networking, micro-segmentation, and cloud monitoring.
To get started, agencies should identify their most significant pain point and define a zero-trust use case that addresses that issue. Then, they can implement multiple use cases for a solution that spans multiple scenarios and user communities.
4. Seamless user experience
It is important to focus on the user experience. Make security and access as transparent as possible, especially when accessing critical agency applications and key collaboration tools. Legacy VPNs backhaul traffic through the security stack, creating a poor user experience and significant latency – especially as agencies scale up telework. Instead, zero trust connections provide direct, secure access to applications in any location.
5. Comprehensive visibility and troubleshooting that enables rapid user-issue resolution
Zero trust provides IT administrators with a single pane of view to manage, administer, and log users in one place. Administrators will have full visibility and control into the distributed environment. Zero trust technologies improve visibility and troubleshooting. This enhances the user experience and promotes efficiency within the agency.
6. Security and compliance tools to mitigate cyber threats and protect applications and data
By using cloud-based security and compliance tools as part of a zero-trust security model, agencies are able to protect data and applications without having to go through frequent updates. This can free up time for agencies to focus on more critical mission needs and on improving policies, instead of patching security holes.
As technology evolves, cloud mobility is the disruptor and accelerator of digital transformation. Telework requires a new approach to security. Cloud-delivered zero trust Security Access Service Edge (SASE) models will transition security from network-centric controls to user-centric and application-centric security, designed to support highly distributed teams working beyond the traditional network perimeter. This “new normal” allows IT to become digital business enablers by adopting new security tools and technologies in the cloud to deliver government missions, and promote transformation from a top-down initiative.