The year 2020 has highlighted the many problems of a perimeter security model. As employees and contractors work remotely, applications leave agency data centers, leading adversaries to exploit the soft underbelly found inside the perimeter.
Security inspection is moving from the data center to the edge, closer to employees and applications. Agencies now have the opportunity to optimize.
“Any assumption that a user should be trusted because they’re on an agency network should be challenged,” said Patrick Sullivan, Chief Technology Officer of Security Strategy for Akamai, a global cloud security company.
Agencies have traditionally operated off the assumption that if the perimeter is secure, their data is too. But in a distributed environment, that isn’t necessarily the case.
In an interview with GovLoop, Sullivan shared several tips for how agencies can transition to a secure remote environment.
See Flaws in the Status Quo
The perimeter security model is failing to protect agencies’ most critical data, Sullivan said. Once inside these architectures, attackers can consistently exploit the model with easy lateral movements throughout the network, often guarded by virtual private network (VPN) connections.
But were VPNs really meant for the challenges of 2020, when multiple devices use the same connection and multiple family members use the same device? No, Sullivan says.
“Lacking office controls in unpredictable environments, that further underscores the challenge in granting trust at the network layer via something like a VPN,” Sullivan said.
Furthermore, once logged onto a VPN, employees often receive an access grant to the network that’s valid for hours at a time. Without security nearby or office firewalls, that autonomy can be a vulnerability.
Understand Zero Trust
Enter zero trust. Zero trust is a security architecture that increases scrutiny of access, moving from a grant to access the network to interrogation for each request. Interrogation can include checks for business needs, device posture and anomalous requests down to the application or data layer.
It works much like a hotel key card. The card authorizes access to the building, community rooms – like laundry and workout rooms – and the guest’s room. It doesn’t, however, open others’ rooms or employee-only facilities.
Not only does zero trust limit what users can access, but it also verifies users’ identity and permission levels every time they request access – in contrast to excessive permissions often given in VPN sessions.
Not coincidentally, zero trust is designed for remote work, mobile and cloud environments.
Go Step by Step
Make no mistake: Zero trust is a transformation, not a tweak.
And yet, agencies can approach it incrementally. Guidance from the National Institute of Standards and Technology outlines steps for adopting a zero-trust architecture. Vendors such as Akamai can help design a plan for how to move to zero trust without disrupting business.
Agencies can even prioritize certain communities or applications for zero trust. The process doesn’t need to be all or nothing.
“The big takeaway is, this isn’t something that you do all at once,” Sullivan said. “It’s a continual set of steps and you learn from each one as you go.”
This article is an excerpt from GovLoop’s recent guide, “Your Data in the Year of Everything Else: A GovLoop Guide.” Download the full guide here.