Zero trust is a new buzzword, but not a new concept. Depending on what you read, a Forrester researcher coined the term in 2010 or it first came about at the Jericho Forum security consortium a few years before that. Either way, it’s crucial today, although the model isn’t always easy to implement.
“Lately, the changing threat landscape is making this model more critical to safeguard digital assets,” said Rosa Akhtarkhavari, former CIO for Orlando, Florida, who was appointed Deputy Chief Financial Officer in October 2021. “Does it live up to the hype? Is it important? Yes. Can we implement control to where we can feel fully secure? The reality for the city of Orlando and many of the midsize organizations or governments, is it is costly, it is resource-intensive and it is operationally impacting.”
The basic tenets, such as identifying entry points, whether it’s a person interacting with a device or the Internet of Things, and securing them, are doable, as are MFA and authorization, she said.
“But as we start looking at the application and keeping up with the changes to the port level and/or to some of the patterns and actions that continue to change as the workforce continues to change, this is where it becomes too costly and resource-intensive to manage and manage properly without impacting our operation,” Akhtarkhavari said.
Some of the elements Orlando has adopted include least-privilege access and monitoring, but exactly how the city uses them at the network and application levels changes based on risk tolerance and assets’ criticality. “Adding additional control and practices that align with zero trust adds a mitigation layer to the ever-evolving and increasing threats,” Akhtarkhavari said.
With cyber threats and security, the work is never done. Right now, Akhtarkhavari is keeping her eye on emerging threats, including how to handle zero-day vulnerabilities, which are unknown security flaws.
“I would say this is a journey,” she said of zero trust. “We started that journey many years back and we continue to build on it to balance operation with security and continue to function.”
One of the trickiest parts of implementing zero trust is the cultural shift because it requires stakeholder departments and end users to go through more security layers. Still, getting not only buy-in but building a cyber-centric culture is crucial to security’s success. Akhtarkhavari offered two tips for change management:
Raise awareness with employees, but also the management and executive teams. She accomplishes that through:
- Trainings and communications about changes to the threat landscape
- Reminders about best practices for cyber hygiene
- Open dialogues to address questions and
“We deliver the message, ‘Hey, we are still working on this and this is why’ versus ‘Now you will be using this, and you will be using that,’” Akhtarkhavari said. “When people understand the why, they become more accepting of the changes that are coming their way.”
There are times when she cannot share the why, and that can be tricky. But if trust has been established by providing the why most of the time, employees know, when it isn’t shared, that the decisions aren’t being made without regard to operational impact.
Be open about why changes are being made and their operational impacts.
“We understand that control comes with, in some cases, an operational cost, and we make the effort to make sure our operating department understands why some of those controls are put in place,” she said. “We try to do that to make sure they understand we are trying to protect the city and protect our critical assets and protect the employee.”
Best Practices for Aligning With Zero-Trust Security
Akhtarkhavari has straightforward ways to make zero trust happen.
- Don’t trust.
- Know your assets.
- Provide least-privilege access for employees to be able to do their job and nothing more.
- Know who’s accessing your system, whether it’s a device or a person.
- Continually raise awareness.
- Continuously monitor risks and know your trends and your activities.
- Assume there is a breach every time there is an alert, and act on that.
This article is an excerpt from GovLoop’s guide “Why (Zero) Trust Matters at Work: And How to Foster It.”