The belief that the government should treat all of its data and services as if they were exposed to the public internet might sound extreme. But this is the foundation for a zero-trust approach to cybersecurity. This approach forces agencies to protect assets differently, from a stance that assumes a breach has likely happened.
“The sets of problems that people hope to solve with zero trust are moving away from checklist-oriented security and into provable things that we can actually assert and show continuously, while an application is in use and running,” said Zack Butcher, Founding Engineer and Head of Product at Tetrate.
Growing interest in supporting secure distributed workforces and more digital services, coupled with U.S. government mandates, is driving zero-trust adoption and the need for continuous education.
Tetrate’s support of those efforts means a relentless focus on managing the complexity of hybrid cloud applications and fostering partnerships with government agencies, including the U.S. Air Force and NIST. Part of that work includes co-authoring publications to help build awareness. Butcher is also connecting the dots between zero-trust outcomes and specific NIST security controls or safeguards. (There are more than 1,000 that he and others are researching.)
“The challenge is, how do I actually start to approach this problem?” Butcher said of the quandary that agencies face. “Because zero trust is less of a blueprint and more of a design philosophy, there are potentially many ways to implement a zero-trust architecture (ZTA).”
Building on a Service Mesh
Tetrate is a big proponent and implementer of service mesh. Think of it as a foundation for building zero-trust capabilities.
Service mesh is a dedicated infrastructure that provides a way to manage how different parts of an application communicate with one another. This is increasingly important as agencies seek to break down massive applications, such as financial systems, into smaller, usable services that are easier to maintain. For users, that means more seamless updates and added features to systems they rely on.
“Service mesh allows agencies to build a ZTA without ripping and replacing current technologies,” Butcher said. “It also ensures they don’t disrupt how employees work and interact with applications.”
This approach has been instrumental for the Air Force’s Platform One, a centralized collection of automated software tools, services and standards that is increasingly being used across the Defense Department. The goal is to enable programs to develop, deploy and operate applications in a secure and flexible way.
For the Air Force and others, service mesh streamlines and eases the burden of enforcing security measures across applications. That means empowering developers to think about security holistically.
“As an application developer, you can really start to focus on just the things that add value to your users,” Butcher said. “That’s maybe the single biggest superpower that the service mesh provides.”
This article is an excerpt from GovLoop’s guide “Why (Zero) Trust Matters at Work: And How to Foster It.”