Zero Trust is Difficult to Deploy, but Vital for Agencies

Presented by CDW-G

For U.S. federal government agencies, deploying a zero trust cybersecurity architecture is a Presidential mandate, but how broadly and cost-effectively they do so has to be a big part of their plan.

The zero trust model has been gaining momentum in the government in the last few years. It got a particularly strong boost with the White House’s May 2021 executive order to improve national cybersecurity. That order mandated all federal agencies develop a plan to implement zero trust architecture, based on the migration steps outlined by the National Institute of Standards and Technology (NIST) within the Department of Commerce.

The push toward zero trust—the concept that users and devices should not be trusted by default, even if they were previously verified—could not come at a better time. Many employees still work remotely or in a hybrid model, using their own devices and networks to access networks. Cloud services usage continues to rise within government, as does demand for digital transactions. Meanwhile, cyber threats such as ransomware are getting increasingly sophisticated and costly.

All of this adds up to more risk for agencies, and the need to be especially vigilant about the identities and authentication of users trying to get access to systems and data. That’s where zero trust can make a big difference. The model is particularly important for cross-domain access, including restricting access to highly secured systems.

Access is Everything

One of the biggest security challenges agencies face is controlling who has access to what information, said Peter Dunn, Chief Technology Officer Federal, and Robert Smith, senior manager of professional services at IT services provider CDW-G. Individuals who think they need to access certain information to achieve a mission, but are blocked by policies, try to circumvent security provisions, Dunn said.

“When it comes to the security of any solution, the user is your weakest link. You could put in the best [tools] and the right policies, and you’re still going to have to worry about the user,” said Dunn.

Because a key component of zero trust is managing identities, the model can help organizations ensure that only qualified users have access to data resources, including cross-domain access.

Identity is a difficult article to manage, however. Many security programs assume that if they have Microsoft Active Directory or another application, that will provide the identity assurances they need to protect their networks. “The problem is, they don’t just need identity,” Smith said. “They need the identity, the credential and the access management, and they all work hand in hand with one another.”

One portion of a solution provides identity management, while another provides credential management, and still another provides access management, all while ensuring that there’s federation between all devices and components and enforcing governance and policies that are required, according to Smith. “It comes down to we don’t trust anything. It’s a constant cycle of revalidating and ensuring that trust is always there,” Dunn said.

Cross Domain Solutions

Agencies might face other challenges when it comes to adopting a zero trust model, Smith said. For one thing, there are the budgetary restraints that can keep agencies from deploying tools and services needed for zero trust. For another, there’s the complexity of implementing these tools and services into existing environments.

Following the executive order, when agencies realized they needed to improve security to meet the mandate, “the biggest problem was everybody believed zero trust was an easy-to-implement methodology,” Dunn said. “But zero trust is not just a matter of buying some new hardware and software. It’s not only the addition of items to the network or policy changes, it’s a mindset change for the way things operate.”

CDW-G is working with more than a thousand industry partners to build and implement technology solutions that support secure cross-domain access in a zero trust environment.

Over the last year or so, “the biggest hurdle for our industry was educating our federal customers and partners alike, so that they could see what zero trust really looked like,” Smith said. Many agencies want to shift to zero trust on an aggressive timeline, when what’s really needed is a methodical approach of implementing it in phases, he said.

Part of the education process involves explaining how zero trust can work for cross-domain access and what tools and policies are needed.

“Unfortunately, when it comes to zero trust, commercial cross-domain solutions provide a portion of zero trust; they don’t provide the whole thing,” Dunn said. “When you’re looking at cross-domain solutions, it also takes the implementation of proper policy, risk management and governance, proper authentication mechanisms and authorization mechanisms, and the constant reminder that nothing on the network is trusted. The difference between normal cyber security and zero trust policy is that zero trust automatically assumes that everything is bad and we don’t trust anything until it’s been completely validated.”

Holistic Solutions

By deploying leading tools and services from a variety of vendors in the market, government customers can get “the latest and greatest in each one of the avenues, from endpoint devices to storage capabilities to security analytics to network monitoring,” Smith said. “One of the benefits of CDW-G working with its partners and its customers is we’re a trusted integrator for the NSA [National Security Agency], so the commercial solutions for classified [data] were already approved and on the list by the NSA.”

These solutions have already been deployed by many customers within the government, Smith said. CDW-G also has a capability called Enterprise Security Management Infrastructure. This is essentially a security suite coupled with support services to provide federal agencies with a platform that can not only monitor what’s going on currently from a security standpoint, but predict what will happen in the future.

Beyond technology tools, “we have individuals who can assist customers with developing policy adhering to governance and making sure they are staying ahead of the threats that are coming out,” Dunn said.

Perhaps the most important thing to keep in mind as agencies move to a zero trust security model is that no one technology tool, policy change or process shift will make an agency a “zero trust organization.” It requires a dramatic change in thinking about security at all levels of the organization.

“They can’t just go and buy another piece of hardware or software,” Smith said. “Zero trust is a holistic solution that needs to encompass all of the facets of their networks, governance, policies, etc.”

Many government agencies might already have 60 per cent to 80 per cent of the technology that’s required to implement zero trust, Smith said. It’s just a matter of realigning existing tools with other pieces that might be missing and creating new policies to enforce the zero trust model. But even if an organization already has most of the tools it needs, that doesn’t mean getting to a full zero-trust state will be simple.

“Zero trust is not convenient; it is going to take time and it’s going to take effort,” Smith said. “You have to evaluate how everything is going to interact with everything else.”

This content is made possible by our sponsor CDW-G; it is not written by and does not necessarily reflect the views of FCW’s editorial staff.
