Governments, at all levels, face enormous pressure to provide innovative, seamless experiences for public servants and citizens while also safeguarding highly sensitive data. However, the public sector often lags behind the private sector’s digital transformation pace, likely due to protracted budget cycles and rigid procurement practices.
Trying to provide a positive user experience for end-users with outdated or inadequate technology, contributes to far more complex network infrastructures. Vendor and solution sprawl, coupled with workarounds built to get disparate systems to work together, make visibility an increasing challenge, and at the same time, create an attractive target for cybercriminals. Worse, these workarounds often need to be reconfigured every time a system requires an upgrade, which leads to overworked security teams or networks in desperate need of upgrades.
To establish and maintain cybersecurity best practices and still enable digital transformation, public sector CTOs and CIOs should consider a Zero Trust Access (ZTA) approach as a long-term goal and begin now by adopting necessary interim steps.
Why Zero Trust?
In a traditional network, users and devices within the network perimeter are often implicitly trusted, allowing some degree of lateral movement across the network that unauthorized or compromised users and devices can exploit. ZTA, on the other hand, assumes that every device, user, and application attempting to access the network constitutes a potential threat, whether connecting from inside or outside the network.
ZTA starts by requiring multi-factor authentication for all users and devices seeking access to network resources. Devices are subject to scrutiny based on the type of device, OS version, installed patches, and updated security tools, while users are subject to contextual policies such as location, time of day, role in the company, and more. And once authenticated, access is restricted to only those resources needed to perform their job (least access privilege), while all traffic is logged, inspected, and monitored throughout the entire session.
ZTA offers a compelling solution in the face of today’s multi-edge distributed networks, new hybrid work models, and the increasing frequency and severity of cyberattacks. It enables granular control over who and what is on the network at any given moment. However, providing access to the resources needed to support remote workers and ensure optimal user experience, requires levels of visibility and control that can be a challenge for public sector organizations, due to hardware and software requirements and necessary business process changes.
Fortunately, Zero Trust is more a philosophy than a network architecture. Many organizations will find it possible to leverage their existing infrastructure to initiate many aspects of a ZTA implementation. Further, an incremental approach as part of a larger strategic plan could be an attractive option for the public sector, allowing them to deploy protections and controls over time. With that in mind, here are a few ways leaders in the public sector can start preparing for ZTA today:
While Zero Trust is widely recognized as an industry best practice, many organizations have been slow to implement it. However, this has led to a shocking increase in ransomware attacks — fueled in part by having to provide broad access to critical resources to remote workers without proper access controls in place.
So, while mapping a path to ZTA, it is critical to first understand the risks of accessing critical data, applications, and other resources. And second, understand and assess organizational goals so decision-makers can prioritize how to evaluate, select, and introduce the processes and tools required. Public sector IT security leaders must ensure organizational buy-in by communicating the strategy behind ZTA and its benefits, as well as the risks it is designed to address. Without organizational buy-in and participation, implementation could meet with resistance.
The next step involves identifying any sensitive data and assets that need to be secured. Understanding what resources, data, and applications are on the network and what individual users should or should not have access to, is a critical but time-intensive step that organizations should take now—whether or not ZTA is implemented. The information gathered will help to develop policy and governance components essential in any organization, especially when planning a full ZTA implementation down the road.
Focus on Identity
Identity is another fundamental part of a ZTA implementation. Many organizations have already adopted multi-factor authentication, putting them on the road to Zero Trust. However, ZTA requires authentication at many points and identity federation with cloud and on-premises systems, ideally aided by real-time machine learning (ML) or artificial intelligence (AI).
For those organizations pursuing ZTA, a reasonable interim goal should focus on intent-based segmentation, which interprets business and security requirements and then automatically applies a specific segmentation policy to protect and isolate workflows and applications. Intent can also be defined by creating internal network segmentation based on rules for particular sets of users.
Additionally, the discovery and identification of all devices on the network—whether a laptop, phone, network server, or IoT device, whether a printer or security camera—gives security teams the insight they need to establish baselines and apply proper access controls. Network access control solutions that support data collection can help provide the visibility required to identify and monitor all devices seeking access to or already on the network. Integrating those controls with next-generation firewalls (NGFWs) can also help enable intent-based segmentation.
Plan for the cloud
As organizations look ahead, cloud technology offers several key benefits for public sector ZTA implementation: security, resilience, efficiency, cost, and service availability. Further, cloud solutions often provide technologies like AI and machine learning (ML) which can ease IT teams’ workloads by helping manage the continuous validation and device monitoring required by Zero Trust. And for applications residing in the cloud, Zero Trust Network Access (ZTNA) is an easy and affordable way to provide secure access to remote workers. It is also another step along the path to full implementation.
ZTA is coming. The best approach is to prepare now For the public sector, Zero Trust Access is just a matter of time. While full implementation may still be down the road, organizations should take steps now to prepare. This list of interim measures can help make the task seem less daunting because it takes advantage of existing network elements, like multi-factor authentication and easy-to-deploy technologies like ZTNA. By focusing on these critical areas, public sector organizations can improve their overall security posture by simply working with what they have and then adding Zero Trust capabilities over time.
Working your Way to Zero Trust in the Public Sector
Reforms, Election and Cyberspace
Immunity passports, a looming election, digitizing, and diversity
Leadership, Strategy and COVID-19 vaccines
Zero Trust with Zero Nonsense
Digital transformation is accelerating with key shifts such as the expanding Hybrid Workforce and the continued migration of applications and…
Canadian financial inclusion in digital payments
In this episode of CGE Radio, hear about digitizing government payments. Robert Hyde, CEO at Payment Source and Jennifer Tramontana,…
Accomplishment: Sir Michael Barber delivers on his new book, government and how to achieve challenging things
In this episode of CGE Radio, we catch up with Sir Michael Barber to discuss his new book, the state…
Work-integrated learning: Empowering the future of Canada’s workforce
In this episode of CGE Radio, we will get into work integrated learning. We will talk about what works and…