For federal government agencies that are beginning to implement zero trust cybersecurity frameworks for their IT networks, it is critical to understand that the architecture should be based on the idea of “never trust, always verify.” This means that no entity inside or outside a government agency network is ever implicitly trusted. Zero trust is a bit of a departure from the traditional perimeter-based security models of the past. As a result, moving towards a zero trust architecture environment where continuous verification and authentication are the norm can present government agencies with a bit of a challenge. Consider the following essential zero trust best practices to guide policy decisions and network architecture for your government agency.

Main Principles of Zero Trust

According to the National Institute of Standards and Technology, there are several key principles that make up zero trust architecture.

  • Applications, infrastructure and data sources are all treated as resources.
  • Network location does not imply trust; communication is secured whether it originates from agency-owned or non-agency-owned networks.
  • Access is granted per session, after authentication, with permissions scoped to least privilege.
  • Access decisions for assets, users and services take identity, behavior and environment into account before access is granted.
  • Robust monitoring and logging of devices and applications yields actionable data about the current state of resources.
  • A constant cycle of authentication across identity, credential and access management is strictly enforced.
  • Information about the current security posture is continuously collected and evaluated to drive future improvements.

Why you should implement zero trust architecture

Many government agencies often follow a perimeter-based or “defense-in-depth” model of security. This means that once a user or device has been granted access to a network, they are implicitly trusted, and their actions are not closely monitored.

However, with expanding attack surfaces, the traditional perimeter-based approach is no longer an effective solution to prevent breaches.

Zero trust architecture reduces the risk of breaches by asking all identities, devices and services on a network to authenticate and verify before granting access, and only allowing access to resources based on least privilege.

Zero Trust Best Practices

Zero trust can look different across government agencies. However, in general there are a few key zero trust best practices to keep in mind that should help when implementing this architecture.

  1. Understand current device, user, identity and services architecture

Mapping out current infrastructure is key to fully understanding the scope of an agency’s devices, data, user identities and third-party services. Who are the users? What devices are they using? What applications are they using? What kind of data are they accessing? Without an understanding of users, device endpoints or services and the data they are accessing, it becomes much more difficult to determine a government agency’s full potential attack surface.

The goal of any zero trust architecture is to strike a balance between increased security and frictionless usage for users. Once the full scope of the agency’s architecture is identified, it becomes much easier to assign risk scores and thresholds for certain behaviors.

  2. Establish strong identities

Every user, device or service allowed on a government agency’s network should have a traceable identity associated with it, and the identity model shouldn’t consist only of the traditional admin super user and ordinary agency user. There are a variety of user types across government agencies that all require different levels of access to organizational resources. Establishing strong identities offers an avenue to authenticate and verify that users are accessing resources in accordance with set policies and permissions. This verification can be done in a variety of ways, including by using unified identity management systems.

In most cases, access should be granted based on the user’s identity, the context of the access request, and the risk score of the access request. Policies should be created and updated to reflect a user’s role, specific access needs and the context in which the user is accessing an asset. On occasion, additional verification is needed to ensure that the user is actually who they say they are. In these cases, access layers such as multi-factor authentication (MFA), biometrics or additional certification are necessary.

Beyond extra steps to verify user identities, authorization policies should be dynamic to adapt to changing circumstances, and leverage “just-in-time” privilege elevation.

For example, if a user requires temporary elevated privileges for a specific project, then those privileges could automatically expire and remove permissions when that project ends. Zero trust architecture allows for granular authorization rules that can respond to these types of necessary changes.
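As an added example (not from the article and not a product's code), the per-session decision logic these paragraphs describe: a least-privilege role check, a context-derived risk score with step-up and deny thresholds, and a just-in-time elevation that carries its own expiry. Role names, permissions, risk weights and thresholds are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy table: role -> permissions it may use (least privilege).
ROLE_PERMISSIONS = {
    "analyst": {"case-db:read"},
    "db-admin": {"case-db:read", "case-db:write", "case-db:schema"},
}
STEP_UP_AT, DENY_AT = 40, 70  # assumed risk thresholds for this example

@dataclass
class Session:
    user: str
    roles: set
    device_managed: bool
    agency_network: bool
    mfa_done: bool
    elevations: dict = field(default_factory=dict)  # role -> expiry (JIT)

def grant_jit(session, role, hours, now):
    """Elevate for a bounded window; the grant carries its own expiry."""
    session.elevations[role] = now + timedelta(hours=hours)

def effective_roles(session, now):
    """Base roles plus any elevation that has not yet expired."""
    live = {r for r, exp in session.elevations.items() if exp > now}
    return session.roles | live

def risk_score(session, now):
    """Additive context risk; the weights are constructed for this example."""
    score = 0
    if not session.device_managed:
        score += 30  # unmanaged endpoint
    if not session.agency_network:
        score += 25  # request from a non-agency network
    if now.hour < 6 or now.hour >= 20:
        score += 20  # outside normal working hours
    return score

def decide(session, permission, now):
    """Per-session decision: 'allow', 'step-up' (MFA required) or 'deny'."""
    allowed = {p for r in effective_roles(session, now)
               for p in ROLE_PERMISSIONS.get(r, ())}
    if permission not in allowed:
        return "deny"  # least privilege: no live role grants this
    score = risk_score(session, now)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT and not session.mfa_done:
        return "step-up"
    return "allow"
```

Re-evaluating `decide` on every request, rather than once at login, is what makes the elevation lapse on its own when the window ends.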

  3. Monitor and audit

Monitoring and auditing activity is required to keep tabs on how devices, services, identities and data interact within an agency’s network and offers an opportunity to notice potential threats. However, the best way to spot a counterfeiter isn’t by looking at counterfeits. The best way to spot a counterfeiter is to know all the minute details of what is actually real.

In the same vein, if an agency doesn’t know what normal activity looks like, it becomes even more challenging to identify malicious activity. Monitoring and auditing traffic and keeping tabs on how devices, services, identities and data interact is one of the most effective ways to detect anomalous activity.

Monitoring deviations from a baseline of expected behavior helps indicate when something is wrong. Real-time threat analytics and pattern analysis correlate device activity with network events and continuously evaluate whether that activity lines up with expected behavior and defined security policies. These tools give government agencies the context to detect anomalies and catch suspicious activity.

  4. Use network segmentation

In a traditional perimeter-based approach to security, once a user has been granted access to a network, they have permissions to move laterally through internal networks without the need for additional verification. In this security model, once an unauthorized user gains access through one network, they can potentially access lateral data and applications without too much trouble.

In a zero trust environment, network segmentation can limit the amount of damage an unauthorized user could potentially do in the event they gain access to an organization’s network.

Network segmentation isolates different applications, data and networks to individual spaces with limited entry and exit points, making it much harder for unauthorized users to move laterally to access additional information.

Defined security controls within a segmented network make breaching a network a much more challenging and less enticing task to would-be attackers.

  5. Organizational responsibility

At the end of the day, zero trust is an entire organization’s responsibility, and internal policies and activities must work in concert with any implemented technology.

For example, when somebody leaves an organization, an automated policy could immediately assign someone the responsibility of verifying that the departing user no longer has access to systems. Sure, unified identity management systems can revoke that access automatically. However, someone should attest after the fact and review to ensure that the access is really gone. Whether that happens within 24 hours or two days later is determined by organizational policy.

Though technology is often a main focus for organizations first pursuing a zero trust security strategy, successful implementation requires cooperation from every department. Though many may prefer to try and silo “zero trust” into IT, every department including operations, HR and management all play a part in maintaining a secure zero trust environment.

Transitioning to a zero trust environment can be a challenge. However, these zero trust best practices are highly recommended steps in an ongoing and evolving process. By starting out with these zero trust best practices in mind, your organization is equipped with a roadmap to successfully protect against potential breaches.

About the Author

Chris Roberts

Chris Roberts is a seasoned technology leader with over 25 years of experience in the industry, having held various engineering and sales roles at market-leading companies such as Microsoft, Dell, and Quest Software. Currently, he serves as the Director of Federal Sales Engineering at Quest Software Public Sector Inc., where he leads a multi-disciplinary team of IT professionals. Their mission is to support governmental agencies with comprehensive software solutions around Zero Trust, securing Active Directory against unwanted intrusions, managing privileged access, and providing advanced recovery and governance tools. Previously, as a Senior Solution Architect at Quest Software, Chris focused on building and delivering innovative solutions for IT operations in enterprise customer environments. His expertise lies in modernizing legacy workloads and specializing in performance analytics for large-scale applications in both private and public cloud spaces. At Microsoft Corporation, Chris held roles as an Architectural Engineer and Principal Technology Specialist. He was instrumental in driving the introduction of technologies considered the standard in enterprise IT today while driving customer sales and success programs, delivering comprehensive technology roadmaps, and leading competitive opportunity management. Chris studied Computer Science and Marketing at the University of Maryland and Andrews University. His specialties include public speaking, enterprise software architecture, virtualization, cloud analytics, identity management, and technology management, among others. His track record of success, combined with his extensive knowledge and skills, make him a credible voice in the technology industry focused on solving challenges within the federal government.
