During the pandemic, federal agencies shifted many of their operations to distributed networks in support of remote work, and that trend has continued. The change enabled work to continue, but it also created new cybersecurity challenges.
As agencies embrace new ways of working, including remote and hybrid models, the attack surface expands exponentially. New vulnerabilities are introduced, increasing the likelihood of a data or security breach. Government and contractor personnel who access mission-critical IT networks, data, applications and other confidential information from countless sources and devices create new opportunities for security threats and attack vectors to emerge.
In a hybrid or distributed working model, government organizations may have limited control over which networks and devices their employees are using to access data and systems.
Perimeter defense was the best offense
Historically, federal agencies have guarded against cyber threats with a traditional on-premises strategy. Most of the people, hardware and networks were on-site in agency facilities. This provided one castle-like location with walls (firewalls), a moat (a subnetwork called the demilitarized zone or DMZ that isolates outward-facing services from the rest of the organization’s network) and a drawbridge (access control).
In this scenario, security tools such as firewalls and anti-malware treated anything outside the organization’s perimeter as bad, or at best, risky. Everything inside the network was considered trusted. Called the perimeter defense model, it was effective in the days before remote work became prevalent.
In today’s hybrid world of work, a perimeter defense approach is past tense. With employees working remotely, their organizations must establish contextual relationships with them and ensure they are who they say are. An employee’s home network or a public Wi-Fi connection is much harder to secure than the office network. Tools such as virtual private networks (VPNs) help, but there are still many variables with which cybersecurity professionals must contend.
How zero trust combats complexity
This new environment is borderless and complex, which calls for principled and comprehensive approaches. Zero trust is critical to securing the hybrid workplace.
The guiding principle of zero trust—to “never trust, always verify’’—calls for organizations to always authorize and authenticate, use a least-privilege paradigm, reduce attack surface and assume breach. When organizations adopt the zero trust mindset, they commit to protecting workers and their data. Zero trust puts all-day, everyday enforcement of agencies’ access policies into practice. The right people access the right resources using the right devices and applications.
Attackers are stymied at every turn in a zero trust network. For example, if the threat actor can work around user authentication, the system will still deny their unrecognized device. The principle of least privilege limits employee behavior, too; employees can access all of the resources they need, but none of the ones they don’t, providing a safeguard against insider threat.
Beyond security—more benefits of zero trust
The zero trust network architecture also supports the critical requirements for compliance auditing and monitoring. It improves oversight through visibility into user activity, device access and location, credential privileges, application states and other key factors with dynamic monitoring. Additionally, it provides more data on specific network resources that have or have not been breached. Leveraging all of these data points is important for maintaining security and protection.
The zero trust journey is part of a wider conversation about the new hybrid workplace. Zero trust impacts all employees in many ways, including changes to how they work and access to data, and changes in security learning curves. This highlights the importance of linking the benefits of hybrid work and security improvements, versus maintaining the status quo of yesterday’s perimeter security mindset. As federal agencies continue to adopt remote and hybrid work, clear communication and engagement with employees and third-parties enable the transition to be shared experience of re-defining work and productivity.
For many agencies and government organizations that fully embrace remote and hybrid work, zero trust is no longer optional. Its time has come.