Two years after the "Cyber EO" named zero trust as the security architecture of the future, and one year into implementing the Federal Zero Trust Strategy, federal agencies have made important progress in predicting and identifying roadblocks. With the first major deadlines coming at the end of 2023, this year is critical for figuring out how to overcome the barriers identified so far.
Resource Issues
A survey found that 35% of federal CIOs say they have "intermediate or advanced" zero trust capabilities in place, but there are concerns about having the right resources and funding to fully meet administration mandates. Nine in 10 respondents agreed a key step is having a zero trust assessment performed by an outside resource to identify gaps and key focus areas, but contracting and finding funding for this effort are difficult. With this assessment, existing resources can be assigned to the most critical and impactful areas, and the need for additional funding and resources can be prioritized. Funding specifically earmarked for zero trust will be in FY24 budgets. This funding is determined by aligning the work and tools needed across each capability area.
Technical Issues
Log management has been identified as a key challenge in meeting zero trust goals. There is a need to dramatically scale up infrastructure and create applications to collect, store, and analyze the log files required to provide the necessary audits and access. This could mean a 40-fold increase in log files as well as additional staff to manage it all. As agencies examine the steps they need to take to achieve zero trust goals, they are unearthing (not surprisingly) large amounts of technical debt due to the cost of coordinating overall ongoing IT modernization and the new, more cybersecurity-focused investments being made for zero trust.
Meeting the Challenge
Agencies are making strong progress toward zero trust as they utilize other modernization efforts. The Navy has introduced Flank Speed, an enterprise cloud environment for daily work. The use of cloud has allowed the Navy to extend zero trust architecture approaches across the enterprise. Flank Speed allows Navy personnel to use systems and applications without a VPN - a major goal of the Cyber EO.
The DoD's Comply-to-Connect (C2C) program is helping bring the Department into compliance with zero trust goals. This approach leverages least privilege principles to ensure visibility into who and what is connecting to systems at all times. This helps protect access to data resources and assets with complete device identification, device and user authentication, and security compliance assessment. This effort is highly automated, including moving non-compliant devices through routine security administrative functions.
GovEvents and GovWhitePapers have a wealth of resources to help you stay on top of zero trust best practices.
- 2023 ATARC Zero Trust Summit (March 23, 2023; Washington, DC) - This session will discuss the specific challenges Federal agencies have run into and how they've been able to support their zero trust goals. These include complexity of federal networks, meeting compliance requirements, and collaboration across agencies.
- One True Zero Live Minneapolis (April 5, 2023; Minneapolis, MN) - Separate zero trust fact from fiction. You'll discover lessons your peers have learned in achieving the promise of a true zero trust platform and walk away with practical insights you can share with your colleagues to strengthen your security posture, streamline access to applications, and deliver an optimized digital experience for your hybrid workforce.
- Tackling the Challenge of Operational Technology Security (April 18, 2023; webcast) - Leaders often overlook security measures for operational technology (OT) and industrial control systems (ICS), such as building automation systems, physical access control systems, and physical environment monitoring systems, as well as implementing a zero trust architecture. Thought leaders in government and industry will discuss the steps that agencies should take to protect their OT.
- Zero Trust Implementation (April 20, 2023; virtual) - Although the principles of zero trust are widely accepted, implementation is a detailed and time-consuming process. This virtual workshop will focus on the 'How To' of implementing zero trust and the associated lessons learned to date.
- Lessons Learned from Maturing Zero Trust (white paper) - To assist agencies in moving beyond the planning and initial deployment of zero trust, ATARC hosted a roundtable to discuss the shifting scenario of zero trust in light of the new requirements. Read about the insights, suggestions, and feedback from government experts who discussed their planning for and progress.
- Application Security Framework for Zero Trust (white paper) - As best practices suggest, using a hybrid approach where prescriptive access policies are enforced by default but are given less weight individually as behavioral information for a specific user is the most effective. Learn how to apply these in line with zero trust architecture.
Explore how agencies are meeting zero trust goals on GovEvents and GovWhitePapers.