What a successful federal zero trust implementation looks like
Gettyimages.com / Sarayut Thaneerat
Beau Hutto, vice president of federal at Netskope, lays out three major steps for companies to take for themselves in zero trust before translating those benefits to their customers.
The new White House executive order on cybersecurity has been positioned by the administration as a means to promote cyber innovation while increasing protection against foreign adversaries and criminals.
While the EO aims for a less prescriptive approach to cybersecurity relative to orders by previous administrations, the zero trust framework will remain an essential component of cybersecurity for the federal government.
For example, the Department of Defense has recently doubled down on its commitment to the Cybersecurity Maturity Model Certification initiative. Contractors who have successfully navigated the CMMC journey have found that the key to achieving certification grew out of the adoption of an optimized zero trust network architecture.
Consequently, it will remain essential for those companies to have implemented zero trust and immediately translate those benefits to client environments.
Streamline your processes
This step begins by integrating with your tech stack. Simplification of management represents a critical step toward a zero trust architecture. To that end, use a platform for zero trust that can work with any workload or application. For example, integration with the firm’s human capital management system makes it easier to decide what access each employee should have.
Make it easy on the auditors by using tools that bring together all the relevant compliance data in a way that makes it easy to display to auditors. In the case noted above, auditors told the contractor that one portion of the CMMC assessment that normally takes a day and a half to get through was achieved in 45 minutes simply due to convenient data displays.
Maximize technology
Leveraging the cloud is crucial. High-performance security cloud platforms enable organizations to deploy security at the network edge wherever and whenever needed.
When modernizing zero trust controls for long-term efficiency, organizations should avoid replacing their legacy security with the next generation of the same technology they had before. It is critical to evolve to services built within a SaaS-based, single-pass architecture, creating the ability to move security controls to a cloud-based security stack that allows the organization to move away from legacy on-premise hardware with no strings attached.
Secure the organization
When managing policy decisions and enforcement, use tools for secure zero trust access to private apps rather than virtual private networks (VPNs) to streamline management of policy decision points, the point at which the network evaluates whether a user has permission to access a certain resource.
Also place focus on policy enforcement points, which either permit or prohibit users access to those resources. These points are fundamental to successful zero trust implementations.
Data protection tools must be used and maximized. Protect endpoint devices to enhance visibility, transparency and understanding of the organization’s security posture. Visibility to endpoints and data in transit enables contractors to make, finetune and enforce effective policies.
Select tools, such as Data Loss Prevention (DLP), work in the background to enable employees, consultants and partners to operate securely but without the digital friction security can create in a traditional IT infrastructure.
Strong and clearly-defined service level requirements for availability result in more reliable platforms.
Contractors that handle sensitive data for government agencies must comply with the highest cybersecurity standards in order to remain eligible for contracts supporting mission-critical federal programs. That means adhering to the National Institute of Standards and Technology (NIST) 800-171 guidelines for protecting CUI in non-federal systems and organizations, as well as DFARS regulatory clauses for safeguarding DOD information and cyber incident reporting.
Consequently, contractors must prepare to ensure compliance with stringent cybersecurity requirements in order to maintain and grow their business with the DOD as well as other federal agencies.
By implementing a zero trust network architecture, contractors can smooth the path to compliance.
Beau Hutto is the vice president of federal at Netskope.