Best practices for enabling zero trust in a government agency

If we go back even just a few years, securing users, applications and data that an agency used was relatively straightforward. Users were tied to their desks and applications, and data resided in a data centre inside the agency, writes Or Katz.


Security was all about building a strong perimeter defence to keep attackers out and to stop agency data from being compromised or stolen. For the users who needed remote access, deploying a VPN solved that need.

The security mantra was very much about trusting a user and device because it was “inside” the network, and granting network level access based on that fact. Inside = good. Outside = bad.

But everything has changed. Users are no longer tied to their desks, and they now need access to applications and data no matter where they are and irrespective of the devices they use.

It’s not just agency employees who need access to agency applications and data; there are contractors, temporary employees, vendors and other third parties who need that same availability of access.

Applications may still be located in the agency data centres, but apps are increasingly hosted on one or more public cloud services, and Software as a Service (SaaS) applications are being adopted by agencies to help accelerate the modernisation of services.

The agency perimeter has evolved, and employees are now segmented into different user groups with different accessibility needs. Users are accessing applications that are no longer considered inside the perimeter of the agency.

Trying to apply agency security controls using the methodology and tools that worked in simpler times is a very bad idea.

Security that was built up over the past 20 years using stacks of security boxes has become so complex to manage and is now so fragmented that it appears relatively simple for the bad actors to infiltrate a network and remain undiscovered for months — and in extreme cases, for years.

Shift in the cyber threat landscape

This is evidenced by spates of attacks aimed at the Victorian Government, Queensland and South Australian healthcare systems, and even Parliament House. The government is aware that the cyber threat landscape has shifted and evolved dramatically in recent years, and as such, is in the process of consulting with experts and industry to develop a new cyber security strategy for the coming years.

One of the critical areas that government should look at first is implementing a zero-trust model within all agencies. Zero trust is not a new concept; it was first proposed by analysts at Forrester Research in 2010, and it has now started to gain significant traction.

So, what is zero trust? In a nutshell, zero trust assumes that every user, every server and every request is untrusted until proven, and that trust is continuously and dynamically assessed every time a user or device makes a request to access a resource.

It does not matter where the user is located, what device they are using, or whether the resource sits in a data centre or is hosted on Infrastructure as a Service (IaaS): each transaction is suspicious until proven otherwise. This approach no longer relies on a trusted perimeter; in fact, the perimeter no longer exists, and there is no longer an inside or an outside.

However, completely transforming to a zero-trust security model is not something that can be done overnight. The reality is that this is likely a multiyear strategic transformation project, as it takes time to implement these types of major network and security changes. Below are three tactical actions that agencies can take as a way to start their zero-trust transformation.

  1. Move from network access to per-application access. Giving full network access increases an organisation’s attack surface, exposing the network to more threats and making it easy for bad actors to move laterally when they gain access. Access should be restricted to the applications users need to do their jobs; if they only need access to HR apps, then why should they have access to finance apps? Start with apps that are easy to transition — for example, web-based applications or new apps that are being rolled out. Then conduct a zero-trust assessment to help develop a strategic plan to move from an agency’s current state to a zero-trust framework. The assessment would typically include profiling users and applications (who needs access to what) and reviewing the agency’s current security architecture. The plan should have a phased approach to moving all applications, including the agency’s legacy on-premises apps to that new framework.
  2. Eliminate your VPN for specific user groups. A zero-trust security framework requires that agencies stop trusting their users’ endpoints implicitly and work to decommission legacy access — including VPN and privileged corporate Wi-Fi/Ethernet segments. Start by provisioning access based on user groups and roles, especially high-risk user groups such as contractors. Apply policies that tie each role to only the applications it needs, which reduces the attack surface when a device is compromised.
  3. Start to reduce the complexity of your existing security stack. A traditional perimeter usually consists of numerous hardware or virtual appliances for access control, such as VPN appliances, identity providers, single sign-on and firewalls, plus secure web gateways for application delivery and performance. Once the agency adds in redundancy and regional deployments, that can add up to a huge number of appliances that need to be deployed, managed, maintained and (let’s not forget) patched. One way to move away from the traditional perimeter is to adopt cloud-based security services. Start with the integration of smaller locations: instead of backhauling their traffic to the agency’s central site for inspection and control, they can send some or all of that traffic direct to the internet via a cloud-based platform. That allows the agency to reduce the complexity of security at those smaller locations and to cut the cost of backhauling traffic over expensive Multiprotocol Label Switching (MPLS) links.
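The definition of zero trust given above (every request untrusted until proven, wherever it comes from) and the first two actions (per-application access tied to roles, posture checks instead of implicit endpoint trust) come down to one thing in practice: an access decision that is made afresh on every request and that starts from deny. The Python below is an added example written for this page, not code from the article or from Akamai. The application names, roles and device-posture attributes are hypothetical, standing in for whatever an agency’s identity provider and endpoint agent actually report.

```python
"""Per-request, default-deny access decisions.

Added example, not code from the article or from Akamai. Application names,
roles and the device-posture attributes are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request. Everything here is re-supplied on every call."""
    user: str
    roles: frozenset
    app: str
    device_managed: bool   # enrolled in agency device management (assumed signal)
    device_patched: bool   # posture attested by an endpoint agent (assumed signal)
    mfa: bool              # strong authentication completed for this session
    source_network: str    # "corp", "vpn" or "internet"; recorded but never trusted


# Role -> applications that role may reach. An app absent from every role a
# user holds is unreachable for that user: there is no "all apps" grant.
ROLE_APPS = {
    "hr-staff":   frozenset({"hr-portal", "payroll"}),
    "finance":    frozenset({"finance-ledger"}),
    "contractor": frozenset({"ticketing"}),
}

# Per-application posture requirements. Internal apps demand a managed,
# patched device; the contractor-facing ticketing app accepts an unmanaged
# device as long as it is patched and MFA was completed.
APP_REQUIREMENTS = {
    "hr-portal":      {"managed": True,  "patched": True},
    "payroll":        {"managed": True,  "patched": True},
    "finance-ledger": {"managed": True,  "patched": True},
    "ticketing":      {"managed": False, "patched": True},
}


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). The request starts denied and must earn 'ok'.

    Note what is NOT consulted: req.source_network. Being on the agency LAN or
    the VPN buys nothing; only identity, role and device posture do.
    """
    reqs = APP_REQUIREMENTS.get(req.app)
    if reqs is None:
        return False, f"unknown application {req.app!r}"
    reachable = frozenset().union(*(ROLE_APPS.get(r, frozenset()) for r in req.roles))
    if req.app not in reachable:
        return False, f"no role held by {req.user} grants {req.app}"
    if not req.mfa:
        return False, "MFA not completed"
    if reqs["managed"] and not req.device_managed:
        return False, "unmanaged device"
    if reqs["patched"] and not req.device_patched:
        return False, "device posture check failed"
    return True, "ok"


def evaluate_session(requests):
    """Evaluate each request on its own merits. An earlier 'ok' is not carried
    forward, so a device that falls out of compliance mid-session is cut off
    at its next request."""
    return [(r.app, *decide(r)) for r in requests]


def demo():
    """Constructed sequence of requests; returns the per-request decisions."""
    alice = frozenset({"hr-staff"})
    bob = frozenset({"contractor"})
    session = [
        # HR user, healthy managed device, on the agency LAN: allowed to HR apps...
        Request("alice", alice, "payroll", True, True, True, "corp"),
        # ...but the LAN does not extend that to finance.
        Request("alice", alice, "finance-ledger", True, True, True, "corp"),
        # Same user, same device, from home: identical outcome to the LAN case.
        Request("alice", alice, "payroll", True, True, True, "internet"),
        # Posture agent now reports the device unpatched: denied from here on.
        Request("alice", alice, "payroll", True, False, True, "corp"),
        # Contractor on a personal laptop reaches only the ticketing app.
        Request("bob", bob, "ticketing", False, True, True, "internet"),
        Request("bob", bob, "payroll", False, True, True, "vpn"),
    ]
    return evaluate_session(session)


if __name__ == "__main__":
    for app, allowed, reason in demo():
        print(f"{app:15} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The point of the sequence in `demo()` is the contrast with the "inside = good" model: the same user on the same device gets the same answer from the LAN and from the internet, the LAN does not let an HR user reach the finance ledger, and a posture change part-way through a session changes the answer on the very next request rather than at the next login.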

The three key points to consider for the transformation are: controlling users’ access to agency assets and applications; segregating access by user group, gradually removing full network access where it is not necessary and eliminating VPN services to reduce the threat surface; and monitoring agency entities and devices so that only authenticated, verified users and devices are granted access.

It’s not an easy task for agencies to completely transform into a zero-trust architecture; it’s a process that requires planning and careful execution. Yet with the evolving threat landscape – which has seen numerous pieces of data stolen, passwords reset and investigations launched – agencies have no choice but to pursue and adopt these changes.

*Or Katz is Principal Lead Security Researcher and Head of Research for Enterprise, Akamai
