The pandemic has completely rearranged day-to-day operations and rendered the traditional perimeter more or less obsolete. In turn, many federal agencies have accelerated their efforts to implement a zero-trust architecture (ZTA). The Department of Defense has been particularly vocal about the potential for ZTA to improve security in the wake of increased remote work, but has also expressed concerns about how to manage it.
Zero trust is a journey, though, and manageability indeed should be part of it. In some sense, the government has been doing “zero trust” for decades, but in an extremely segmented manner. To make it more operational, agencies should first focus on consolidating identity solutions. Doing so enables behavioral analytics, which keeps security tight while preventing friction in the workplace.
The trouble with segmented “zero trust”
Historically speaking, zero trust has simply referred to microsegmentation of firewalls and the occasional enclave that requires authentication. With such a setup, IT pros have no idea what users are doing within that enclave, much less when they come back out. Each enclave stands alone, with its own authentication system. The agency only understands bits and pieces of the users, while an overarching operational view is lacking.
The DoD isn’t the only agency struggling with a segmented version of zero trust; the Navy and Air Force also have so many authentication systems through Active Directory that it can create opacity in getting a grasp on individual users. Even with a Common Access Card, all the logins are separate on the backend; users have different passwords for multiple systems. While IT pros know what a person is allowed to access, they don’t know what is actually being accessed.
Similarly, many agencies are relying on hundreds of thousands of firewall rules to grant or deny access from one enclave to another. A far better approach is to rely on behavioral analytics, which uses a risk score to make access decisions. Having a centralized list of identities is the first step to successfully implementing behavioral analytics.
New insights, not just new technology
With a centralized list of identities, agencies can understand who is accessing data — the beginning of any zero-trust journey. Then, they can move onto figuring out what data those users are touching.
The operations piece is in the middle — the question of how they are getting access. All of this information can be fed into a behavioral analytics tool for ongoing authentication beyond a single segment. In turn, access is managed far more granularly: by user, device and the data they’re requesting to access.
Getting to this level of granular, continuous security is not about buying one single solution. Far too many agencies start with a piece of technology — whether DLP or CASB — when they should start with bigger picture questions, such as: What do users need to stay connected and do their jobs? Then, business strategy should inform a governance plan to understand where the required data is, where users are going to access it, and how the agency can stay compliant as they do.
Deploying a new piece of technology doesn’t necessarily make an agency more secure; what matters is what insights an agency gains from the new tech. There’s sometimes a belief with regard to security of “the more the better.” But just because an agency has more threat intelligence coming in, that doesn’t mean it has learned anything from that information.
In fact, threat intelligence may actually have the agency too focused on what’s happening outside, while neglecting threats that exist inside its environment. Ultimately, everything relates back to users and data. Behavioral analytics, which is really internal threat intelligence, is what ties the two together.
The bottom line
When agencies look at how they lose data or get attacked, the reality is that it often happens because of something a user did accidentally. In the new age of remote work, agencies need a zero-trust approach, which includes monitoring users and how they interact with information.
If a sensitive file was shared externally, for instance, that file could be automatically encrypted to prevent unauthorized viewing. Similarly, if someone was downloading more data than could fit on the person’s laptop, that could be scored as high risk and automatically get blocked. It’s far better to block such internal threats in real time versus waiting six months for a massive data spill.
Once again, though, zero trust is a journey, not a switch to be flipped. Short term, agencies should focus on consolidating identity solutions in order to enable behavioral analytics. This will ensure that zero trust actually allows new insights and better security long term — not just the deployment of new technology. Only by thinking about the big picture will agencies like DoD be able to ensure their new architecture is both operational and effective.
Petko Stoyanov is chief technology officer for global governments at Forcepoint.