It’s time for the public sector to embrace zero trust

By: Randy Johnson

Earlier this year, a series of cyberattacks on US federal agencies exposed the vulnerabilities of traditional security approaches.¹ The incidents showed that conventional perimeter-based models can’t effectively combat modern cyber threats.

In response to the evolving threat landscape, the Biden administration has taken significant steps toward implementing a zero-trust security strategy for US government agencies. Executive Order 14028 mandates the federal government’s adoption of a zero-trust architecture.² By 2024, US governmental agencies must modernize their data platforms and leverage AI and machine-learning technologies to enhance their cybersecurity capabilities.

Several programs have been funded to catalyze these technology upgrades, such as The Infrastructure Investment and Jobs Act. The act allocates USD $1 billion to The Cybersecurity and Infrastructure Security Agency (CISA) to support zero-trust adoption. Additionally, the Department of Homeland Security is offering USD $100 million in grants to aid small businesses in fortifying their security postures using zero trust.

It’s a watershed moment for the public and private sectors alike to invest in the technologies needed to digitize services, bolster cybersecurity and resiliency, and modernize the US infrastructure.

Whether your team will tap into the funding opportunities or simply look to amplify a zero-trust strategy overall, I offer the following steps to start:

• Take stock
• Shrink your trust zone
• Capitalize on existing capabilities
• Automate and unify

Take stock of the challenges ahead

Digital transformation efforts within the public sector often meet challenges that slow their momentum, increasing both cost and risk.

Some agencies still use legacy computing technologies that are decades old and incompatible with zero trust. Meanwhile, a few are even reducing their use of cloud computing and services.3

Though accelerating federal use of cloud computing would better serve the national infrastructure—and is critical to zero-trust implementation—working towards this goal can result in stalemates. In particular, many teams struggle with a shortage of skilled professionals who can shepherd this transition.

These are, in many ways, the challenges of any zero-trust journey. Zero trust isn’t just about redefining security measures; it demands a profound organizational and cultural shift. And for a successful implementation, these shifts must be addressed head on.

Shrink your trust zone

When any agency, regardless of its size, embarks on a zero-trust journey, it begins with a change in overall approach—that so-called cultural shift. In the public sector in particular, this transition chiefly involves moving away from traditional security models.

In legacy security architecture, enforcement is usually pushed to the perimeter, often resulting in vast ‘trust zones’ with multiple critical assets clustered together. Such arrangements leave assets vulnerable to lateral movements if—or rather, when—a threat actor is able to breach the outer defenses.

For teams in the public sector, this architecture is especially problematic due to the confidential, sometimes highly classified nature of its data. The industry, in fact, has a troubling track record of intruders accessing one part of an organization, only to then tap into information well above their clearance level. Such was the case in 2019, when a contractor was able to gain access to and abscond with no less than 50 terabytes of government files from the NSA.⁴

Working towards an approach that will better protect agency assets—whether classified or not—therefore starts by looking at how to enforce decisions as close as possible to the asset you are trying to protect. This approach will help your organization shrink the trust zone, ensuring that sensitive data remains accessible only to authorized individuals.

Capitalize on existing capabilities

Agencies shifting to a zero-trust approach will need to leverage as many security capabilities as possible within their existing architecture. This system-wide coordination effort is a key step toward better identifying unusual behaviors (day-zero attacks) that otherwise would have been impossible to detect. It also can help teams make smarter decisions based on a more complete picture of their security systems and, critically, reduce upfront costs.

As I mentioned earlier, zero trust demands a profound organizational and cultural shift. Through an implementation strategy that capitalizes on existing capabilities, however, you can effectively enhance security and minimize the potential for security breaches without starting from scratch. This strategy helps ensure that previous investments, expertise, and operational practices are not discarded, but rather are integrated into your new security paradigm.

What’s more, this approach can also deliver a more natural, efficient transition that prioritizes cost efficiency, a secured knowledge and skills base, and the preservation of a positive organizational culture throughout the change process.

Automate and unify your new architecture

To continue supporting your operation, your zero-trust architecture needs to operate in the most efficient and agile way possible. To achieve this, automation, orchestration, and unification are key.

In the last few years, the public sector has made some progress with security automation. However, this automation is very limited and primarily focused on reactive response. For example, say an organization’s security operations center has decided to onboard security, orchestration, automation, and response (SOAR) technology. In the event of an alert, SOAR can automatically direct the team to the right triage or resolver group using defined playbooks.

Capabilities like this one mark a positive step in the right direction, but the scope of use is still very limited. Seen another way, this limitation means the opportunity for growth here—especially when it comes to preventing incidents before they happen—is huge.

As organizations and agencies advance on their zero-trust journeys, their strategies should evolve towards continuous monitoring and employing AI and machine learning for enhanced security.

For some teams, this step is where additional approaches such as cybersecurity mesh architecture (CSMA) or cyber fusion might come in.

Both strategies, which are taking hold across the public and private sectors, are complementary to zero trust and serve a similar purpose. CSMA engages a distributed ecosystem of tools and functions to create a scalable strategy that can be deployed across complex and sprawling IT environments. Cyber fusion, meanwhile, involves a holistic unification of solutions and systems to break down siloes and establish an integrated ecosystem.

Where teams go from here

Zero trust is not just a security buzzword; it is a crucial approach for agencies and organizations across both the public and private sectors in the face of evolving cyber threats. By embracing zero trust today, agencies can enhance their cybersecurity posture, protect sensitive data, and be prepared for future mandates and cyberattacks.

Randy Johnson is Managing Partner of Raytheon Technologies at Kyndryl Federal.

¹ US government hit in global cyberattack, CNN, June 2023
² Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, The White House, January 2022
³ Information Technology: Agencies Need to Continue Addressing Critical Legacy Systems, Goa, May 2023
⁴ Harold Martin, Ex-NSA Contractor, Sentenced to 9 Years For Stolen Documents, NPR, July 2019