The U.S. government's zero trust mandate is driving the public sector to adopt a new cybersecurity mindset of "trusting no one." To embrace this paradigm, government agencies must consider how to move away from perimeter-based security while bringing their cybersecurity posture up to industry standards. One aspect that's often overlooked in the shift to zero trust is that this paradigm is not simply about technology — it requires a cultural change as well.
The recently released Department of Defense Zero Trust Strategy is a good example of a holistic approach built around strategic goals, such as embracing a zero trust culture, achieving enterprise-level resilience for information systems, and accelerating zero trust technology adoption to stay ahead of the changing threat environment. Using the existing guidance from NIST and CISA, the DoD added an extra layer to zero trust implementation to help it meet, if not exceed, enterprise-level standards.
By achieving its zero trust adoption goals, the DoD expects outcomes such as its users' ability to access data securely from anywhere, a reduced attack surface, and improved cyber resilience. This framework will become the gold standard government-wide, and perhaps even in the private sector.
As other agencies create their own framework for zero trust implementation, they should adapt the best practices established by the DoD to their own organization. While the DoD has more stringent cybersecurity requirements than most other government entities, its zero trust implementation approach — starting with cultural adoption — is the right step forward.
Cultural Change as the First Step to Zero Trust Adoption
The philosophy of zero trust has created a lot of buzz in recent years, even though the idea itself is not new. At its essence, zero trust is the concept of least-privilege access — designing systems so only authorized users can access them, and only allowing those authorized users the minimum access required by their jobs. The label of zero trust, however, has created a new race in the marketplace, with various vendors joining the conversation about the best ways to achieve zero trust.
The problem is that vendors view zero trust through the lens of their own self-interest, portfolios, and capabilities, which means they will have diverging opinions and interpretations of the best approach to achieve zero trust. This has resulted in confusion for organizations as to which security controls they should deploy.
What's typically left out of these conversations is the role of the users. As the DoD strategy so aptly notes, a department cannot protect and secure its data through technology alone — "it requires a change in mindset and culture, from DoD leadership down to mission operators, spanning all users."
As with any new initiative, employee buy-in is instrumental for zero trust acceptance. You must first build user awareness and educate employees on the reasons behind zero trust adoption. A cybersecurity-minded culture means employees understand the zero trust mindset, commit themselves to embracing it, and are trained by their leaders to do so.
Approaching Zero Trust Pragmatically
Most organizations, public or private, have limited budget and resources for rolling out new cybersecurity programs and technologies. As much as having the maximum control layers across the entire organization sounds great in theory, in reality, that goal is not practical. So you have to make choices about where you should double down on your defenses.
One lesson that government agencies can learn from enterprises is to build their cybersecurity strategy around risk. In the private sector, Proofpoint data shows that not all users and functions are targeted equally, and this also holds true in the public sector.
For instance, employees with certain job responsibilities are more valuable targets than others to the adversary. Where your most critical areas are — and consequently, the most targeted employees — depends on your specific mission, whether that's highly valuable research, critical infrastructure, or public health, as just a few examples.
Let's say your organization specializes in highly valuable research that interests an adversarial nation-state actor. The enemy is much more likely to attack your research department than other areas, which means research is the function where you would want to apply added controls.
You can also think about your cybersecurity defense as playing a football game. If the opposing team runs the ball up the middle of the field and you can't stop such a run, they will continue that tactic. To stop that form of attack, you have to understand what the opponent is doing to achieve its objectives, and then adjust your defenses to block the strike and thwart the attack.
The same strategy applies in cybersecurity. Understanding your threat landscape can help you prioritize your defenses, so you can maximize your defense layers in the areas of highest risk. Having this kind of roadmap allows you to start zero trust pragmatically while ensuring you are deploying controls where you need them most.
Innovation the Key to Cyber Resilience
Since the threat landscape is always evolving, maintaining a zero trust environment requires continuous innovation. As the DoD points out, "Implementing zero trust will be a continuous process in the face of evolving adversary threats and new technologies."
Threat actors are constantly looking for new weaknesses to exploit — and they follow the latest trends related to security measures. For example, now that multi-factor authentication is a standard practice, the adversary's tactics have evolved to steal tokens and bypass MFA.
To stay ahead, government agencies need to understand how the landscape is changing and continuously adapt to those changes. This requires updating not only their capabilities and architecture but also their user awareness and training.
Building a foundation for zero trust is an important step for public agencies. It's encouraging to see the DoD set the example for how to adapt to the new mindset by starting out with a strong security culture. People play a key role in protecting data and information systems. Making them an instrumental part of zero trust adoption is the best way to ensure successful adoption.
Ryan Witt is Public Sector Cybersecurity Leader at Proofpoint.