
5 Things Government Agencies Need to Know About Zero Trust




Zero trust as a concept is simple to grasp. Implementing a zero trust architecture, on the other hand, is complex because it involves addressing a unique mix of process, procedure, technology and user education. Here are some considerations to keep in mind as you begin your journey.

Draft guidance on implementing a zero trust architecture, released by the National Institute of Standards and Technology (NIST) on Dec. 4, 2024, gives government agencies and private sector organizations a solid blueprint to follow. There are a number of additional considerations to keep in mind as you begin your journey.

First and foremost, zero trust is an alternative way of thinking about information security that treats trust as a vulnerability. It removes trust entirely from digital systems and is built upon the idea that security must become ubiquitous throughout the infrastructure. The concepts of zero trust are simple:

  • All resources are accessed in a secure manner, regardless of location.
  • Access control is on a "need-to-know" basis and is strictly enforced.
  • All traffic is inspected and logged.
  • The network is designed from the inside out.
  • The network is designed to verify everything and trust nothing.

A zero trust architecture can be implemented using commercial off-the-shelf technology. It's built upon current cybersecurity best practices and dovetails with a robust exposure management program. In fact, exposure management and zero trust go hand-in-hand.

5 things to keep in mind about zero trust

Here are five considerations as you begin your zero trust journey:

  1. Zero trust is a strategy, not a SKU. In most organizations, it can be implemented using existing off-the-shelf cybersecurity products. There is no single zero trust product your organization can purchase and plug in to transform your risk posture overnight.
  2. Zero trust requires a foundation of strong exposure management. As the NIST guidelines make clear, you can't build a zero trust strategy without first having accurate visibility into all of the organization's assets, including IT, cloud, operational technology (OT) and internet of things (IoT). An exposure management program can provide you with that level of visibility as well as the ability to act on findings in real time.
  3. User profiles matter more than ever. A zero trust strategy requires you to continuously monitor all users all the time. Identity and access management capabilities such as Entra ID and Active Directory, which are used to manage user profiles and privileges, must be continuously monitored and kept up to date.
  4. No one is trusted — no exceptions. This may not please senior leaders, who can sometimes behave as if the rules don't apply to them. Brushing up on your diplomatic skills is advised. Ultimately, though, a zero trust architecture can be implemented without creating significant friction for end users.
  5. Zero trust requires thoughtful communication. There are people throughout the organization who have built their careers on the legacy cybersecurity principles of moat-and-castle and trust-but-verify. They may be threatened or feel that their jobs are in jeopardy if they aren't engaged in the zero trust buildout from day one.

Zero trust as a concept is simple to grasp. What makes zero trust complex to implement are the same factors that make any cybersecurity strategy complex: the unique mix of processes, procedures and technology found in your IT infrastructure, as well as the need for significant user education. It's best to start small and roll out from there, rather than trying to boil the ocean.

For cybersecurity leaders in government agencies, preparing for a zero trust architecture is less an exercise in evaluating technologies and more an exercise in strategic thinking, requiring you to answer fundamental questions such as:

  • What is your agency’s core mission or value proposition?
  • What are the workflows required to fulfill that mission?
  • Who owns those workflows?
  • How does data flow in the organization?
  • Which are your high-value assets, the so-called "keys to the kingdom"?
  • How does the organization determine who is granted access to these high-value assets?
  • How often does the organization audit user permissions once they are set?
  • What building blocks do you already have in place to support a zero trust strategy?

Answering these questions requires full visibility and continuous monitoring of your entire attack surface, including IT, IoT and OT assets, and the ability to assess how critical each asset is to delivering on your organization's core mission. No zero trust journey can begin without first addressing these fundamentals of exposure management.

How zero trust and exposure management go hand-in-hand

Exposure management transcends the limitations of siloed security programs. Built on the foundations of risk-based vulnerability management, exposure management takes a broader view across your modern attack surface, applying both technical and business context to more precisely identify and more accurately communicate cyber risk, enabling better business outcomes.

An exposure management program combines technologies such as vulnerability management, web application security, cloud security, identity security, attack path analysis and patch management to help an organization understand the full breadth and depth of its exposures and take the actions needed to reduce them through remediation and incident response workflows. Exposure management gives security teams a full, dynamic and accurate picture of the attack surface at any point in time, aiding in the implementation of zero trust policies and architecture.
