How government agencies can build Zero Trust security models

It’s been over a year since President Biden issued the Executive Order on Improving the Nation’s Cybersecurity. While federal and civilian agencies have made strides to adopt security best practices and advance toward Zero Trust Architecture (ZTA), questions still remain regarding how to best meet these modernization goals.

Tony Holmes, Practice Lead for Public Sector Solutions Architects at Pluralsight, recently sat down with Senior Security Author, Brandon DeVault, for our webinar, Demystifying Zero Trust for government agencies. Brandon’s unique experience as a member of the Florida Air National Guard and a threat hunter on a mission defense team (MDT) gives him deep insight into what Zero Trust looks like in the government sphere. We break down some of Brandon’s top tips below. Check out the full webinar for all his recommendations.

Zero Trust isn’t as much a checklist as it is a methodology. “It’s really just good security things that maybe we already should have been doing,” Brandon shares. Authentication is one such example he pointed out during the webinar. In a traditional environment, you log in with your username and password, and you may have multi-factor authentication (MFA). With Zero Trust, the very first step would be MFA across the board.

“We’re continuously investigating users and their activity. We have a background authentication method that constantly makes sure it’s the legitimate user who's performing various activities from day to day.”

Ultimately, it all goes back to how networks have changed. Traditional networks have all your software and equipment behind a firewall on on-premises equipment. This setup made it easier to defend the boundaries. However, it also presents two challenges in today’s environment:

1. Once an attacker gets past the boundary, organizations tend to lose sight of things because they’re focused on the boundary itself.
2. Networks are becoming more and more complex. You're putting things in the cloud. You’re virtualizing things, placing things inside containers. They're very distributed, and there’s no longer one central boundary you can defend. 

How does Zero Trust examine these issues? According to Brandon, “This approach says we're going to assume an attacker has gained access to the environment in some way. So, how do we prevent, in every instance, an attacker being able to access further systems and move laterally within that network?”

We’ve found in speaking with many of our partners in the Federal government that people are worried about timelines for implementing Zero Trust. Brandon emphasizes that the overall goal of Zero Trust is to have a better security posture. Instead of rushing to tick off boxes, he recommends a more methodical, thoughtful approach. Taking the time to set up a solid plan to meet Zero Trust will achieve greater results in the long run. 

Federal employees are also questioning whether they’ll need to purchase additional software to practice Zero Trust. It’s not uncommon to see content from vendors promising to solve every Zero Trust-related challenge. Brandon explains that the answer to this question comes down to what your network looks like, its complexity, and whether you have the necessary tools. 

Consider, for example, authentication. While the Department of Defense does an excellent job with multi-factor authentication, there are servers, virtualization systems, and disparate mission systems that don’t allow for it. 

Instead of trying to find a multi-factor approach to fit these systems, you might say, “Oh, it doesn’t qualify for multi-factor, so let’s just use a username and password.” The problem here is that the system can end up being compromised, and the attacker is able to pivot from there.

When it comes to Zero Trust, if you have a system that’s able to connect those authentication systems, or you have a hardware token for multi-factor on another system, you won’t need anything new. Instead, you’re enabling the configurations to make that happen. The other option is to identify areas where you may need a vendor’s support. The benefit? You can come to potential vendors with your requirements on the front end.

Even if you’ve read through the executive orders and OMB memorandums multiple times, you may still be wondering where to start. Brandon shared a few best practices every government agency can follow to improve its security posture going forward.

While the first step of the OMB memorandum states to identify a single point of contact for the Zero Trust implementation, Brandon cautions against resting the responsibility of implementation on one person. Instead, he says, “It’s going to have to be a team of people getting together in collaborative meetings to make sure everyone is on board.” The central point of contact can prioritize steps and foster communication across multiple teams, such as security, development, and DevOps. 

Collaboration also extends to other organizations—it’s important to connect with other agencies to find solutions to similar problems. Brandon has seen a key difference between teams that work in silos and teams that collaborate with others to share ideas and information. He also recommends reaching out to commercial resources to see what solutions they’re using. “I guarantee that there are going to be people in the commercial space who are encountering similar problems and trying to implement solutions in creative ways that might help you,” shares Brandon.

Zero Trust doesn’t mean locking users out of platforms and environments they need to do their jobs (and do them well). Brandon notes that access to systems from the cloud is critical where appropriate. “We need a way to stay effective, and if that means having people log in from home to accomplish the mission, then that needs to be part of our decision,” he explains. “As we expose more of those applications and more of that access, we make sure we're doing it in a secure way.”

You should be able to identify all your users. With one centralized system for logins, you can authenticate them across the network for individual applications in the appropriate files and systems. Next, make sure you can identify all devices that exist on your network so you can pinpoint any rogue ones. Finally, you should know all major software components that exist inside your environment and their dependencies. There are some automation tools that can help you do so.

The bottom line: You need to know what software exists, its dependencies, and related metadata so you can respond quickly when an attacker attempts entry or some other vulnerability hits your systems.

Speaker bios

Brandon DeVault is a Sr. Security Author focusing on general blue team operations, incident response, and threat hunting at Pluralsight. He is also a member of the Florida Air National Guard and works as a threat hunter on a mission defense team (MDT) defending North America’s air tracks. 

Tony Holmes is the Practice Lead for Public Sector Solutions Architects at Pluralsight and partners with government agencies to ensure their cybersecurity workforce has the skills they need to ensure mission success.