
CM – Zero trust architecture depends on granular, role-based access management

As federal agencies move to a zero trust architecture, they must make changes to their identity and access management systems and leverage just-in-time escalation.


Evan Doty is Senior Field Solution Architect at CDW with a focus on Hybrid Cloud and Microsoft Azure. His areas of expertise include the design and implementation of LAN and WAN networks, Windows system administration, project management, call center management and deployment, and IT provider management.

Federal agencies are under a mandate from President Joe Biden’s May 12 executive order to move to zero trust for cybersecurity. But many IT executives may still be figuring out what exactly that means for their organizations.

The White House is helping agencies do this, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recently released a zero trust maturity model designed to help agencies measure their progress across five pillars: identity, device, network, application workload, and data.

That first pillar, identity, is essential. In a zero trust world, even though an agency has issued a device to a user, neither the device nor the user is trusted until they are authenticated through multi-factor authentication (MFA), such as a Common Access Card and PIN, or through Microsoft 365 MFA. The key is that every time something requests access to something else, the requester – a person, device, or application – must validly identify itself.

For zero trust security to work, government IT executives must refine their identity and access management (IAM) tools to become more granular and role-based. They also need to implement just-in-time escalation so that trusted users can access only the data they need, only for a limited time, and only when they need it.

An important point IT leaders need to understand when transitioning to zero trust is that it is not a technology you can buy in a box. It is more of a philosophy, and it requires rethinking how existing technologies such as IAM tools are deployed.

For example, when an application tries to access data in a database, that app needs to be verified using certificates and a public key infrastructure to determine that it is an approved app accessing an approved database. Agencies need to create systems to verify this identity so that verification can occur at every step of the process. Once it is determined that the system knows who or what is seeking access, it can move on to the next step. If this check cannot be carried out, the process is stopped and a validation is requested.

This requires three steps. First, government agencies need to be able to verify the identity of a user, device, or application with strong verification. Anything touching the network or infrastructure falls into this category.

The second step is to ensure that the access is compliant and typical of that identity. That means determining if users are trying to access tools and data that they normally have access to. For example, if someone who is normally not involved in the organization’s finances tries to access financial information, it would be a red flag and require further verification.

The third step involves following least privileged access principles. In essence, this means determining the minimum level of access a user will need to do their work. Agencies need to establish a business policy that follows this principle, and then they can embark on the zero-trust path.

This starts with the assumption that users do not need to access anything. They are then given access to certain tools and applications depending on their role. Agencies should create defined roles and the associated permissions and access levels. If someone is given a role and certain permissions, a certification and attestation process must definitely be applied.

For example, a user could be granted access to certain applications and databases based on a project he or she is working on. However, once or twice a year, the agency should determine whether that user still needs access to those apps and data.

Agencies can also deploy behavioral anomaly monitoring tools to aid in these efforts, and some certifications and attestations can be automated, including removing access when users no longer need it.
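The three-step decision described above (verify the identity, check that the access is typical for it, then apply least privilege through assigned roles) and the periodic certification that removes stale grants can be written down as one small policy engine. The following is an added illustration, not code from the article or from any vendor product it names; the roles, resources, identities and certification dates are constructed sample data, and the 180-day recertification window is an assumed policy value.

```python
"""Deny-by-default, role-based access decision with automated access certification.

Added illustration, not code from the article or from any vendor product named in it.
All identities, roles, resources, baselines and dates below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Role definitions: the minimum permissions each role needs (least privilege).
# Anything not listed here is denied by default.  (Constructed sample roles.)
ROLE_PERMISSIONS = {
    "analyst": {("reports_db", "read")},
    "finance": {("ledger_db", "read"), ("ledger_db", "write")},
    "hr_manager": {("personnel_files", "read")},
}


@dataclass
class Identity:
    name: str
    roles: set
    mfa_verified: bool
    # Resources this identity normally touches; used for the "typical access" check.
    baseline: set
    # When each role grant was last re-certified by a reviewer (role -> date).
    last_certified: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(ident: Identity, resource: str, action: str) -> Decision:
    """Evaluate one access request with the article's three steps, in order."""
    # Step 1: strong verification of the identity itself.
    if not ident.mfa_verified:
        return Decision(False, "identity not verified with MFA")
    # Step 2: is this access typical for the identity?  An atypical request is
    # stopped here so that further verification can be requested.
    if resource not in ident.baseline:
        return Decision(False, "atypical access: step-up verification required")
    # Step 3: least privilege.  Nothing is allowed unless an assigned role grants it.
    for role in sorted(ident.roles):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return Decision(True, f"granted via role {role!r}")
    return Decision(False, "no role grants this permission")


def certify_access(ident: Identity, today: date, max_age_days: int = 180) -> set:
    """Automated certification: remove any role whose grant was never attested or
    was last attested more than max_age_days ago.  Returns the roles removed."""
    removed = set()
    for role in list(ident.roles):
        certified = ident.last_certified.get(role)
        if certified is None or today - certified > timedelta(days=max_age_days):
            ident.roles.discard(role)
            removed.add(role)
    return removed


if __name__ == "__main__":
    # Constructed sample identity: an analyst whose grant was attested on 2021-06-01.
    alice = Identity("alice", {"analyst"}, True, {"reports_db"}, {"analyst": date(2021, 6, 1)})
    print(authorize(alice, "reports_db", "read"))   # allowed via role
    print(authorize(alice, "ledger_db", "read"))    # atypical for alice -> step-up
    print(certify_access(alice, date(2022, 1, 1)))  # 214 days old -> {'analyst'} removed
    print(authorize(alice, "reports_db", "read"))   # now denied: no role grants it
```

The order of the checks matters: the anomaly check runs before the role lookup, so a compromised but correctly-entitled account still trips step-up verification when it reaches for data outside its normal pattern, and certification removes the role itself rather than patching individual permissions, so a lapsed attestation falls back to the deny-by-default position.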

A related concept is known as just-in-time access, which is less about which privileges users need to do their jobs and more about when they request elevated privileges.

In the past, someone who became an IT administrator for an agency was continuously given a higher level of access. This is no longer the case with Zero Trust. With just-in-time access, administrators do not have permanent and unrestricted access to extended or elevated permissions, apps or databases.

Instead, the user requests access and, after verification, receives it for a specified period of time, possibly only a few hours, so that a specific task can be carried out.

This concept applies not only to IT administrators, but to everyone who is looking for a higher level of authorization. For example, a manager only has access to personnel files when he conducts internal employee appraisals. If this manager is compromised by a malicious actor, the access granted to him will only last for a short time.

Agencies can also set up conditional access and role-based access policies. For example, users might only be able to view a file if they are physically in the office or if they are connected to a VPN after completing a multi-step authentication process. Or users could be blocked when trying to log in from a certain location.
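The just-in-time elevation described above (a manager who holds personnel-file access only for the duration of an appraisal, and only for a bounded window) combined with the conditional access rules in this paragraph (office network, or VPN after completed MFA, with sign-ins from certain locations blocked) can be modelled as a small elevation broker. This is an added example, not code from the article or from any of the products it names; the network ranges, the placeholder country code and the four-hour maximum grant are constructed assumptions.

```python
"""Just-in-time privilege elevation with time-bound grants plus conditional access checks.

Added illustration, not the article's code or any vendor's product.  Network ranges,
the blocked-location code, the maximum grant length and all requests are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

OFFICE_NETWORKS = [ip_network("10.10.0.0/16")]   # constructed: on-premises ranges
VPN_NETWORKS = [ip_network("10.200.0.0/16")]     # constructed: VPN address pool
BLOCKED_LOCATIONS = {"ZZ"}                       # constructed placeholder country code
MAX_GRANT = timedelta(hours=4)                   # assumed policy ceiling per elevation


@dataclass
class ElevationRequest:
    user: str
    privilege: str
    source_ip: str
    location: str          # country code reported by the sign-in
    mfa_completed: bool
    justification: str


@dataclass
class Grant:
    user: str
    privilege: str
    expires_at: datetime


def conditional_access_ok(req: ElevationRequest) -> Tuple[bool, str]:
    """Apply the conditional access rules from the article's example."""
    if req.location in BLOCKED_LOCATIONS:
        return False, "sign-in from blocked location"
    ip = ip_address(req.source_ip)
    if any(ip in net for net in OFFICE_NETWORKS):
        return True, "physically on the office network"
    if any(ip in net for net in VPN_NETWORKS):
        if req.mfa_completed:
            return True, "connected via VPN after multi-step authentication"
        return False, "VPN connection requires completed MFA"
    return False, "not on the office network or VPN"


class JitBroker:
    """Grants elevated privileges only on request, only after checks, only for a bounded time."""

    def __init__(self) -> None:
        self._grants: List[Grant] = []

    def request_elevation(self, req: ElevationRequest, now: datetime,
                          duration: timedelta) -> Optional[Grant]:
        ok, _why = conditional_access_ok(req)
        if not ok or not req.justification.strip():
            return None                      # no standing access: denied requests grant nothing
        duration = min(duration, MAX_GRANT)  # never exceed the policy ceiling
        grant = Grant(req.user, req.privilege, now + duration)
        self._grants.append(grant)
        return grant

    def expire(self, now: datetime) -> List[Grant]:
        """Revoke every grant whose window has closed; returns what was revoked."""
        expired = [g for g in self._grants if g.expires_at <= now]
        self._grants = [g for g in self._grants if g.expires_at > now]
        return expired

    def has_privilege(self, user: str, privilege: str, now: datetime) -> bool:
        self.expire(now)
        return any(g.user == user and g.privilege == privilege for g in self._grants)


if __name__ == "__main__":
    broker = JitBroker()
    t0 = datetime(2021, 6, 1, 9, 0)
    # Constructed: a manager elevating to personnel files from an office desk for an appraisal.
    req = ElevationRequest("manager", "personnel_files:read", "10.10.5.5", "US", True, "annual appraisal")
    grant = broker.request_elevation(req, t0, timedelta(hours=2))
    print(grant)
    print(broker.has_privilege("manager", "personnel_files:read", t0 + timedelta(hours=1)))  # True
    print(broker.has_privilege("manager", "personnel_files:read", t0 + timedelta(hours=3)))  # False
```

The broker holds no standing entitlements at all; if the manager's account is compromised, the attacker inherits only whatever window is currently open, which closes on its own without an administrator having to remember to revoke it.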

Various vendors offer just-in-time access tools as part of privileged identity management, including Quest One Identity, Thycotic’s privileged access management tools, and Microsoft Identity Manager.

Bringing all of this together is a team effort. A CISO needs the guidelines, and a CIO needs to set up the infrastructure to support the guidelines and train end users. IT directors should also involve the business and program offices.

It will likely take time to train users on this new architecture, but by introducing technical guidelines, IT executives can reduce some of that friction. Back-end systems will grant and revoke permissions, and users can go only so far without verifying themselves. With the right automation tools, role-based access management can become a seamless part of an agency’s day-to-day operations.

Zero Trust is now the goal for agencies. You can get there faster by updating your identity and access management systems.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter using the hashtag #FedIT.
