Government bodies are also subject to various IT compliance requirements such as PCI-DSS, HIPAA and CJIS that safeguard personal information. Further, many states are passing their own GDPR-style laws such as California Consumer Privacy Act (CCPA) to hold the entity storing consumer data accountable for safeguarding it.
The traditional approach to IT security has failed to stop modern threats. And regulations are calling for stronger data security and access controls. So, what should governments do? A trust-based security model offers a fresh take on IT security and addresses the use cases of hybrid IT environments, proving zero-trust is more than just a buzzword.
Zero-trust is not one solution or a platform that one can simply buy and deploy. It is also not a rip-and-replace strategy where existing investments in security are sunk costs. It is a security framework that enables IT to gain visibility and control of their environment with trust-based policies before granting access to network, application or data.
The road to zero-trust security can start with your existing security solutions by aligning the policies to the principles of the framework. This helps IT understand the gaps that need to be filled by adding the required capabilities or solutions.
3 Steps to a Zero-Trust Security Model
Governments with hybrid IT environments should consider building the following three key security capabilities to achieve zero-trust:- Gain complete visibility: Knowing who is accessing your network, when and from where and with what device is key to mitigating security risks. The next step is to understand the security posture of these devices such as OS patch level, host firewall status, anti-virus status, encryption status, screen-lock status, biometric protection status, etc. This information will help build an inventory of your endpoint devices and allow administrators to monitor and act on risky devices such as jailbroken smartphones and outdated Windows 7 machines.
- Verify the access trust of every user and device: Gone are the days of trusting digital identities with just the password. Today implementing multi-factor authentication (MFA) is a required security control to stay in compliance with most IT security standards such as NIST, PCI-DSS and HIPAA. SMS passcodes are no longer recommended by NIST due to man-in-the-middle (MITM) attacks. A modern MFA solution uses the most trustworthy methods to assert identity online with out-of-band authentication (OOBA) such as a push notification on mobile device, universal two-factor (U2F) security keys and biometric authentication using WebAuthn.
Verifying device status at the time of authentication helps organizations stay compliant by ensuring only secure devices are granted access by assessing the trustworthiness of the device based on contextual information presented by the browser or the OS at the time of application login. - Enforce granular access controls: All the information provided by a solution is not useful unless it is actionable. Administrators should be able to use all the contextual information stated above to enforce role-based adaptive access policies using the zero-trust principle of least privilege. Admins should also have the flexibility and granularity to enforce policies at the application, user or group level.
Further, to reduce the attack surface for cybercriminals, administrators can implement policies to restrict access from certain geographies and anonymous networks such as Tor. Device-based access control ensures compliance with your IT security policy.
