The push isn’t just coming from within. A 2021 White House executive order put zero trust front and center for federal agencies, and many states have followed suit. Now Rhode Island is building a Zero Trust Center of Excellence (CoE) to turn strategy into action. But for Nathan Loura, the state’s chief information security officer, this center isn’t just about technology — it’s about aligning people, processes and purpose.
He’s built a zero-trust coalition of sorts that operates within the state’s broader “community of practice” model, which includes business leaders, agency technologists and strategic partners — not just IT professionals. These groups collaborate through multiple centers of excellence across key areas such as AI, cloud and low-code/no-code development. Zero trust is the latest pillar in that architecture.
For Loura, launching a Zero Trust Center of Excellence was a necessary response to the rapid digital acceleration state agencies experienced in the wake of the pandemic.
“Post-COVID era, most public sectors just kind of shot into the future with the services they provided, and Rhode Island is trying to kind of lead the way throughout,” he said.
With the explosion of digital services, the state was managing decentralized platforms, cloud-native tools and expanded online access for residents. That digital evolution was a double-edged sword — great for innovation but risky from a cybersecurity perspective. Rhode Island needed a framework that could handle obscure boundaries and evolving threats.
“Having inherent trust is no longer the right risk decision,” Loura explained. “The way that cloud operates, and the boundaries are blurred nowadays, we had to focus on making sure that we’re not trusting the wrong technologies or trusting the wrong boundaries.”
And while the name might conjure images of sleek control rooms or high-security data bunkers, Rhode Island’s Zero Trust CoE is more conceptual than physical.
“It’s a hybrid of things,” Loura described. “We won’t have a specific Center of Excellence office or building. What we established was a team.”
Cross-agency collaboration has helped shape the CoE’s overall goals, and rather than setting a fixed launch timeline, the initiative is already underway, designed to adapt and grow alongside the state’s evolving needs.
As Loura put it, the long-term vision is to reach a point where “zero trust is just how we operate.”
For now, the CoE is focused on foundational work: defining identity standards, rationalizing security groups and building consistent naming conventions. The team is working toward implementing role-based access controls and single sign-on (SSO) across Rhode Island’s thousands of applications.
“Ultimate goal in a couple of years is when we have an application, you’re single signing on if you’re a state entity,” Loura said.
The team’s first key performance metric is achieving SSO for at least 80 percent of state-managed applications. That target includes both compatible and legacy apps. Longer term, the state aims to centralize identity management through an identity provider and automate related tasks to eliminate manual overhead.
“If we don’t get the core practices right, the core culture right, the way we manage identities, when we start to light up or invest in these technologies, all we’ve done is accelerate our problems,” Loura said. “If we do this right, in five years, we’re not worried about zero trust because zero trust will just be how we operate.”
His long-view mindset is helping shape the center’s approach to progress, balancing urgency with realism. One of the biggest early lessons from the zero-trust program is letting go of the expectation that everything will go exactly right from the start. The best approach is to “start small,” he said.
For example, when tasked with rationalizing thousands of security groups and users, Loura’s team began by focusing on a manageable subset. By establishing clear policies and standards, they could identify which groups met the criteria and then work through the rest together.
“There’s going to be a lot of reasons why we can’t do this,” Loura said. “And you hear those individuals out because there’s always some source of truth in those. But at the end of the day, just try to understand what the closest to perfection is, and realize you’re going for good and great, not perfect.”
Rhode Island is now tackling “small, impactful wins,” like security group rationalization and email naming standards. Loura emphasized the importance of clear, common language — especially when discussing risk with business stakeholders who may not speak cybersecurity fluently. One of his key takeaways is that culture beats tooling.
“If you bring in an automation tool and you have some problems in your practices and your foundational ways of operating on identity, you’re just going to automate bigger problems,” he said. “Get that stuff right, and when you bring in that automated tool, you’ve now automated success.”
The CISO believes that building a strong foundation now is so critical because it allows Rhode Island’s CoE to not only scale zero trust securely but also remain agile for whatever comes next.
“I think this CoE will evolve into the next evolution of what security’s focus is,” Loura explained. “Right now it’s zero trust. Once we have that zero trust, it will probably be the data plane layer or maybe even move into more secure data governance.”
In the meantime, he remains energized by the support he’s received — from his governor to agency directors and his boss Chief Digital Officer and CIO Brian Tardiff, a former CISO himself. Backed by that level of support,
Rhode Island’s Zero Trust Center of Excellence is taking shape — not as a physical space, but as a shift in mindset that guides the state’s approach to cybersecurity, from policy to infrastructure.
This story originally appeared in the Summer 2025 issue of Government Technology. Click here to view the full digital edition online.
