Zero Trust: How New Jersey Courts Rethought Cybersecurity

Adopting a zero-trust approach has helped the courts secure remote and hybrid operations and limit how much damage a potential hacker could wreak, says New Jersey Judiciary CIO Jack McCarthy.

Zero-trust architecture has been playing a key role in keeping New Jersey court systems secure as the judicial branch turned to virtual court sessions and remote workforces during the pandemic’s early days. That cybersecurity approach is here to stay, too, said New Jersey Judiciary CIO Jack McCarthy.

He told Government Technology that zero trust allows the courts to safeguard remote and hybrid operations and limits the damage a malicious actor could wreak, should they break through New Jersey Judiciary’s (NJJ) various layers of cyber defense.

“[Zero trust has an] ability to kind of limit things jumping laterally — if one device got hit, it doesn’t mean everything should get hit,” McCarthy said.

Defending Remote and Hybrid Work

The pandemic’s onset forced NJJ to send its 10,000 workers home, but it didn’t have portable devices available to support more than a fifth of them. It needed to ensure trials and other judiciary business could continue safely, even against new risks like staff conducting business on personal devices shared with other family members or state desktops being moved off-site, into employees’ homes.

In the ensuing years, staff have shifted back and forth between on- and off-site work, as COVID-19 risks ebb and resurge. McCarthy said courts have also switched to remote options during weather events like snowstorms and flooding. Currently, some jury trials are in person while some other hearings are still remote, per the New Jersey Courts website.

Such demand for both on-premises and remote operations emphasized that NJJ needed a security approach that could be applied consistently, regardless of where staff are at any particular point in time.

“Our understanding that it was going to be an unpredictable environment to us [led us to say,] ‘Let’s not look at what we’re doing remote or on-prem, let’s just do everything in the same building, in the same manner, in the same way we were doing it,’” McCarthy said.

From Candy to Spiderwebs

The court system began transitioning to zero trust even before the pandemic. NJJ read a warning in the cyber attacks that impacted courts in Texas; Atlanta, Ga.; and Philadelphia, Pa., McCarthy said, and sought to deepen its security.

The transition required learning new technology — and a whole new way of thinking.

Traditionally, NJJ had focused on creating a tough-to-crack perimeter defense around its operations — but anyone who did manage to slip through would face little resistance getting to vulnerable systems. McCarthy compared the setup to a piece of candy with a soft center, exposed to anyone who breached the hard outer shell.

A zero-trust approach, in contrast, meant viewing the enterprise as a “spiderweb” connecting all the organization’s different devices and systems, and then monitoring and limiting activity along each of those connections.

Zero trust is intended to limit the potential damage that could happen if NJJ’s other cyber defenses fail. By scrutinizing and defending the connections between parts of the system, zero trust aims to ensure that a hacker who manages to compromise a machine cannot then move through connections to other parts of the network and shut down sensitive areas like the data center, McCarthy said.

Controlling Access

Taking a zero-trust approach means assuming attackers could be in the system already or even masquerading as staff members. Accounts and devices requesting access to systems and data must be verified every time, no matter who they belong to.

“You always assume that your administrators are your trusted core of individuals who would never do anything bad — but it’s not them, it’s their credentials doing the bad stuff,” McCarthy said.

Now, whenever someone attempts to access a system, IT confirms that doing so is genuinely relevant to the user’s current tasks.

Before granting access, the security setup also checks that the requests meet other parameters. For example, privileged access management (PAM) tools might be used to permit certain activities only with certain approvals or during normal business hours.

“The zero-trust idea says, we’re not going to give them access to anything unless we specifically want them to have access to it right now,” McCarthy said.

He said artificial intelligence (AI) tools will likely become important to managing all these privilege considerations. AI might be set to send alerts about suspicious access requests, too — such as an employee who normally clocks out at 4 p.m. suddenly trying to use a system in the middle of the night.

To get a high-level view of potential threats, NJJ’s IT team logs whenever access is granted and monitors the activity users undertake on the systems. Later, the team uses AI tools to pore over all this data for any indicators of malicious activities.
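
The off-hours alert described above can be sketched as follows. This is an added example, not NJJ's tooling or code from the article: a simple per-user hour-of-day baseline stands in for the AI tools, and the log format, usernames and system names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
# Constructed access-log lines (timestamp, user, system); not real NJJ data.
HISTORY = """\
2023-03-06T08:55:00 asmith case-mgmt
2023-03-06T15:40:00 asmith case-mgmt
2023-03-07T09:10:00 asmith e-filing
2023-03-07T15:58:00 asmith case-mgmt
2023-03-06T21:05:00 bjones backup-console
2023-03-07T23:30:00 bjones backup-console
2023-03-08T22:15:00 bjones backup-console
"""
NEW_EVENTS = """\
2023-03-09T14:20:00 asmith case-mgmt
2023-03-10T02:13:00 asmith datacenter-admin
2023-03-09T22:40:00 bjones backup-console
2023-03-10T03:00:00 cnew e-filing
"""

def parse(log):
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, system = line.split()
        yield datetime.fromisoformat(ts), user, system

def build_baseline(log, min_events=3):
    """Map each user with enough history to the hours of day they were seen."""
    hours = defaultdict(list)
    for ts, user, _ in parse(log):
        hours[user].append(ts.hour)
    return {u: set(h) for u, h in hours.items() if len(h) >= min_events}

def hour_distance(a, b):
    """Distance between hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)

def flag_unusual(log, baseline, tolerance=1):
    alerts = []
    for ts, user, system in parse(log):
        usual = baseline.get(user)
        if usual is None:  # unknown or new account: surface it, do not trust it
            alerts.append((user, system, ts.isoformat(), "no-baseline"))
        elif min(hour_distance(ts.hour, h) for h in usual) > tolerance:
            alerts.append((user, system, ts.isoformat(), "off-hours"))
    return alerts

ALERTS = flag_unusual(NEW_EVENTS, build_baseline(HISTORY))
```

The night-shift account is not flagged for its 10 p.m. access because the baseline is per user, while the daytime account's 2 a.m. request and the account with no history both surface for review.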

Account Management, Device Security

Clamping down on access has also required IT to manually review all employee accounts to delete outdated ones and remove access privileges for employees who don’t need them. In some cases, users may have retained access to systems for years after leaving their roles, including after being promoted, moving to other divisions or leaving the agency entirely, McCarthy said.

Security measures also need to look at devices, to keep any that would introduce risks to the rest of the organization from joining the network. That work involves checking whether devices seeking to connect have their security up to snuff — such as the correct antivirus and the latest, patched versions of software. Devices failing these checks are denied access until IT can fix the issues.

McCarthy says NJJ looks to research firms like Gartner to learn about technology trends agencies should pay attention to within the next few years, then begins examining vendors as those timelines near. (In this case, NJJ chose a firm called Zscaler to support its zero-trust move.)

Adopting any new technology can be complicated, but it simply takes time to learn the ins and outs, forge relationships and complete transitions, McCarthy said. For any agency considering this journey, McCarthy has one piece of advice: “just start.”

“Eventually you’ll figure it out,” he said.
Jule Pattison-Gordon is a staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.