With so many government employees working from home, and no indication that this will end anytime soon, the federal government needs to upgrade the way it handles networking to tighten security for this new environment. Most experts agree that the best path forward would be zero-trust networking, although the concept is defined differently depending on who you happen to ask. Entire books could be written about the intricacies of zero trust, but by way of an explainer here, I will attempt to clearly define it for anyone considering upgrading security for their agency.
The federal government was already taking steps towards zero-trust networking late last year in an effort to improve overall security. The NIST National Cybersecurity Center of Excellence (NCCoE) and the Federal CIO Council hosted a two-day Technical Exchange Meeting on defining zero-trust architectures last November. And then in February, NIST updated its Special Publication 800-207, which helps to make the case for zero trust in government. So the government was already thinking about zero trust. It’s just much more necessary now with the pandemic forcing so many people to work from home.
The special publication gives a nice overview description on zero trust. “Zero trust is the term for an evolving set of cybersecurity paradigms that move network defenses from static, network-based perimeters to focus on users, assets and resources,” it says. “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet).”
The document brings up a good point that under current networking policies, users coming in from a trusted network such as another government agency, or from a location where they have already verified their credentials, are normally given full access to data and agency resources without further review. But zero trust instead considers the fact that because everything is connected, that it’s possible that a so-called valid user might actually be an attacker. At the very least, every user is monitored based on their activity.
Read more at: Nextgov