Federal zero trust strategy: are you ready?

Federal agencies deal with sensitive data and critical infrastructure while executing their public functions. They are naturally vulnerable to malicious attacks and data breaches. 

While strategic use of technology and cloud-based systems is important to delivering their mission, security monitoring is crucial. The federal zero-trust strategy calls for a holistic approach to protecting data and systems. Doing so helps mitigate safety concerns and service disruptions. 

Leaf through the blog post to learn about the federal zero trust strategy's crucial components and explore the steps you must take now.  

Federal zero trust strategy: an overview

The federal zero trust strategy offers an adaptive, safe architecture to prevent unauthorized access to critical systems and data. The core component of the zero trust strategy is that no stakeholder or system is trusted but carefully verified. 

The strategy also necessitates proactive and appropriate actions to verify each user and device and secure the data and public infrastructure. This means there should be a dynamic shift in how agencies deal with the security of data, systems, and infrastructure. 

The federal zero trust strategy recommends a continuous approach rather than the traditional approach of monitoring perimeters. 

Federal zero trust strategy: Key cybersecurity directives for agencies

1. Account verification and management: Federal agencies must promote enterprise-managed accounts after appropriate verification.
   
   
2. Device protection: Devices used by federal agencies must be monitored, and periodic security assessments must be undertaken to protect them.
   
   
3. Network security: The network traffic should be encrypted appropriately.
   
   
4. Application vulnerability testing: All applications connected to the agency's functioning must be tested internally and externally for security-related vulnerabilities.
   
   
5. Cloud data security: The agencies must have robust policies to automatically encrypt and protect data including those in the unstructured format, stored in the cloud.
   

How can you prepare your systems?

The action plan of the zero trust architecture calls for a holistic approach to protect on-premises and cloud systems. Here are some of the best practices you must adopt:

1. User identification

“The federal government intends to ensure that the infrastructure and information are being accessed by the right users with legitimate intent.” 

Identity collection 

The users must be verified to clearly define their identity and responsibilities. Doing so holds them accountable for their actions, and the agencies can gain comprehensive oversight of the system's users. For example, it's a crucial step for admins and users of public safety communication systems.

The federal zero-trust strategy requires the collection and maintenance of users' metadata. This helps agencies detect anomalies and impose custom access restrictions. 

Multi-factor authentication

The zero trust strategy calls agencies that use citizen communication and other tools, such as military chat solutions, to integrate multi-factor authentication for contractors, vendors, employees, and partners. This prevents unauthorized access.  

User authorization

Beyond user identification, the strategy also emphasizes authentication and access controls. Request for access to critical data must be validated. The strategy focuses on defining the roles and permissions and the appropriate level of access required. 

2. Device management

“Understanding the devices and systems is a key principle of the zero-trust strategy. For effective device management, it proposes inventory cataloging and endpoint detection and response (EDR). “

Inventory maintenance

The strategy proposes creating, cataloging, and maintaining a proper inventory of the devices used in an enterprise. It calls for participation in the Continuous Diagnostics and Mitigation (CDM) program to promote the dynamic discovery of devices and assets. 

Endpoint detection and response (EDR)

The federal zero trust strategy requires monitoring endpoint activities and collecting data and information about network connections, user activity, file changes, etc., to detect evasive threats. 

When threats are detected, the system should automatically isolate the endpoint and apply appropriate security patches. 

3. Networks: encryption and architecture

“The federal zero trust strategy calls for encrypting all DNS requests and HTTP traffic in the system.” 

It demands inspection, monitoring, and analysis of logged network traffic. The strategy also recommends that agencies not rely on static cryptography to encrypt traffic but use advanced, robust encryption protocols, such as TLS 1.3, that are specifically designed to handle bulk traffic. 

Even unencrypted network traffic should be analyzed using heuristics to ensure a trusted internet connection.

• When it comes to DNS, agencies must use encrypted DNS servers that are inspected and approved.  
• With HTTP, the agencies must use HTTPS for all traffic, which is the encrypted version of HTTP. 

4. Applications and workloads

“The zero-trust strategy calls for agencies to consider all applications as connected to the internet and perform rigorous testing and vulnerability assessment.” 

Security Assessment Reports

The agencies must operate dedicated security testing programs and create Security Assessment Reports (SARs). The reports must go beyond the information collected by automated tools and use specialized methods. 

Third-party collaboration

It also suggests that agencies partner with third-party firms that specialize in application security. This helps assess vulnerabilities and collects external perspectives that strengthen the security assessment process. 

The Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA) have created procurement structures and vulnerability disclosure platforms to help agencies collaborate with security researchers. 

Internet-accessible applications

The zero-trust strategy emphasize that agencies maintain a comprehensive record of internet-accessible records so they can undertake appropriate security measures and assessments. 

5. Data security

“The federal zero trust strategy advocates for robust measures to identify, categorize, and protect agencies’ data. It calls for a comprehensive approach to data management.” 

Protecting unstructured data

While agencies using government chat and other citizen engagement platforms usually have policies to protect structured datasets, they must work out appropriate strategies to protect loosely packed, unstructured data floating around systems. 

Automating security monitoring

As cloud environments have become prominent, agencies must automate security monitoring with robust Security Orchestration, Automation, and Response (SOAR) systems. 

Encrypting data in the cloud

Agencies should record data and create logs with attempts made to access data. To achieve this, the zero-trust strategy recommends using appropriate key management tools. They can use tools provided by the cloud provider, deployed on-premises, or rely on external parties. 

A good idea is to use an air-gapped collaboration system for maximum security.