Implementing Zero Trust in Federal Agencies

June 14, 2022

Kevin Hansen
Public Sector CTO, CyberRes

Zero Trust in the Federal Government

Zero Trust is the leading cybersecurity strategy as federal mandates increasingly align with industry standards. Rather than granting access solely based on a credential, a zero trust strategy ensures each access request is required to pass multiple security barriers before gaining access to organizational resources. Cybersecurity and Infrastructure Security Agency’s (CISA) zero trust architecture consists of five pillars: identity, device, network, application workload and data. Government agencies must ensure each pillar is interconnected and each interconnection is addressed in their planning toward zero trust architecture. CyberRes, a division of Micro Focus, delivers this interoperability through an extensive access security framework that accelerates an agency’s zero trust maturity.

Zero Trust: An Extensive Framework

Many federal agencies realize they need assistance in implementing zero trust, as there is no specific blueprint for its implementation. Luckily, the CyberRes portfolio is well-positioned with multiple zero trust frameworks to embolden and strengthen agency defenses. With a variety of access security capabilities, such as a multi-factor authentication (MFA) framework with continuous risk-based authentication, in-use data protection and a unified access control framework, CyberRes can help organizations achieve desired zero trust outcomes.

For starters, agencies can take several preliminary steps. CyberRes has created a portfolio office that will help synchronize zero trust initiatives into a single cohesive strategy to assist with maturity planning. Leveraging the CyberRes portfolio will help agencies more quickly achieve the desired zero trust effects, such as a real-time user inventory of who and what devices, including mobile phones, can access the network and the associated risk or restricting access to only those who have both the need and the right to see sensitive data. Given these effects, anything else is extraneous access and represents unnecessary risk to your organization.

Rigorous implementation of zero trust as a cybersecurity strategy and framework is vital to federal safety. Typically, agencies will need to expend additional effort to include zero trust in their existing systems. Government agencies must move beyond prescriptive risk policies and become outcome focused as they advance towards zero trust maturity. CyberRes provides agencies with a framework, as there is not one technology solution that can achieve zero trust, rather a comprehensive cyber security strategy assisted by flexible and interoperable technologies. This approach will improve all zero trust related security, including dramatic improvements to multi-factor authentication (MFA), Identity, Credential and Access Management (ICAM), as well as device, application and data protections. It will also give agencies the visibility, automation, and interoperability they need to achieve high-level maturity and outcomes.

Security modernization is another continuous process that CyberRes aids in. As technology grows and expands, security standards must constantly be revised and updated. As a result, CyberRes helps organizations find the most direct ways to implement zero trust capabilities and to build on those strategies for the future. This way, agencies can stay up to date with security as the environment adapts and expands.

Building Interoperability to Achieve Maturity

CyberRes delivers interoperability that accelerates the maturity of an agency’s zero trust architecture by offering services that leverage multifactor authentication, unified access control and data protection frameworks. Because new authentication purchases typically originate within a program they are often solved from a specific tactical perspective. Government agencies often end up with multiple authentication silos rather than a consistent authentication framework which results in higher administrative overhead, inefficient processes and increased vulnerabilities. With continuous authentication and authorization beyond the perimeter is where the advancement in zero trust multi-factor authentication maturity occurs.

The best way to identify and protect against malicious insider attacks is to learn the unique normal behavior of every identity in the environment. NetIQ Access Manager allows agencies to keep authentication and authorization within a single control plane with a unified set of access control policies and processes. This enables faster identification of potential threats and applies risk-based policies to mitigate increases in risk, which is essential in modern adaptive access control systems.

Traditional data security controls in the existing IT infrastructure prove ineffective as data becomes more pervasive, mobile and cross-functional. The increasing reliance on SaaS applications and migration to hybrid IT has limited the development resources for API-level integration in government environments. With Voltage SecureData Sentry deployed on premises, in the cloud or in big data analytic platforms, organizations can protect their sensitive data and maintain control over their infrastructure, without sharing encryption keys or token vaults.

Zero Trust: The Future Cyber Security Framework

Every future cybersecurity effort should build on the zero trust strategy. With the help of CyberRes, federal agencies can create a specific and measurable strategy for ensuring that zero trust is addressed in every aspect of their hybrid IT environment. They can refine and impose risk-based, dynamic security policies to further enforce additional safety, matching the level of protection their specific mission requires. If departments and agencies prioritize interoperability across the entire zero trust spectrum, the federal government can look towards a more prosperous and safe future.

Download CyberRes' Application Security Framework for Zero Trust Whitepaper and learn more about zero trust principles and CyberRes' integrated set of cybersecurity product offerings.