Survey Reveals 5 Insights for Implementing Zero Trust

The concept of Zero Trust is not new, but it is gaining traction as data security becomes more scrutinized. Also referred to as “perimeter-less security,” Zero Trust has traditionally focused on employing network-centric tools that enable automated access controls, network microsegmentation, and continuous monitoring of connected devices. Following a 2021 Zero Trust executive order, government agencies and contractors are mandated to incorporate the framework into their data security strategies.

Recently, FedScoop published the results of a survey of 191 government leaders assessing their journey to Zero Trust. In this blog, we’ll highlight our top five takeaways and how you can leverage them to simplify your own journey.

1. User Identity and Network Upgrades are Essential

“When it comes to investment priorities, user identity and upgrades to network environments are getting the greatest attention.”

Regardless of which layer you need to address (Network, Application, Data etc.), identity management is necessary to holistically and confidently apply the right controls.

Identity and access control management are major challenges for all public sector segments, including the DoD/IC, Fed/Civ, Health, and SLED. Those focused on Zero Trust should be looking at best-of-breed segment leaders like Okta to simplify identity management for their organizations. Whatever you choose for identity management, it should be a tool set that leverages common standards to ensure interoperability and extensibility.

2. There is a Disconnect Between Leaders and Practitioners

“There is a probable disconnect between what senior executives believe to be true and what the ‘boots on the ground’ are saying is true.”

This has been a common challenge for technology programs across the sector for as long as IT departments have supported government agencies. Part of this is cultural; in segments like the DoD, there seems to be a more pervasive disconnect due to organizational hierarchies.

Ultimately, today’s best technology leaders want real visibility into challenges to help solve them and drive better outcomes. The Zero Trust Leadership Steering Group established in the executive order should help accomplish this, and some agencies like CIS have set up Zero Trust Working Groups to foster collaboration and visibility into challenges and needs across program teams. This is a best practice that all Federal agencies should leverage. Additionally, encouraging the “doers” to provide candid feedback and updates on projects to senior leadership so things can move faster and more effectively will contribute to a more empowered culture.

3. Leadership Teams Lack Visibility

“4 in 10 respondents at large agencies, 32% at small agencies and 20% at medium size agencies said their senior leaders do not have visibility into the gaps that must be closed to achieve zero-trust objectives.”

The stats say it all. This lack of visibility is exacerbated by competition across Systems Integrators competing for work funded by Zero Trust dollars. These projects are complex, with many layers and emerging technologies that must be integrated across evolving architectures and different operational needs that need to be addressed.

Agencies should hold status meetings for senior leaders and stakeholders on a regular (at least quarterly) basis to ensure visibility for the entire agency. Simultaneously, they should engage and inform programs, personnel, and partners that are not directly involved in the core Zero Trust project.

4. Agencies' Challenges Vary by Size

“Respondents’ confidence in their agency’s in-house skills to assess the security needs for each pillar of zero-trust varied by pillar and by agency size. Respondents at small agencies said they were highly confident in their ‘data”’skills and least confident in managing ‘users.’ In contrast, respondents at medium and large agencies said they were highly confident in their skills to manage ‘devices’ and least confident with ‘automation orchestration.’

In-house skills for high-end IT functions are, and will remain, a challenge for the Federal Government for the foreseeable future. This is due to many factors, but is not unique to Zero Trust or any of the pillars or functional areas supporting it. Fortunately, there is a vast ecosystem of government systems integrators and product companies with the domain knowledge, experience, and technical resources to support Federal Agencies’ needs.

The smart approach for agencies is to look for industry partners that can put together cohesive plans that integrate architectural designs leveraging best-of-breed commercial products in a modular, open architecture that will allow for continual improvements over time. Acquisitions should look for integrators providing outcome-driven plans that enable continued evolution, while ensuring competition via multi-award vendor contracts that foster innovation.

Locking an agency into long-term, single-award agreements will stifle innovation and kill incentives for delivering outcomes. Agencies need to encourage competition while building architectures that will evolve with the technology landscape. This ensures innovation, while enabling our government to be “secure by design.”

5. Data Management is the Top Zero Trust Hurdle

“4 in 10 respondents said data management was the top staff/ skills shortage hindering their agency in implementing zero-trust, followed by those with security engineering skills (39%) and networking modernization skills (38%).”

Cloud data management is a complicated and evolving space across the government and systems integrator community. Most agencies have programs focused on advanced analytics and the Data Act has driven data management modernization holistically across the Federal Government. However, the reality is that there will always be a skill shortage in the government due to market competition for resources with experience with these emerging technologies.

Innovative data leaders have realized that there are multiple architectural layers that need to be addressed from a security perspective to ensure Zero Trust is employed properly. One challenge that needs to be addressed, yet is not always considered by CISOs and data security leaders, is building secure next-generation analytics platforms like cloud data warehouses, lakehouses, and data clouds. To achieve Zero Trust, you need to specifically look at automating data access, governance, and privacy policy enforcement to ensure a balance between data security and the utility needed by consumers to operationalize analytics.

One way to help close the skills gap is to acquire commercial, best-of-breed products that can automate different functional and operational components, and integrate them into open, API-first based architectures that can be managed by government and contract staff. Product companies like Immuta build capabilities that address operational IT challenges innovatively.

The best SI’s out there have embraced partnerships with leading COTS product companies and scout technologies that can augment their ability to deliver these projects. This allows you to get the best and latest technology, while avoiding vendor lock-in.

Recommendations for Implementing Zero Trust

If you look at the purpose of Zero Trust, it’s all about protecting data. Couple this with the push for agencies to operationalize advanced analytics (AI / ML), and getting data management right is a critical concern for agency leaders thinking about how to succeed with Zero Trust.

At any agency, the Zero Trust project objectives should not be to “meet minimum requirements,” as called out in the executive order. Ultimately, the intent of the executive order is to holistically improve the cybersecurity posture of government agencies. It’s not for the agency to “check some boxes” on an evaluation to show that they followed the order. Cybersecurity is challenging and continuously growing more complicated.

The five pillars of the Zero Trust Strategy outline “complementary areas of effort” that need to be addressed to ensure a holistic security approach. However, the crown jewels of any agency are its data. Protecting the data is at the core of the strategy.

Depending on factors like the mission of the program or agency, as well as how far along different IT modalities are on the modernization journey and whether agile development frameworks have been rolled out across projects, there will be different gaps and priorities that need to be addressed.

The Zero Trust journey will be unique for each organization. Therefore, agencies should embrace a culture of continuous change, project accountability, and cross-agency collaboration to ensure successful alignment from the project teams to agency executives. Doing so will eliminate bureaucracy and expedite removal of bottlenecks.