A guide to zero trust implementation: 5 steps to get your agency moving to better cybersecurity
Author: Rose de Fremery
Date published: April 1, 2024
Zero trust is a framework for cybersecurity that seeks to verify trust at every point of entry and every digital interaction for data and workloads traveling in a network.
For federal, state and local government agencies, the end to implicit trust of everything that is connected to a network should better enable the advancement of digital transformation efforts through stronger authentication and visibility from the edge to the cloud. Below is a guide to a zero trust implementation that government agencies can use to understand how to implement zero trust.
In response to the growing threats (See Verizon’s 2023 Data Breach Investigations Report for the Public Sector and 2023 Mobile Security Index for the latest insights) and a September 30, 2024 deadline for zero trust objectives, the federal government is rapidly moving to a zero trust cybersecurity model and state governments are evaluating federal policies to craft their own strategies.
When implemented, a comprehensive zero trust strategy will enable government agencies to more rapidly detect, isolate and respond to today's complex cyber threats. However, implementation of zero trust still draws questions from technology leaders dependent on legacy systems about the best ways to get started.
Here are some practical steps federal and state agencies can take to simplify their transition to a zero trust framework.
A guide to a zero trust implementation
1. Assess coverage and identify gaps
First, take a look at your agency's current mode of operation (CMO) and begin mapping how your agency meets the capabilities using a Zero Trust (ZT) capability model. For example, Verizon has developed a Zero Trust Capability Model that groups forty-eight (48) core capabilities into eight (8) pillars: User, Device, Network, Infrastructure, Application, Data, Visibility and Analytics, and Orchestration and Automation. This ZT capability model was created using industry feedback and reference architectures that were published by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense (DOD), and the National Institute of Standards and Technology (NIST).
2. Inventory your existing zero trust capabilities
Many organizations are already in the middle of transitioning to a zero trust model. Your agency may have already purchased certain technologies or adopted specific processes related to zero trust, so take an inventory of what you have. Then, highlight where these technologies or processes are in the implementation process—not implemented at all, partially implemented and fully implemented.
If you discover your agency has purchased solutions it has not yet fully implemented, then you can consider those solutions low-hanging fruit. Completing their implementation will help you make quick and substantial progress toward your zero trust implementation.
3. Understand the financial impact of displacing legacy technology
While agencies are modernizing their core infrastructure and transitioning to software-defined solutions like Secure Access Service Edge (SASE), it's not uncommon for legacy assets and other types of networking equipment to be displaced. With this in mind, it's wise to proactively assess the financial impact of this displacement before it occurs.
Partnering with the finance team will be essential where this is concerned. Upon identifying the legacy assets that will be displaced, the finance team can assess their value according to their depreciated value so far. This insight, along with information on the zero trust capabilities that the new solution(s) enable, will help present a clear business case to management for transitioning to a zero trust architecture.
4. Conduct an analysis of alternatives (AoA)
Government agencies may be tempted to purchase and implement a new technology right away, believing it is essential to do so in order to complete the transition to zero trust in a timely manner. That said, it will be more effective in the long run to first map out the agency's current zero trust capabilities, conduct an analysis of alternatives (AoA) involving three feasible solutions and then lay out a full business case before moving to the final steps of procurement and implementation.
For example, if an agency is considering adopting a SASE solution, it should first map its current capabilities to a zero trust capability model such as the one mentioned above. Then, share that mapping information with three solution partners. The purpose will be to get their assistance in determining whether their solution can meet the agency's remaining zero trust requirements and, in doing so, fill the gaps in coverage that were identified in Step 1 above.
5. Create a proof of concept
This last step in the guide to zero trust can be carried out at the same time as Step 4, and it also involves partnering with SASE solution providers. In this step, the agency will create a proof of concept (POC) that addresses its top use cases. It is often possible to complete these proofs of concept directly in a special POC environment within the cloud solutions that the agency is considering. Assuming the POC is successful, it can then be easily transitioned from the POC environment to a production environment. This approach eases the process of zero trust implementation.
Solutions that enable zero trust for government
Since zero trust is a framework for cybersecurity rather than a specific product or service, there is no single solution that can fully enable zero trust at a government organization. However, there are certain solutions that can support a zero trust approach to cybersecurity and streamline the path toward a zero trust implementation.
Zero Trust Dynamic Access (ZTDA)
For example, Verizon's Zero Trust Dynamic Access (ZTDA) delivers a zero trust cloud security solution for agencies and their employees. It enables secure access to the open internet, cloud applications, on-premise applications, and cloud services. Acting as both a first and last line of defense, ZTDA helps protect users, applications, and data on any device, while maintaining a high standard of performance and eliminating the need to backhaul traffic or use virtual private networks (VPNs) to keep connections secure.
Secure private cloud
Verizon Secure Cloud Fabric is an innovative solution designed to provide customers with a reliable and flexible private cloud infrastructure that can evolve as their consumption needs change and as data usage policies evolve. The secure cloud fabric is integrated with the network to provide a structured network fabric between the customer and cloud service providers, as well as the ability to privately connect to other agencies' environments, including data lakes. It provides a secure and structured network environment that helps meet today’s network requirements while also helping to ensure that the future needs of each agency’s network are supported.
Accelerate your zero trust implementation
Implementing a zero trust cybersecurity strategy can be a complex endeavor, but the five steps in this guide to zero trust can simplify the process. Although zero trust implementation is an ongoing effort and can never be considered truly finished, having a guide to a zero trust implementation and making meaningful strides now will greatly benefit agencies, their employees and the constituents they serve.
Learn how Verizon's security solutions for government agencies create the network agility public sector organizations rely on.
The author of this content is a paid contributor for Verizon.