Agencies have been migrating to zero-trust principles since 2021. More than just meeting a mandate, the shift to zero trust makes sense for the way agencies are consuming IT. More and more, the applications agencies use for daily work are located in the cloud, not in an on-premises data center. This means that the traditional castle-and-moat approach to security, designed to keep the network closed to outside access, is not as effective or sustainable. Instead, the zero-trust framework, based on the principle of “never trust, always verify,” allows for the expansion of cloud use while ensuring high levels of security.

While this shift is widely accepted as the right move to meet both modern workflows and the threat landscape, it does not mean it has been easy. Zero trust is not a single technology, but a concept enabled by a host of solutions that span the entire IT stack. Key challenges to implementing zero trust include:
- Legacy Systems and Infrastructure – Government IT systems can be decades old, meaning they are not designed to work with zero-trust solutions. Retrofitting these systems can be complicated and costly, leaving agencies with the choice of replacing the legacy system or forgoing zero trust as it relates to functions tied to that system.
- Funding – With IT budgets planned years in advance, many agencies struggle to allocate funds to zero-trust initiatives. Without those funds, they can’t ensure they’ll have the tools and training needed to implement zero-trust principles.
- Visibility – A key part of zero trust is understanding what you have on your network in terms of tools and data. The sheer size and complexity of agency networks make this discovery aspect incredibly difficult. Inventorying technology licenses and standardizing data classification could take agencies years.

Because zero trust is a multi-layered approach to security, agencies can modernize their approach in phases to account for these challenges.

The most visible change related to zero trust may be in the area of identity and access management. Many agencies prioritized rolling out multi-factor authentication (MFA) and single sign-on (SSO) solutions to ensure that only authorized users can access sensitive systems — and that every access request is continually verified. Doing so helps meet a core tenet of zero trust that sets identity (not location) as the perimeter.

Beyond identity, agencies are implementing zero-trust principles within pockets of their organizations. Some have started with prioritizing modernization for high-value assets (HVAs) — things like sensitive citizen data and national security systems. Others have begun zero-trust implementations in small, lower-risk parts of the network to experiment with the impact on systems and users; these experiments will inform larger rollouts.

Finally, artificial intelligence (AI) is proving to be a key tool in automating the workflow required for zero trust. AI tools can help with the visibility and data standardization challenges, as well as support integration between the multiple tools needed to make zero trust work.

Nearly five years since the first executive order on zero trust, agencies understand that zero-trust implementation is a journey, not a one-time project. It is more than buying new technology — it’s about fundamentally changing the view of trust, access, and risk. By adopting this new way of thinking and developing an approach that works with the reality of agency infrastructure and mission, agencies can clear the road to zero trust.

As the founder of GovEvents and GovWhitePapers, Kerry is on a mission to help businesses interact with, evolve, and serve the government. With 25+ years of experience in the information technology and government industries, Kerry drives the overall strategy and oversees operations for both companies. She has also served in executive marketing roles at a number of government IT providers.