Zero trust is a great strategy but a terrible name
The monthly town hall meeting was going well until they got to the agenda item called “zero trust.” What was to be a routine request for additional funding to implement a zero-trust environment quickly became a source of confusion and misunderstanding. Trust in government at all levels has continued its downward spiral over the years. So, it is understandable that alarm bells went off when they heard their government was about to trust no one.
Many forget that when the internet was first deployed, it connected a defined number of organizations, including research institutions, select federal government entities and the U.S. military. Clearly, it was designed to be a valuable network among trusted and known players. No one could have predicted the unbelievable growth of the internet, let alone its vast network of applications, websites and commerce. Network security has always played catch-up to an online-addicted society, many of whom share way too much about themselves personally. We have become complicit in demanding everything be free or low-cost, forcing service providers to rely on making up the needed revenue from advertising or social business intelligence surveilling what we spend and do.
Criminals have capitalized on the unsuspecting, raking in billions through scams, fraud, extortion and deceit. What has also changed is the number of devices or endpoints that are part of the internet: we now have more devices than people across the globe. This makes cybersecurity even more essential. Today we need to build better defenses to keep out those who are unauthorized and to restrict access to certain types of files and records. Until recently, passwords were the main access code. Passwords, however strong, present challenges of their own. As password requirements became more stringent, resistance from users grew as well. It was, and perhaps still is, all too common for workers to jot down long, hard-to-remember passwords on Post-it notes stuck by their computers for all to see.
Multi-factor authentication has quickly emerged as a necessary best practice, and many insurance companies won’t even provide cyber insurance unless a government requires it. Zero trust is a security concept that assumes that no user or device within a network should be trusted by default. Instead, every request for access to resources should be verified and authorized before being granted.
In January 2022, the White House announced its federal zero trust strategy. It should be noted that the federal government sets the tone for technology policy in state and local government, too. Zero trust comes at a cost, both in integrating new technologies and in getting public managers and their employees on board. To be successful, zero trust requires a holistic, whole-of-government approach.
Here are just a few highlights of zero trust policies:
Identity verification: Zero trust policies require users and devices to be authenticated and authorized before accessing resources. This includes multifactor authentication (MFA) and other identity verification methods to ensure that the user is who they claim to be.
Micro-segmentation: The network is divided into small, isolated segments, and each segment is protected by its own security policies. This helps to prevent lateral movement and contains any potential security breaches.
Least privilege access: Zero trust policies limit access to resources to only what is necessary for a user to perform their job. This minimizes the risk of an attacker gaining access to sensitive data or systems.
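The three controls above can be combined into a single default-deny decision that is evaluated on every request. The following is an added example, not part of the original article; the resource, segment and role names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy data; every name below is hypothetical.
RESOURCE_SEGMENT = {"payroll-db": "finance", "permit-app": "public-services"}
# Micro-segmentation: the only (source segment, destination segment) flows allowed.
ALLOWED_FLOWS = {("finance-desktops", "finance"),
                 ("clerk-desktops", "public-services")}
# Least privilege: each role gets only the (resource, action) pairs its job needs.
ROLE_GRANTS = {
    "payroll-clerk": {("payroll-db", "read")},
    "permit-officer": {("permit-app", "read"), ("permit-app", "write")},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_authenticated: bool
    source_segment: str
    resource: str
    action: str

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request; anything not explicitly permitted is denied."""
    # Identity verification: both the user (MFA) and the device must be verified.
    if not (req.mfa_passed and req.device_authenticated):
        return False, "identity verification failed"
    # Micro-segmentation: unknown resources and unlisted flows are blocked.
    dest = RESOURCE_SEGMENT.get(req.resource)
    if dest is None or (req.source_segment, dest) not in ALLOWED_FLOWS:
        return False, "segment flow not permitted"
    # Least privilege: the role must hold this exact resource/action grant.
    if (req.resource, req.action) not in ROLE_GRANTS.get(req.role, set()):
        return False, "action not granted to role"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed sample requests: one allowed, three failing different checks.
    for r in [
        Request("ana", "payroll-clerk", True, True, "finance-desktops", "payroll-db", "read"),
        Request("ana", "payroll-clerk", False, True, "finance-desktops", "payroll-db", "read"),
        Request("ana", "payroll-clerk", True, True, "clerk-desktops", "payroll-db", "read"),
        Request("ana", "payroll-clerk", True, True, "finance-desktops", "payroll-db", "write"),
    ]:
        print(r.source_segment, r.action, decide(r))
```

Being inside the network earns nothing here: a fully authenticated payroll clerk is still denied from the wrong segment, and denied again when asking for an action the role was never granted.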
To read the complete article, visit American City & County.