Page 40 - FCW, July 2020

CAN GOVERNMENT GET TO
ZERO TR
Today’s hybrid infrastructures and highly mobile workforces need the protection zero trust security can provide. Too bad there are obstacles at almost every turn.
At the conceptual level, zero trust security seems simple: Don’t grant access just because a user is in the system. Assume compromise, and authenticate every action.
In practice, though, zero trust can be maddeningly complicated. It also can run counter to existing architectures, work practices and even federal security requirements. Yet today’s perimeterless networks and highly mobile workforces clearly need the protections zero trust can provide, so what’s an agency to do?
FCW recently gathered a group of security specialists from across government to discuss what’s needed to move zero trust into the mainstream. The discussion was on the record but not for individual attribution (see Page 42 for the list of participants), and the quotes have been edited for length and clarity. Here’s what the group had to say.
Zero trust, but many definitions
The zero trust security concept was introduced by John Kindervag, now at Palo Alto Networks, in 2010. Yet it was slow to catch on, several participants said, because zero trust seemed to equal zero access. “If you are trying to close every door, it’s almost impossible to do that,” one official said. “And zero trust was a little bit monolithic in the initial conception.”
Implementations over the intervening decade (perhaps most notably by Google) have proven zero trust’s potential, but the monolith has been replaced by a muddle of competing services and marketing campaigns.
“It’s still very, very squishy,” one participant said. “That’s the danger of overloaded buzz phrases. It’s kind of the new AI/machine learning.”
For the roundtable participants, the core concept boiled down to, as one speaker put it, “dissolving as much as possible this notion of the strong network perimeter.” All agreed that this meant focusing on both users and data, though views varied on the exact mix.
“You protect what you think is important,” one said. “Five or 10 years ago, people felt like the network was the