Governments are increasingly leading the way on zero trust security

It’s often said that governments have both an opportunity and obligation to lead by example when it comes to best-practice adoption. This is very much true in the cybersecurity space, and particularly with zero trust.

Zero trust is the term for an evolving set of cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets and resources. It assumes there’s no implicit trust granted to assets or user accounts based solely on their physical or network location (ie, local area networks versus the internet) or based on asset ownership (enterprise or personally owned). In this way, it represents a shift in security mindset, from implicitly trusting certain devices and users to ‘never trust, always verify’.

In a zero trust model, security teams assume attackers are already inside the network and have already compromised assets. Acting as if this is true means doing everything possible to reveal and limit attackers’ movements. No user or device is trusted implicitly, even if it’s inside the firewall. Instead they must be authenticated and authorised every time. Under the principle of least privilege, users should be granted only the privileges they need to do their jobs in relevant applications, but no more.

The US Department of Defense has taken a lead in embracing zero trust as the “bold change” needed “to successfully mitigate attempts to deny, degrade, disrupt, deceive, or destroy [its] information systems” by FY27.

Several governments or agencies in Australia have similarly assumed a leadership role in backing a zero trust security architecture to overcome challenges in today’s operating environment — where having adaptable security controls that can keep pace with modern threats is increasingly critical.

In its revised cybersecurity strategy late last year, for example, Australia’s federal government suggested it would uplift Commonwealth cyber posture in part by “drawing on internationally recognised approaches to zero trust, aiming to develop a whole-of-government zero trust culture”.

At a state level, the SA Government is progressing towards a zero trust network, which it said is “contributing to more mature security posture and secure mobility for staff in regional and remote locations to access core government services”. Meanwhile in NSW, “zero-trust principles and related implementation strategies” are highlighted as a best-practice consideration “as part of a risk-based approach to cybersecurity” by agencies.

Lessons learned from deployments

These leading efforts chart a course for broader zero trust adoption among enterprises and businesses. They also provide guidance to prospective adopters around what they can expect themselves when going down a zero trust path.

Zero trust isn’t a product or solution that can be bought off the shelf or added to a security stack. It’s a fundamental shift in security culture that requires a rethink of an organisation’s current security controls. This isn’t a process that can happen overnight, and most organisations will face challenges along the way.

An early lesson is that the best zero trust security architectures are empowered by real-time network visibility.

Every organisation is a complex web of users, devices, applications, workloads and data stretching across a network environment that may include cloud servers, offices and production facilities, and remote worker endpoints. To properly defend this dynamic infrastructure, organisations need continuous visibility into east-west traffic, including encrypted network traffic. According to the April 2023 Zero Trust Maturity Model report from the US Cybersecurity and Infrastructure Security Agency (CISA), network and device visibility — two key capabilities of network detection and response (NDR) — are foundational elements of a zero trust security model.

NDR is also helpful for monitoring certain types of resources — such as operational technology devices or third-party cloud services — as part of a zero trust architecture. These kinds of devices and services can’t be monitored like regular IT endpoints such as servers or desktop computers, where a software agent is installed on them to monitor traffic flows. By understanding data flows to, from and between all assets, NDR can help organisations to better spot anomalous behaviour. High-fidelity network data also provides the visibility necessary to inventory and audit software-defined networking infrastructure.

A second lesson, as evidenced by the government implementations, is that zero trust takes time. Most organisations won’t be able to implement a pure zero trust architecture immediately. For nearly every organisation, zero trust and perimeter-based security workflows will coexist during the transition. Organisations should ensure that security solutions shared between the old approach and their zero trust implementation are flexible enough to work in both architectures.

A third lesson is that moving to a zero trust architecture is a big shift that will require many stakeholders to change processes they’re familiar and comfortable with. It can be difficult to break old habits and establish new ones, but it helps to educate everyone on why the changes are necessary. Adoptees should aim to socialise planned changes early so no one is taken by surprise and solicit feedback so stakeholders feel like they’re part of the process.

*Simon Howe is Area Vice President for Australia and New Zealand for network detection and response company ExtraHop Networks. He is responsible for further charting the company’s ANZ presence and sales growth in the enterprise security market. He also leads the region’s partner strategy, addressing a growing market need for network visibility solutions that help organisations better manage their cyber risk.

Top image credit: iStock.com/sasha85ru