Public sector cybersecurity & Zero Trust: creating secure government platforms

How can government agencies best keep up with the demands of the modern security environment? How can we manage the diverse array of security measures required while retaining flexibility and user convenience? The complex online ecosystems governments work with today demand equally sophisticated defences coordinating multiple tools and techniques: herein lies the value of Zero Trust principles.

The COVID-19 crisis has reminded us all of the vital role of public sector online services. The Australian government reports that its website hosting platform – GovCMS – was inundated with record user traffic during the COVID-19 pandemic as citizens sought vital health and safety information. During the heaviest traffic periods of the COVID-19 response, GovCMS received 187,000 simultaneous users, resulting in two billion hits in a month.

Over the last two decades, public sector agencies around Australia have consistently invested in cloud infrastructure and more accessible online services. Australian governments are expected to spend more than AU$15.5 billion on IT in 2022, up from 8.8% on 2021. Clearly, government IT platforms are an essential part of Australia’s civic infrastructure, so it behooves us to look closely at the role of cybersecurity in protecting these assets. There’s an adage in the security industry: ‘protect what you build.’ As public sector resources migrate to new, publicly accessible platforms, we also need to evolve our online risk management thinking.

Modernising & strengthening public sector security

As Versent’s Technical Security Director, I’ve advocated for Australian government agencies to adopt new cybersecurity practices as they upgrade their IT systems to modern cloud-based platforms. Talking with leaders in Australian public sector organisations across NSW, QLD and SA, I’ve advocated for the Zero Trust security model. It’s an evolved approach to security that’s proved highly effective for corporates like Boral, Transurban and Woodside as they upgrade their online infrastructure.

Zero Trust model has been around for decades, but it’s gained wide adoption in the last few years because of its effectiveness in the context of modern cloud-computing platforms. By adopting the Zero Trust methodology, public sector agencies can gain greater control of their public and internal networks, reducing risk and bolstering public confidence in their platforms.

Why Zero Trust is such a vital concept

From the 1960s through to the 1980s, perimeter-based IT security was the default for government organisations because they were fully air-gapped; contained within network perimeters that rarely extended beyond a single building.

In the early days of internet connectivity, many forces drove governments to think differently about security, particularly de-perimeterisation. Because online platforms don’t have defined physical perimeters, any user traffic on an online platform must be treated as untrustworthy until it’s been verified.

Figure 1: De-perimeterisation allows for more flexibility and effectiveness against internal threats and edge devices

De-perimeterisation means that we can’t rely on traditional security controls in the contemporary cloud-computing context, especially for high stakes implementations like medical records, tax and document lodgment and online payment portals.

With a substantial proportion of users needing some degree of access on their remote devices, people have come to expect convenient, easy to use online services. Government agencies undertaking digital transformation are now running key operations on SaaS systems that have flexible perimeters on the user end. Consequently, strictly enforced network security can negatively impact customer satisfaction and employee productivity. Zero Trust, as a security validation approach, verifies user accounts and interactions rather than focusing on perimeter defences, so it’s a more flexible and adaptive solution.

Making cloud security work for the future

The reality of decentralised government services and remote work means that we need to assume perimeter defences won’t work. We need a different security strategy that can remedy the complexity of online threats without impacting user experience. Zero Trust principles are a big part of the answer to this dilemma.

Zero Trust in multi-level threat modelling

In the security industry, we talk about solving problems in terms of ‘threat models.’ We identify the problem and define the required capabilities. We can then evaluate specific security products or protocols and design organisational structures that minimise risk and enhance protection. Threat Modelling helps us understand how IT systems and users — both public and internal — interact with each other at a molecular scale, revealing vulnerabilities. In the security threat model, trust must be earned by users and provable in some pre-agreed manner through the implementation of controls.

Threat models allow us to see systems in a data-centric manner and rigorously establish the trust levels required at each point in the system based on identified threats. They can also be maintained and extended over time so that we can make reasoned judgements about changing cybersecurity conditions. It’s this multi-level approach to security that makes Zero Trust such a powerful concept. With well-designed threat models and clearly articulated trust standards, we can architect systems that resist exploitation, even as they evolve and expand over time.

Figure 2: The Zero Trust security model is an ethos that encompasses all facets of a cloud ecosystem

Zero Trust implemented for a government agency

One example of Versent’s security modernisation work is a large NSW government agency providing citizens with vital online services; certifications, documentation and COVID-19 advisory information. With more than five million registered users, our client’s customers routinely share sensitive personal information across multiple platform portals. The client, therefore, needed a high degree of security vigilance without compromising flexibility and ease of access.

When the Versent team started drafting a security enhancement strategy for our client, we founded our approach on Zero Trust principles. By the end of their transformation journey, we’d implemented a completely new Identity & Access Management security system based on Zero Trust best practice standards.

The new platform we created for our client gave members of the public better access to the services they needed with a higher degree of integration and user-friendly apps, but also with much more resilient security. Additionally, our client estimates that its new security platforms cost up to 25% less to operate compared to their old system.

Sustainable, adaptive cybersecurity

Every government organisation needs an arsenal of security measures at its disposal to counter new threats as they emerge. Here we find the kernel of the Zero Trust methodology; its essential value. Zero Trust is not a single product or technique. Rather, Zero Trust is a paradigm for security, a way of using threat modelling to create security systems that evolve over time and promote safety without restricting access.

What’s the next step for your organisation?

Are your perimeters and cyber defences truly secure?

For a security assessment or to discuss your security challenges and requirements, contact a Versent advisor.

Top image credit: ©stock.adobe.com/au/adam121