Zero Trust in a Post-Pandemic World
The case for implementing a Zero Trust strategy has never been greater. Cyberattacks are increasing in scale and severity with an attendant growth in sophistication. Most organizations agree: The post-pandemic world requires a paradigm shift in how we approach cybersecurity. In fact, in 2022, 72% of organizations were either in the process of adopting Zero Trust or had already adopted it.1
What is Zero Trust?
At a high level, Zero Trust requires all users (inside or outside the network) to be continuously authenticated and authorized to gain network access. The Zero Trust framework is designed to protect the modern digital ecosystem by assuming there are no network edges.
The Zero Trust strategy specifically addresses many of the post-pandemic challenges we’re facing related to digital transformation, remote access, shadow IT, and others.
The US Department of Defense weighs in
At the end of 2022, the Department of Defense announced its “Zero Trust Strategy and Roadmap.” The DoD has set an ambitious goal to get the department of over four million people to a Zero Trust architecture by fiscal year 2027.
When announcing its new plan, the Pentagon cited the need for a plan that “goes beyond the traditional perimeter defense approach”2 and can support millions of authorized users, including people who require access to DoD networks working from home.3 It’s an ambitious goal, yet operationalizing a Zero Trust strategy is rife with challenges. Let’s consider two that any organization will face: technical complexities and cultural challenges.
Pre-pandemic, most people worked in and authenticated from an office. It was an immediate red flag if you saw somebody log in from a different part of the world.
Now, however, employees work all over the world, often logging in from personal devices from different locations. Depending on the policies, it’s unlikely you can simply label a device ‘bad’ just because it is not recognized. This creates layers of nuance for security professionals trying to determine if a login is real or malicious as they seek to implement Zero Trust without blocking valid connections.
Partners, particularly foreign and industry partners located worldwide and connecting to your network, add to the technical complexity. Your organization inherits all your partners’ risk once they connect to your system. Not only do you have to consider the authentication complexities of a foreign network, you also need to manage their post-pandemic policies.
The DoD is investing in and moving to the cloud, which offers many benefits. It also presents new challenges specific to cloud permissions, resources, users, etc. This adds yet another layer of complexity to implementing Zero Trust.
There are numerous cultural barriers to overcome for a successful Zero Trust implementation. Frankly, supporting Zero Trust from a cultural standpoint is arguably the hardest component of a successful implementation.
Fear of obsolescence: Many people fear change and worry about obsolescence. They think new technology or protocols like Zero Trust will take their job away, rendering them redundant.
Need for control: Especially in the public sector, there is a sense of needing control—explicit control—over a system or an ecosystem. This is especially true in the intelligence community, where there is inherent distrust of everything and everyone. Role-based access control has been proven to work. RBAC can be difficult to implement, however. When access is taken away, people can feel insulted. The need for absolute control is a major friction point for the implementation of Zero Trust because, by definition, you have to remove humans from the system to be successful.
Remote work is inherently more dangerous: The notion that people working inside of a brick-and-mortar institution are somehow safer and less of a threat than people working remotely is false. Attackers use different methods to attack a brick-and-mortar worker versus a remote employee, but they’re both threats in the end. Humans, not software, are the biggest threat. A person may be unwitting and have no malicious intent, but their ignorance and lack of understanding of threats make them a target, no matter where they work.
Hubris: As much as we want to believe we are all objective and committed to whatever it takes to ensure security, hubris is a fact of human existence. Hubris impedes the work of change—in government or the private sector—and makes operationalizing Zero Trust incredibly difficult.
Is operationalizing Zero Trust impossible?
While difficult, operationalizing Zero Trust in this post-pandemic world is not impossible. First, recognize that no “cookie cutter” approach will work. Instead, customize a Zero Trust implementation strategy, considering any technical requirements or cultural perspectives unique to your organization.
A custom program will be more successful in educating the workforce, raising awareness of how Zero Trust benefits them. Fight the fear of obsolescence by showing how Zero Trust can free up employees to do more meaningful work. Combat hubris by describing how dangerous human access can be, regardless of location, position, or education.
Overcoming the cultural challenges to a Zero Trust implementation requires a top-down approach. Everyone must agree to give up some control and recognize that the old ways are insufficient. Just because something has always been done doesn’t mean it should continue. Trust the strategy!
Work with a partner that understands your organization. A key strategic assumption within the DoD Zero Trust strategy is increasing global and industry collaboration, yet this requires the single most important component.
At [redacted], we recognize and respect the unique situation each client (whether public or private) faces. With an unparalleled team of cybersecurity experts with elite backgrounds in both government and the private sector, we understand the specific challenges a Zero Trust implementation poses. We take a custom look at your organization’s use case and develop a method for operationalizing Zero Trust without interrupting your business.
Don’t allow the significant challenges of a Zero Trust deployment to derail your strategy. With the right partner and a commitment to positive change, every organization can be successful. Contact [redacted] today.
As a former senior government official whose career spans three decades in the Department of Defense, the U.S. Department of the Navy, and the Federal Bureau of Investigation (FBI), Tim Kosiba brings a profound understanding of public sector cybersecurity, both in practice and in policy. Tim served as a Deputy Commander within the Department of Defense and was responsible for successfully implementing the National Security Agency’s (NSA) Cyber Security Policy. Kosiba frequently represented the NSA and U.S. Cyber Command at The White House and other government-sponsored deliberations relating to cyber activities. A cyber forensics expert, Tim served as a technical lead for the Naval Criminal Investigative Service (NCIS) at NCIS HQ and as a certified master forensic examiner with the FBI Laboratory’s Computer Analysis Response Team (CART). He has also contributed to academia, serving as an adjunct faculty member with Johns Hopkins University and teaching forensic science and digital media forensics at the Carey School of Business.