As federal agencies modernize and move into the future with new initiatives such as AI, cloud, analytics, new infrastructure, capabilities and programs, they will need to consider how their security solutions must advance and modernize to keep pace.

Enter zero-trust for cloud security

In September 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released the Zero Trust Maturity Model and the Cloud Security Technical Reference Architecture (TRA) for public comment. CISA developed the Cloud Security TRA in accordance with Executive Order 14028, “Improving the Nation’s Cybersecurity,” with the goal of addressing considerations for secure cloud migrations.

The core philosophy of zero trust holds that everything and everyone inside a network is suspect; instead of focusing security efforts on the network perimeter, zero trust directs security measures toward identity—specifically the identities of users, endpoints and resources.

Principles of zero-trust

The following principles of zero-trust architecture were established by the National Institute of Standards & Technology (NIST):

  • All computing services and data sources are considered resources and are therefore subject to evaluation before access is granted.
  • Network location does not imply trust, all communication should be secure regardless of the network location.
  • Trust in the requester is always evaluated before access is granted; access to resources should be granted on a per-connection basis.
  • User authentication is strictly enforced prior to access and is dynamic; authentication is in a constant state of assessing access and threats, adapting to new threats, and continuously authenticating.
  • Policy will determine access to resources, including the observable state of the requesting system and user identity, and might include additional behavioral attributes.
  • The enterprise (or agency) will ensure that all systems, both owned and associated, are in the most secure state possible and will continuously monitor systems to maintain the most secure state possible.

Zero-trust requires a shift in mindset

The real shift with zero-trust is mindset. In the complex world of cloud and mobile technology, the old ‘castle and moat’ approach is outdated. It’s important to recognize that it’s the data that requires protection, not the perimeter.

The traditional model of protecting the perimeter assumes that anything inside the perimeter can be trusted. With zero-trust, nothing inside or outside the perimeter is trusted. Identity verification must be complete, apply to everything, and run continuously.

This shift in mindset also calls for a completely different approach to security. This means implementing new kinds of security solutions with the capabilities agencies need to create a zero-trust security posture.

It’s worth noting that you may never achieve a complete and true zero-trust security posture, but there are initiatives that you can launch immediately that will bring you much closer to the desired state.

Features of a zero-trust security solution

A zero-trust network access protocol centralizes and abstracts the mechanisms of access so security teams can monitor and control them. Access is granted by the system based on the identity of users and their devices, along with other contextual data such as location, time, date, historical usage patterns, and device information.

Using access and identity to manage security creates a more resilient and security environment that is much easier to monitor and manage.

A good example is the Cisco zero-trust networking security model. It establishes trust using continuous authentication and monitoring of every network access attempt. This is a very different approach than the traditional model, which assumes that everything in the corporate network can be trusted.

Help with zero-trust

As agencies modernize their infrastructure to keep pace with federal mandates and new technologies like AI, cloud and IoT, they will need to strengthen their protocols and procedures to meet the challenges of the modern threat landscape. With a zero-trust approach to security, you can meet the security challenges of today and in the future, creating a more secure and future-proof environment.

If you have questions about zero trust and would like guidance regarding security solutions and how to implement zero trust procedures and protocols, please reach out to your Sirius Federal representative or contact us, and we will be happy to connect you with one of our security experts.

Related Blog Posts

See All Blogs

Key Challenges with DevOps for Federal Government

Federal agencies are feeling the pressure to modernize their software applications and network infrastructure with a more cloud-based or cloud-first approach.

Migrate to the Cloud With Confidence With Our Bridge to the Cloud Approach

Sirius Federal offers a Bridge to the Cloud approach to help agencies navigate every step of the cloud migration process, whether moving to a private, public or hybrid cloud.

How Zero-Trust Authentication Impacts Your Agency’s Modernization Plans

There was a time when all it took to keep your agency protected against data breaches and cybersecurity threats was a robust perimeter that stood between everything in your enterprise and everything outside. Threats had to break through security controls…

Achieve Zero-Trust Security With Micro-Segmentation

Learn how you can take your federal security controls to the next level with micro-segmentation and a zero-trust security model.

Network Security in a Remote World

Five Tips to Help Federal Technology Teams Keep Their Networks Secure with a Remote Workforce With the Office of Management and Budget’s (OMB) mandate for federal agencies to implement policies and procedures to slow the spread of the COVID-19 virus,…

Protecting Federal Agencies from Phishing and Ransomware Attacks

As we spend an increasingly large percentage of our time online, we’ve become aware of the malicious tactics used to trick us into downloading malware or betraying our credentials. However, when we’re not paying attention, serious trouble can take us…

Using the CDM Program to Keep Up with Compliance in the Digital Age

As the Homeland Security Department’s Continuous Diagnostics and Mitigation program enters its seventh year, its positive impact on federal agencies' cybersecurity is clear. Since implementation, Homeland Security has been able to field and navigate over 35,000 security incidents, and fiscal…

Optimizing Edge Computing for Federal Agencies

For federal agencies today, processing the massive amounts of data collected on a daily basis provides an unprecedented opportunity. The insights gained from analyzing this data can change the way we deliver citizen services on every front. But, there is…

4 Security Lessons Federal IT Pros Can Teach the Private Sector

Whether in the private or federal space, there's one thing all IT security teams must deal with: making the most of limited resources to protect sensitive information. And while budgets are slow to increase, threats develop fast. Anyone with an…

NextGov: Security Doesn’t Have to Be a Sticking Point in Cloud Migration

Despite the innovations and efficiencies that come with cloud migration, only about 20 percent of federal agencies have migrated their applications and data to the cloud. Why such a low adoption rate? One reason is the challenge of securing data.…

Fifth Domain: How Agencies Can Protect Legacy IT As They Modernize

Cybersecurity threats grow more sophisticated every year. And while the federal government has pushed forward with efforts to modernize IT, some legacy systems pose unique challenges. Often, these systems remain static even as the landscape around them continues to change.…

What You Need to Know about Data Privacy

Data privacy is the crossroads of confidentiality and integrity. When data is shared, either voluntarily or involuntarily, there’s an expectation that the collected information will be kept confidential. In general, data privacy is really about identity—social security numbers, credit card…

Cyberattacks and the DHS Directive – It’s Time for your Agency to Improve Your Authentication Protocols

By now CIOs across the federal government have seen Emergency Directive 19-1 issued by the Department of Homeland Security, which was issued in response to cyberattacks on DNS infrastructure for several executive branch agency domains. In these attacks, outsiders compromised…

NextGov: Prioritizing for Migration to the Cloud

The Cloud Smart strategic framework for cloud migration has given federal agencies some reassurance that their transition to the cloud doesn’t have to be focused solely on a timeline that could disrupt current processes. If carefully planned, the transition will…

NextGov: The Boldest Predictions for Federal Technology in 2019

Everyone is talking about artificial intelligence right now—it’s the buzz of the industry. But not many people fully understand what AI and machine learning can do. Jason Parry, our VP of Client Solutions, shares his prediction on the impact artificial…

Covering Your Blind Spots

Visibility and security are paramount to a network because you can’t have one without the other. As technology develops, and our reliance on internet connectivity grows, new road blocks appear that make visibility harder to achieve. How can CSOs adapt…

GCN: Protecting Critical Internet Infrastructure From IoT Device Risks

As the infiltration of internet-connected devices into nearly every aspect of daily life continues to expand, so do the vulnerabilities and security risks they create for their operational networks. That includes the devices and networks used by federal agencies that…

Keeping Your Agency Secure in the Cloud

Like it or not, no government is permanently safe from cyberthreats. The agencies that protect their citizen data the longest are the ones that best assess the risks facing them daily. It’s a situation that doesn’t change after organizations adopt…

A Bridge to the Cloud

For federal agencies, the move to the cloud can be a daunting task. CIOs face an array of challenges in making the transition — from worries about data security, to concerns for budget and resources, the task requires a concerted…

GCN: Securing Data in the Cloud Requires Planning, Constant Vigilance

Government agencies know -- and have largely accepted the fact -- that moving to the cloud is inevitable. Where many start struggling is with the “how.”  How do they move legacy systems to the cloud? How do they choose the…

TechTarget: IBM Business Partners Mull Benefits, Risks of Red Hat Acquisition

IBM business partners have begun recalibrating strategies in the wake of the vendor's announcement that it would acquire open source software vendor Red Hat. IBM, which plans to purchase Red Hat for $34 billion, sparked a wildfire of questions this…

NextGov: It’s Time to Tackle the Problem of Unapproved Cloud Apps to Keep your Agency Secure

It’s a problem seen across all federal agencies: Employees are using cloud-based applications that aren’t approved or protected by IT teams. These apps range from sharing tools, such as cloud storage platforms, to social media sites or personal email accounts…

GCN: Why Blockchain Belongs in Government

Anyone with a finger on the pulse of the latest cybersecurity trends has probably noticed an increasing number of contributions to the blockchain conversation. The dialogue around blockchain, while loud, clear and growing, has been largely undirected for the past…

Federal Times: Can Industry Bridge the Government Cyber Skills Gap?

Federal agencies have until April 2019 to identify critical work roles and skill shortages in IT and cybersecurity as part of the Federal Cybersecurity Workforce Assessment Act. While this is a first step in determining a holistic approach to address…

CSO: Getting the Most out of Your Security Budget

There may be no more pressing need in today’s online world than quality cybersecurity, making it a top-line item for just about everyone. But even as the need builds, the salaries rise, and the expectations heighten, resources remain scarce. Security…

NextGov: The Time to Automate Security is Now

Cybersecurity threats are constantly evolving. Unfortunately, federal IT teams often find themselves low on resources, which means being proactive to combat them is a pipe dream. So how can leadership focus on strengthening their agency’s security posture when they spend…

CSO: Ways to Improve Your Security Team’s Response Time

When it comes to incident response, every second counts. The severity of breaches varies, but since damage done directly correlates to the time a malicious actor has access to your systems, it’s paramount that all threats are discovered and remediated…

3 Ways to Unleash the Power of Your Next-Generation Firewall

We more or less abandoned pagers more than 15 years ago. Fax machines have gone from ubiquity to near obsolescence. And floppy disks? Many of the most recent generation of tech users have never even held—let alone inserted—one. And yet,…

GCN: 3 Considerations Before Moving to the Cloud

Despite the urgency of IT modernization and the federal government's cloud-first mandate, many agencies unfortunately still find themselves lagging when it comes to cloud adoption. While cloud migration is a massive endeavor, it doesn’t have to be unmanageable, let alone…

Cisco Live 2018: Vendor Opens Management Console to Partners

In this article for TechTarget, Sirius Federal's VP of Client Solutions Jason Parry weighs in on the new opportunities arising from Cisco DNA Center. In Cisco's latest nod to software, the company has opened its Cisco DNA Center to developers,…