Most Agencies Aren’t Implementing Zero Trust from Scratch
The biggest challenge agencies face with their zero-trust implementations is that these are not brand-new installations; they’re occurring atop existing networks, which is like building an airplane in flight. Thus, agencies must decide which technologies to integrate with their existing IT environments while remaining within their budgets.
Many vendors are testing zero-trust capabilities, but agencies won’t know which ones they need until they assess their current IT environments — starting with their data. Data sits at the center of any zero-trust model because agencies must identify what data needs to be secured, where it’s stored, what is safeguarding it, who needs access to it and when it needs to be available.
This step is especially crucial in light of the debt ceiling deal because it will help agencies prioritize where to buy new IT equipment or software packages and where to save money by maintaining existing infrastructure. It will still take agencies several years to upgrade their infrastructure and deploy stronger authentication as part of their zero-trust implementations. Unlike the Space Force — a new agency that intends to adopt a secure, modern operating platform wholesale — most agencies have significant technical debt and regulatory requirements beyond zero trust.
One agency, for example, had a vendor stand up its network but now has no information about what data is where, so it must hire a second vendor to handle the fact-finding before it can begin modernizing its legacy systems. Collaboration and information-sharing issues continue to hamper zero-trust implementations.
Test Desired Zero-Trust Solutions
Meanwhile, technologies and security frameworks continue to evolve, not waiting for agencies to play catch-up. Generative artificial intelligence such as ChatGPT is the latest example of new technology employees must learn. AI has been part of security for several years now, and talent is hard to come by.
Should federal cyber budgets see reductions, cyber talent will be the first area to suffer because agencies will have to focus funding on “keeping the lights on.” Despite incentives, such as the Pentagon’s and Department of Homeland Security’s training programs, top talent that agencies can’t afford will leave for the private sector.
Even industry is struggling to combat ransomware, which targets data and is the kind of attack zero-trust security is designed to render ineffective.
For these reasons, agencies would be wise to seek out industry partners that can build flow charts showing where their data should live and which policies affect it, while providing expertise on ideal zero-trust solutions. CDW partners with multiple vendors, understands what each is capable of and has lab space to test those capabilities to ensure an agency’s desired outcome in advance of deployment.
Agencies have spun up web applications in the past only to find their data was mined or stolen in its infancy. CDW runs tests with simulated data or mission sets to identify leakages without agencies risking a data outage or data loss that would impact their customers.
Amid budget constraints, testing to ensure zero-trust technologies meet an agency’s policies and procedures is key.
This article is part of FedTech’s CapITal blog series.