Zero trust tips | Pluralsight

Cyberdime
Published: September 24, 2022

We’ve found in speaking with many of our partners in the Federal government that people are worried about timelines for implementing Zero Trust. Brandon emphasizes that the overall goal of Zero Trust is to have a better security posture. Instead of rushing to tick off boxes, he recommends a more methodical, thoughtful approach. Taking the time to set up a solid plan for implementing Zero Trust will achieve greater results in the long run.

Federal employees are also questioning whether they’ll need to purchase additional software to practice Zero Trust. It’s not uncommon to see content from vendors promising to solve every Zero Trust-related challenge. Brandon explains that the answer to this question comes down to what your network looks like, its complexity, and whether you have the necessary tools. 

Consider, for example, authentication. While the Department of Defense does an excellent job with multi-factor authentication, there are servers, virtualization systems, and disparate mission systems that don’t allow for it. 

Instead of trying to find a multi-factor approach to fit these systems, you might say, “Oh, it doesn’t qualify for multi-factor, so let’s just use a username and password.” The problem here is that the system can end up being compromised, and the attacker is able to pivot from there.

When it comes to Zero Trust, if you already have a system that’s able to connect those authentication systems, or you have a hardware token for multi-factor on another system, you won’t need anything new. Instead, you’re enabling the configurations that make that happen. The other option is to identify areas where you may need a vendor’s support. The benefit? You can come to potential vendors with your requirements up front.

Source: www.pluralsight.com