Stan Lowe, CISO, Zscaler, examines the six core capabilities that are needed for security modernisation in government agencies, particularly now with increasingly complex hybrid environments and more mobile work
Given the current need to support a remote workforce, security modernisation is currently top of mind for most organisations. Coupled with increasingly complex hybrid environments shrinking IT budgets, unfortunately, the cost to maintain ageing legacy infrastructure continues to grow.
The public sector has long been seen as one that clings on to legacy infrastructures and trailing behind private businesses when it comes to technology innovation. However, over the past few years, there’s been a huge amount of activity and modernisation of public sector infrastructures, much of which has gone unnoticed or unappreciated by those outside the government departments themselves. This refocusing on updating technology has paid dividends during the current crisis, and the public sector has been able to face up to this challenge and show greater resilience than many private sector industries.
Indeed, to combat rising costs, many public sector organisations have already turned to cloud-based services with the goal of enabling posture-driven, conditional access and zero-day threat sharing.
However, there is no one tool to provide all of these capabilities, so public sector organisations should look to a zero trust network access (ZTNA) model to provide ubiquitous security policies based on identity—meaning that users will have the same experience anywhere they connect. This provides consistency within organisations, giving essential workers the ability to seamlessly access applications and data in cloud environments and data centres, while IT administrators balance security and control.
There are six core capabilities of zero trust that public sector organisations can adopt to modernise their security environments:
Seamless direct access to external and internal applications
Zero trust gives users direct access to external and internal applications and data, remotely and securely. Rather than backhauling traffic through virtual private networks (VPNs), the zero trust model reduces traffic and latency, while ultimately improving the user experience. As remote work continues to expand, the public sector increasingly needs the ability to connect to data in data centres and clouds from their homes.
Access policies should correlate between user, device, application, and other aspects of the environment. As organisations build policies for context-aware access to data and information, they should include vendors, architects, users, privacy teams, and compliance teams in the conversation. It is important to have representation from all the teams involved to form a symbiotic relationship and a united organisation, especially for public sector teams who often operate in siloes.
Users should only be given access to resources and applications necessary for their job functions. By adopting a zero trust security model, only authenticated users will be granted access to applications they are specifically authorised to use. As attack surfaces grow with more distributed environments, zero trust can further limit east-west traffic on the network so that users cannot reach applications they were not intended to reach.
Flexible deployment across all users and locations
A cloud-based zero trust service can provide a scalable environment without placing a significant burden on the already resource-limited public sector IT team. Organisations need different policy requirements that allow for flexibility of deployment to be able to deploy these tools as quickly as possible. It should be seamless to scale capabilities up or down, without having to deploy new on-premises hardware or additional licensing.
To get started, teams should identify their most significant pain point and define a zero trust use case that addresses that issue. Then, they can implement multiple use cases for a solution that spans multiple scenarios and user communities.
Seamless user experience
It is important to focus on the user experience and make the security and access as transparent as possible, especially when accessing critical agency applications and key collaboration tools. Many public sector still operate legacy VPNs, which backhaul traffic through the security stack, creating a poor user experience and significant latency—especially with the rise in remote work. Instead, zero trust connections provide direct, secure access to applications in any location.
Comprehensive visibility and troubleshooting that enables rapid user-issue resolution
Zero trust provides IT administrators with a centralised view to manage, administer, and log users in one place. With full visibility and control into the distributed environment, zero trust technologies improve administrators’ visibility and troubleshooting to enhance the user experience and promote efficiency within the agency.
Security and compliance tools to mitigate cyber threats and protect applications and data
By using cloud-based security and compliance tools as part of a zero trust security model, public sector organisations can protect data and applications without having to go through frequent updates. This can free up time for teams to focus on more critical needs and on improving policies, instead of patching security holes.
As technology evolves, cloud and mobility are disrupting and accelerating digital transformation. Remote work requires a modern approach to security, and cloud-delivered security access service edge (SASE) models transition security from network-centric controls and to user-centric and application-centric security, designed to support highly distributed teams working beyond the traditional network perimeter.
As our “new normal” places a growing spotlight on the public sector, having these core capabilities in place when adopting new security tools and technologies with will mean organisations can focus on delivering on the objectives at hand and have one less worry when it comes to protecting their teams.