A Zero-Trust model will likely be the most effective approach for governments going forward. Implementing microsegmentation — and identity-based segmentation, in particular — will be crucial as government agencies try to advance their security maturity and begin to apply Zero Trust within their environment.
Focusing on dividing their network and applications into isolated segments will give agencies greater visibility, monitoring and access control that ultimately enhance not just network security, but security across the enterprise.
Why Governments Need to Strengthen Network Defense
State and local governments face several ongoing challenges with network security.
Lester Godsey, the chief information security officer (CISO) for Maricopa County, Arizona, says too much technical debt and rapid cloud modernization due to the pandemic now compel state and local governments to bolster network defense.
“For those reasons, I really see state and local governments having no choice but to adopt a Zero-Trust approach, where microsegmentation is such a critical component,” Godsey says.
Open, flat networks with no internal impediments to lateral movement of threats make it easier for hackers to infiltrate systems. Traditionally, organizations have relied on network segmentation focused on dividing the network into different zones and using firewalls to protect applications and data.
However, greater IT complexity and hybrid cloud environments now make this approach insufficient and too complex to protect against the evolving threats organizations face. Microsegmentation is a more granular, dynamic approach to network segmentation. It allows IT teams to better control traffic between servers not just within the same network segment, but also isolate workloads and establish security policies and controls that better protect individual workloads.
As state and local governments implement a Zero-Trust strategy, microsegmentation will be crucial. But for this approach to be successful, it can’t just be network-based — it must be centered around identity. To accomplish this, government organizations can develop identity-based controls and policies for workloads. Only after the identities of the software and machines have been verified will they be allowed to communicate with one another and gain access to an approved network path.¹
Peter Smith, vice president of secure workload communications at Zscaler, a leading provider of Zero-Trust and cloud security solutions, says “identity is key to this entire process,” but the larger question is how to define identity beyond just a user accessing a resource.
“So what is identity? In my opinion, looking at network packet payloads cannot tell you the real answer you need. What is the software that made the connection? And what is the software that received the connection?” Smith says. “What is communicating in the cloud and data center is not a user, device, an address or protocol. It is a piece of software talking to a piece of software — full stop. If you don’t know that, then you don’t know if it’s legitimate or malicious.”
Government agencies will likely take incremental steps toward a Zero-Trust model, but as they do, they will need to increase their IT visibility and take appropriate inventory of what’s in their environment. They’ll also need to formulate more dynamic security policies — and integrate security solutions that provide identity-based, automated microsegmentation to strengthen their security posture.
Strengthening Network Security: An Action Plan for State and Local Governments
As governments look to improve network security and adopt a Zero-Trust approach, they should keep the following best practices in mind:
Assess current data and assets
Many organizations lack awareness of what assets they have from both a data and network infrastructure perspective. A critical first step for governments is to understand what sensitive data — from PCI and PII to HIPAA and FERPA — they have in their environment, along with any shared data pools.
Agencies should also consider completing an analysis of what data is coming into and leaving their networks. A security information and event management system (SIEM) can be valuable for understanding this, but many agencies will likely have existing security tools and various telemetry sources they can pull from to gain more visibility into their data.
Review existing governance policies
Agencies should also review their current security and data governance policies and potentially update them to determine where to apply additional security layers and Zero-Trust protections. Revising existing data classification policies, for example, can give organizations a starting point for what assets to prioritize.
Prioritize assets
Once they have a thorough asset inventory, organizations should prioritize critical data and assets based on the data they hold and the services that depend on them. These may be assets that contain PII directly, those that support core business functions, or those that feed into highly interconnected applications like backup infrastructure and other public-facing systems that provide a pathway into the network. Agencies can use data discovery tools, like software deployment solutions or a configuration management database (CMDB), to catalog, organize and prioritize assets. Once they have organized their applications and data into logical groupings, this can serve as the foundation for micro segments, Smith says.
Balance business needs with microsegmentation
As they look to implement microsegmentation, agencies should think about organizational risks as well as security risks. “I see a lot of organizations try to address the greatest security risk first, and what they end up doing is causing organizational risk, because they’re still in a learning process — a fairly lengthy learning process — of understanding the tools and processes and how to correctly microsegment without causing downtime,” Smith says. “It’s not just about saying, ‘I’ve reduced risk quickly.’ It’s about saying, ‘I didn’t break the organization in the process.’”
Onboard advanced security tools
To successfully implement microsegmentation, agencies will need enabling tools, such as solutions with robust enterprise identity and access management capabilities that validate and authenticate users, systems and applications and that dynamically allow or deny access to data. “If you don’t have a high degree of confidence in the identity — a source of truth, if you will — then you really can’t even take the next step,” Godsey says. An automated, identity-based microsegmentation solution will have these integrated capabilities. It can protect mission-critical applications and data in hybrid environments by creating a software-based identity to enhance security controls. With this technology, software is fingerprinted using cryptographic attributes and access is granted or denied based on this identity. This provides stronger protection for workloads. Additionally, the solution accelerates the deployment of microsegmentation compared to legacy microsegmentation processes that traditionally take months. It also integrates dynamic security policies that automatically adapt to changes in an organization’s environment, which can speed deployment and ensure greater protection when new applications are introduced into the environment.
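To make the contrast between an address-based rule and a software-identity rule concrete, here is an added illustration that is not from the article or from any vendor's product. It assumes a SHA-256 hash of the program image as the only cryptographic attribute, and the workload names, addresses and policy tables are hypothetical.

```python
import hashlib
from dataclasses import dataclass

def fingerprint(image: bytes) -> str:
    """Software identity = SHA-256 of the program image (assumed attribute)."""
    return hashlib.sha256(image).hexdigest()

# Constructed stand-ins for executable contents; real use would hash the file on disk.
BILLING_APP = b"constructed sample: billing-app build 1"
BILLING_DB = b"constructed sample: billing-db build 1"
UNKNOWN_TOOL = b"constructed sample: binary nobody registered"

# Hypothetical policy data: registered fingerprints and the pairs allowed to talk.
REGISTERED = {fingerprint(BILLING_APP): "billing-app",
              fingerprint(BILLING_DB): "billing-db"}
ALLOWED_PAIRS = {("billing-app", "billing-db")}
# The address-based rule the same traffic would get in a zone firewall.
IP_RULES = {("10.0.1.10", "10.0.2.20", 5432)}

@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_image: bytes  # program that opened the connection
    dst_image: bytes  # program that accepted it

def ip_rule_allows(c: Connection) -> bool:
    return (c.src_ip, c.dst_ip, c.dst_port) in IP_RULES

def identity_allows(c: Connection) -> bool:
    """Default deny: both ends must be registered software and an allowed pair."""
    src = REGISTERED.get(fingerprint(c.src_image))
    dst = REGISTERED.get(fingerprint(c.dst_image))
    return src is not None and dst is not None and (src, dst) in ALLOWED_PAIRS

def evaluate() -> dict:
    """Return {case: (address rule verdict, identity rule verdict)}."""
    cases = {
        "expected app, expected host": Connection("10.0.1.10", "10.0.2.20", 5432, BILLING_APP, BILLING_DB),
        "unregistered binary, same host": Connection("10.0.1.10", "10.0.2.20", 5432, UNKNOWN_TOOL, BILLING_DB),
        "expected app, new address": Connection("10.0.9.77", "10.0.2.20", 5432, BILLING_APP, BILLING_DB),
    }
    return {name: (ip_rule_allows(c), identity_allows(c)) for name, c in cases.items()}

if __name__ == "__main__":
    for name, (by_ip, by_identity) in evaluate().items():
        print(f"{name:32} ip_rule={by_ip!s:5} identity={by_identity}")
```

The second case is the one the address rule cannot see: same host, same port, different software. The third shows why identity-based policy does not need rewriting when a workload moves.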
Smith says a workload segmentation platform that provides policy automation is critical, considering that organizations’ IT environments are constantly changing.
“The thing that you need to be focused on when selecting your platform is, what is the day after like? What does it look like when you’re done?” he says. “You’ve built all of these micro segments. You’ve built close to perfect policies. You’ve got it all set and now change happens — and it will because you’re going to be updating and owning these policies forever more. How can you minimize the number of policies you need to manage without undermining the security outcome, because that will make all the difference in the world.”
Forging a Path to Zero Trust
Zero Trust is a multi-faceted security strategy that encompasses a range of security principles, policies and actions. To get to this desired end state, state and local governments will need to focus on strengthening user, device, network and application security, along with implementing security automation and analytics for more proactive defense. As they focus on the network security aspect of Zero Trust, they can consider implementing microsegmentation to better protect critical assets and data. They can use several security tools — from those that are already at their disposal to an identity-based microsegmentation platform — to gather the information they need to effectively prioritize their assets, formulate more granular application segments and protect workloads based on identity rather than an IP address. By doing so, state and local governments will not only enhance security, but position themselves to be more agile as they try to fulfill their mission.
This piece was written and produced by the Center for Digital Government Content Studio, with information and input from Zscaler.