But before I provide my promised update on this topic, I want to re-emphasize some of the reasons why it is so important for public- and private-sector enterprises now.
First, consider this January 2025 article from Cyber Security News entitled "100+ Vulnerabilities in LTE & 5G Infrastructure Enable Remote Core Compromise." After describing the issues, the piece ends with this:
“Cellular networks are integral to modern life, supporting emergency services, businesses and personal communication. The ability to disrupt these networks at scale represents a significant threat to public safety and national security.
"As 5G adoption accelerates, its integration with legacy LTE infrastructure exacerbates these vulnerabilities, making robust security measures imperative. This research underscores the need for proactive security measures across the telecommunications industry.
"Regular vulnerability assessments, adoption of zero-trust architectures, and stringent security protocols are essential to safeguarding critical infrastructure from increasingly sophisticated cyber threats.”
Next, we have a March 2025 article explaining why zero-trust architecture is the next big thing in security. Here’s how that ends:
“Heading into 2025, the conversation is no longer about whether the zero-trust model is necessary — it’s about what can be possibly done to further its adoption and make enterprise security stronger and impenetrable. With Gartner predicting that 60% of enterprises will embrace 'Zero Trust' as a starting point for security in 2025, it’s no surprise that zero trust is poised to fundamentally shift how we view the cybersecurity ideology.”
Third, in late December 2024, this Information Week piece describes federal and state developments on zero trust. Here are two helpful excerpts:
“In a Dec. 10 panel, cybersecurity leaders discussed 'Navigating the Federal Zero Trust Data Security Guide,' which the federal CISO and CDO Councils published on Oct. 31. The guide, developed by 70 people from more than 30 federal agencies and departments, offers a breakdown of how government agencies and organizations should think about data risks. The goal is to provide a practical guide on how to implement zero trust."
Also, “Massachusetts CIO Jason Snyder said he appreciates how the guide can move federal agencies and organizations past understanding the architecture of zero trust and doing something with it. He also said Massachusetts was at 'ground zero' as far as zero trust.
“'One of the things I really liked about the guide was its primary focus is data, and when you talk about zero trust, I think that is the right area of focus,' Snyder said during the panel. 'So, what we’re doing within Massachusetts is really driving forward from a data perspective and better understanding our data, better understanding different types of data we have, and then working on ways to protect that data.'”
WHAT NEEDS TO HAPPEN?
If you need a primer on zero trust, this CSO magazine article is not a bad place to start: "What is zero trust? The security model for a distributed and risky era."
Also, this piece from the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence can help as well: "Implementing a Zero Trust Architecture."
I really like this Forbes article entitled "18 Essential Elements Of A Robust Zero-Trust Environment." The first 11 elements listed include:
- Continuous Verification
- Least-Privilege Access
- Simplified Management
- An Understanding of Your Most Sensitive Data
- Clear Definitions of Roles
- Asset Discovery and Validation
- Management of Machine and Non-Human Entities
- An ‘Assume Breach’ Mindset
- Microsegmentation
- Shadow IT Visibility
- Dynamic, Daily Identity Governance
So where do things stand now, as we forge deeper into 2025? This webinar provides some excellent material to consider.
NEXT STEPS FOR ZERO TRUST IN GOVERNMENT
The Cybersecurity and Infrastructure Security Agency (CISA) offers resources to help assess your agency maturity in its Zero Trust Maturity Model Version 2.0.
Another article asks the question, "Is AI the missing piece for government agencies to achieve zero trust security?": “For the last year or two artificial intelligence AI has been the most talked about topic across sectors, including government agencies. While there is broad recognition of its immense promise there is equally as much conversation about its implications. From a cybersecurity perspective a central emerging question has been is AI the long-awaited breakthrough that can finally overcome the obstacles to widespread adoption of zero trust security? While the straightforward response may be affirmative, the comprehensive answer is more nuanced.”
But what happens if you don’t implement a zero-trust architecture using AI? According to this Security Info Watch piece, you may risk team safety and mission failure.
Another article claims that "Government & AI-Driven Growth in Zero Trust Architecture Market: To reach $108.1 billion by 2032."
And finally, I found this (vendor-sponsored) article to be interesting: "Xage Security launches remote CAC authentication, transforming zero trust access for DOD personnel."
Why?
“The new capability is built upon Xage’s zero trust architecture, which ensures agentless, Remote Desktop Protocol (RDP)-free access that eliminates RDP from public exposure and removes a major attack vector, reducing risk exposure; seamless user experience, where personnel can securely access mission-critical applications from anywhere using a browser-based connection; policy-based control, where access is governed by fine-grained zero trust policies, ensuring only authorized users can reach sensitive systems; and break-and-inspect security, where administrators gain enhanced monitoring and control over remote access sessions.
“'Traditional authentication mechanisms relying on physical access to Common Access Card (CAC)-secured systems present significant challenges, particularly when attempting CAC-based authentication from a remote system,' Susanto Irwan, Matthew Koehr and Vishal Gupta, Xage executives, wrote in a company blog post. 'The reliance on physical smart cards in remote environments introduces logistical and security complexities, often requiring additional complex gateway solutions which rely on insecure protocols or require thick clients installed on the user’s desktop. These challenges highlight the need for seamless and secure remote authentication solutions.'”
FINAL THOUGHTS
The momentum for implementing zero-trust architectures in government enterprises remain strong in spring 2025.
While I still lament the term “zero trust” for human trust reasons and because there is a general lack of trust in government overall, I am an avid supporter of zero-trust network architectures to help secure your enterprise data.
