Transcript:
Why Government Agencies Should Embrace Zero Trust Security
Zero trust security is gaining traction with state and local government leaders, particularly after President Biden’s May 2021 executive order aimed at strengthening data protection in government agencies. So why should government IT leaders embrace zero trust? We put this question to Chris Hein, head of customer engineering, public sector, for Google Cloud.
How do you define zero trust? And what are its primary components?
Zero trust is a concept that asks, how do attackers typically get into people’s systems? And once they’re there, how do they do damage? Often, an attacker gets inside an IT perimeter through a successful phishing attack. And, typically speaking, once they’re through the castle walls, they have access to everything. Zero trust says, “What if we assume the bad guy’s already in the walls?” And then you start adding levels of security. At every step along the way, you do a trust exercise to make sure the person accessing a resource is who they say they are — and their device is not compromised.
Why is zero trust increasingly important to government agencies?
We’ve seen a considerable rise in ransomware. Between 2019 and 2020, ransomware attacks rose by 62 percent worldwide and by 158 percent in North America, according to a 2021 report from cybersecurity firm SonicWall. It’s not just expensive — it can be dangerous. Some of these attacks have brought agencies to their knees — and disrupted critical constituent services. Zero trust gives you an easier way to address these threats. You don’t have to rearchitect everything. You don’t have to start from scratch. You can make common-sense changes that can make you better protected and less vulnerable to the most common attacks.
What’s one of the bigger hurdles government agencies face when implementing zero trust?
Budget is always going to be one. Often, it’s hard to convey to leadership why they should invest in something right now if everything’s going fine. But the cost of cyber insurance is skyrocketing. Cyber insurance policies will get less expensive for organizations that implement best-in-breed security techniques and technologies. And organizations are going to pay more if they don’t.
The New York City Cyber Command is moving toward zero trust. How do they illustrate the power of this approach?
They are the threat-hunting arm of New York City. When they were founded four years ago, they looked for the best security methodology to implement. So they made sure all their technology components, as they built out their entire technology stack, followed this assumption that an attacker was already inside the walls. At every step of the way and with every transaction, they didn’t assume a user already in the system can be trusted and has a right to be there. One practical impact of that is when the pandemic hit and the Cyber Command had to send employees home, they didn’t instantiate a VPN or change how they worked. The organization was ready because it was already working in that zero trust environment.
How should government agencies start moving down this path toward zero trust?
People want to go buy a zero trust widget. But zero trust is a methodology, not a tool. Start thinking about incremental improvements toward zero trust. Change management is important. You’re going to have to work with staff and get them up to speed. Make sure you’re selling them on why this is so important. Start really looking at your most sensitive systems and how you protect them. It’s worth making changes today. Zero trust is something you can make steps toward. And every step takes you to a more protected environment for employees and constituents.
Sponsor Content