Zero trust is a great strategy but a terrible name

The monthly town hall meeting was going well until they got to the agenda item called “zero trust.” What was to be a routine request for additional funding to implement a zero-trust environment quickly became one of confusion and misunderstanding. Trust in government at all levels has continued its downward spiral over the years. So, it is understandable that alarm bells went off when they heard their government was about to trust no one.

Many forget that when the internet was first deployed, it connected a defined number of organizations, including research institutions, select federal government entities and the U.S. military. Clearly it was designed to be a valuable network amongst trusted and known players. No one could have predicted the unbelievable growth of the internet, let alone its vast network of applications, websites and commerce. Network security has always played catch-up to an online addicted society—many of whom share way too much about themselves personally. We have become complicit in demanding everything be free or low-cost, forcing service providers to rely on making up the needed revenue from advertising or social business intelligence surveilling what we spend and do.

Criminals have capitalized on the unsuspecting, raking in billions through scams, fraud, extortion and deceit. What also has changed is the number of devices or endpoints that are part of the internet, where we now have more devices than people across the globe. This makes cyber security even more essential. Today we need to build better defenses against those who are unauthorized to get in or to restrict access to certain types of files and records. Up until recently, passwords were the main access code. Passwords, however strong, present challenges of their own. As password requirements became more stringent, so too was the resistance from users. It was, and perhaps still is, all too common for workers to jot down long passwords too difficult to remember and use post-in notes by their computers for all to see.

Multi-factor authentication has quickly emerged as a necessary best practice and many insurance companies won’t even provide cyber insurance without a government requiring it. Zero trust is a security concept that assumes that no user or device within a network should be trusted by default. Instead, every request for access to resources should be verified and authorized before being granted.

In January 2022, the White House announced its federal zero trust strategy. It should be noted that the federal government sets the tone for technology policy in state and local government, too. Zero trust comes at a cost, regarding integrating new technologies as well as getting public managers and their employees on board. Zero trust, to be successful, requires a holistic approach or whole of government approach.

Here are a fust a few highlights of zero trust policies:
Identity verification: Zero trust policies require users and devices to be authenticated and authorized before accessing resources. This includes multifactor authentication (MFA) and other identity verification methods to ensure that the user is who they claim to be.

Micro-segmentation: The network is divided into small, isolated segments, and each segment is protected by its own security policies. This helps to prevent lateral movement and contains any potential security breaches.

Least privilege access: Zero trust policies limit access to resources to only what is necessary for a user to perform their job. This minimizes the risk of an attacker gaining access to sensitive data or systems.

Continuous monitoring: Zero trust policies require continuous monitoring of user activity and network traffic to detect any suspicious activity. This includes real-time monitoring of logs, network traffic and user behavior.

Automation: Zero trust policies rely heavily on automation to manage access and security policies. Automated systems can quickly detect and respond to security threats, reducing the risk of a successful attack.

Overall, zero trust policies help organizations better protect their sensitive data and systems by assuming that every user and device is a potential threat and requiring verification and authorization for every access request.

We know that there is still resistance to zero trust policies in that many believe that the policies make it more difficult to access data and impose too many roadblocks which can lead to taking more time to accomplish a task. We also know that some public managers have requested exemptions for themselves so that they can be “more productive” and have more immediate access to their systems.

Of course, such exceptions pose some serious consequences. If elected officials and senior managers opt out of zero trust policies, it can have significant consequences for the organization’s security posture. Here are just a few examples:
Weaker security: Zero trust policies are designed to provide a strong security posture by assuming that all users and devices are a potential threat. By opting out of zero trust, elected officials and senior managers may be weakening the organization’s security posture and making it easier for attackers to gain access to sensitive data and systems.

Increased risk of breaches: Opting out of zero trust policies can increase the risk of breaches and other security incidents. Without strict identity verification, micro-segmentation, least privilege access, continuous monitoring and automation, it becomes easier for attackers to move laterally within the network and gain access to sensitive data and systems.

Non-compliance with regulations: Many industries are subject to strict regulatory requirements around data privacy and security. Opting out of zero trust policies may make it difficult for organizations to comply with these regulations, potentially leading to fines, legal action, and damage to the organization’s reputation.

Loss of trust: If elected officials and senior managers opt out of zero trust policies, it can erode trust within the organization. Employees may feel that their security is not being taken seriously, leading to decreased morale, increased turnover and reduced productivity.

So, let’s come back to where we began. Zero trust has become necessary, no matter the extra steps one must take to verify an identity or access rights. But it is also a term that belies a fundamental issue of public trust. Yes, the public expects (or wants) their local governments to protect their data and the government entity itself, but, at the same time, trust itself is being challenged at every level of government. Government officials need to be careful in explaining the need for zero trust policies and at the same time avoid giving the impression that government doesn’t trust its own people. Hence perhaps we need to start referring to zero trust policies as “secure trust practices.”

Dr. Alan R. Shark is associate professor for the Schar School of Policy and Government, George Mason University, and executive director of the Public Technology Institute (PTI) in Washington D.C. Shark is a fellow of the National Academy for Public Administration and co-chair of the Standing Panel on Technology Leadership. A noted author, his latest textbook, “Technology and Public Management” was recently published. He is also the host of the popular bi-monthly podcast, Sharkbytes.net.