Reimagining Cybersecurity in Government Through Zero Trust


By Nick Savvides

As the seriousness of the coronavirus pandemic became increasingly apparent early last year, the primary objective for the Federal government was to transfer work processes online, to ensure the public service could carry on with critical work without disruption. This presented a unique challenge, due to the sheer size of the Federal workforce and the amount of sensitive data those workers require – everything from personally identifiable data to sensitive national security information.

While remote working isn’t new for many Federal and State government departments and agencies, the sheer scale and inversion of on-site and remote traffic volumes is. Large scale remote working and connectivity is the starting line for the Federal government – though not the finish line. Agencies must continue to evolve from a cybersecurity perspective in order to meet both emerging and future demands created by the pandemic. The most immediate need, however, is ensuring the safety of critical data which has now been spread across a wide network as a result of teleworking. A worker’s laptop may be secure, for example, but it’s likely linked to a personal printer that’s not, and comingled with horribly insecure devices on a home network. With the realisation that insecure home networks are now a primary access mechanism, it must be assumed that employees are connected via hostile networks, rather than just a subset.

Securing the tele-workforce in a new cyber world using Zero Trust

In the midst of the pandemic, the Australian Cyber Security Centre (ACSC) realised the need for improved cybersecurity practices and created an educational document titled “COVID-19 – Remote access to Operational Technology Environments” to help secure the imminent digital upheaval while flagging the potential risks of cyber attacks (COVID-19 malicious cyber activity). While the ACSC did a commendable job bringing to light many of the pressing cybersecurity issues in the COVID-changed world, like much of the guidance across the world at the time, the focus was on security for network and technical controls, with consideration for the people and human threats left to others.

As reported by the Office of the Australian Information Commissioner, there were 539 data breaches reported in the period between July and December 2020, a rise of 5% when compared to the previous six months. Furthermore, while malicious activity still remained the primary cause, it was revealed that 38% of these breaches were caused by internal human error. Perhaps even more concerning given the nature of its data, is the fact that the Australian government became one of the top 5 most breached industry sectors for the first time, with human error being the leading cause.

Considering the inversion of access, human error, and that many of the existing assumptions on which security architectures were built are now broken, Federal agencies face unprecedented and amplified security concerns. Federal IT professionals need to be asking questions about their existing programs, structures and security fundamentals to see if they still provide the expected efficacy in this new way of working.

Some of the key considerations are the principles of Zero Trust. While many view Zero Trust through a product lens, it is far better to look at it from a principle perspective, in particular continuous oversight, with continuous and automated decisioning that works in all scenarios.

This means it’s not enough to make periodic, or binary, trust decisions – such as a successful authentication, a granted access, or a matching rule – but instead to observe activity and make real-time decisions based on those observations. For example, in a traditional binary trust decision, a user is guaranteed access to certain data based on a successful authentication and access rules. In a true Zero Trust model, these are not guaranteed. Instead a user may authenticate successfully, but then be denied access to data they would normally be allowed, because observed behaviour and risk are taken into account in addition to the access rules.

For this to work effectively, agencies must be adept at identifying real time risk in order for Zero Trust to be both robust and friction appropriate, rather than frictionless.

In this new era, they should be continuously evaluating a user’s base activity, behaviour, and sentiment using a wide variety of signals. This means not only understanding what normal behaviour looks like, but also what looks normal but is likely to lead to higher risk. Armed with this information, real-time decisions can be made to prevent dangerous actions or escalate oversight even further. Behavioural analytics, which tracks how a user interacts with data and systems, has evolved significantly. Growing from simple pattern, file access and network activity analysis with fixed rule triggers, today’s tools provide a high-efficacy, high-accuracy understanding of user risk. This is made possible not just through modern data-science based analysis techniques, but by the sheer abundance of signals.
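As an added example, not from the article or its author, the difference between a binary trust decision and a continuous, risk-aware one can be shown with a small policy engine in Python. The access rules, the behavioural signals and their weights, the decision thresholds and the sample session are all constructed for illustration; a production system would draw the baseline and the signals from real telemetry rather than from hard-coded values.

```python
"""Added example: binary access decision versus a risk-adaptive (Zero Trust style) one."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AccessEvent:
    user: str
    resource: str
    time: datetime
    source_network: str      # constructed label, e.g. "corp-vpn" or "home-isp-1"
    bytes_requested: int


@dataclass
class Baseline:
    """What 'normal' looks like for one user (constructed values)."""
    usual_hours: tuple = (7, 19)            # local hour range [start, end)
    hourly_bytes_normal: int = 20_000_000   # typical volume in any one-hour window
    known_networks: set = field(default_factory=set)


# Static access rules (constructed): which resources each user may reach.
ACCESS_RULES = {
    "alice": {"hr-records", "wiki"},
}


def binary_decision(authenticated: bool, event: AccessEvent) -> str:
    """Traditional model: one yes/no per request from authentication plus rules."""
    allowed = ACCESS_RULES.get(event.user, set())
    return "allow" if authenticated and event.resource in allowed else "deny"


def risk_score(event: AccessEvent, baseline: Baseline, history: list) -> tuple:
    """Combine observed signals into a score; weights are illustrative only."""
    score, reasons = 0, []
    start, end = baseline.usual_hours
    if not (start <= event.time.hour < end):
        score += 20
        reasons.append("outside usual hours")
    if event.source_network not in baseline.known_networks:
        score += 25
        reasons.append("unfamiliar network")
    # Volume over the trailing hour, including this request: a bulk-access signal.
    window = [e for e in history if timedelta(0) <= event.time - e.time <= timedelta(hours=1)]
    volume = event.bytes_requested + sum(e.bytes_requested for e in window)
    if volume > baseline.hourly_bytes_normal:
        score += 40
        reasons.append(f"volume {volume} exceeds hourly baseline")
    return score, reasons


def adaptive_decision(authenticated: bool, event: AccessEvent,
                      baseline: Baseline, history: list) -> tuple:
    """Rules still apply, but observed risk can downgrade an otherwise permitted request."""
    if binary_decision(authenticated, event) == "deny":
        return "deny", ["failed authentication or access rule"]
    score, reasons = risk_score(event, baseline, history)
    if score >= 50:
        return "deny", reasons
    if score >= 20:
        return "step-up", reasons      # e.g. re-authenticate or notify an analyst
    return "allow", reasons


def run_session(events: list, baseline: Baseline) -> list:
    """Evaluate events in order, each against the history of earlier ones.

    Returns (binary outcome, adaptive outcome) per event, assuming every
    request came after a successful authentication.
    """
    history, outcomes = [], []
    for ev in events:
        outcomes.append((binary_decision(True, ev),
                         adaptive_decision(True, ev, baseline, history)[0]))
        history.append(ev)
    return outcomes


# Constructed sample session: the same authenticated user reading the same
# permitted resource, first from a known network, then from home, then in bulk.
BASELINE = Baseline(known_networks={"corp-vpn"})
T0 = datetime(2021, 3, 10, 10, 0)
SAMPLE_EVENTS = [
    AccessEvent("alice", "hr-records", T0, "corp-vpn", 2_000_000),
    AccessEvent("alice", "hr-records", T0 + timedelta(minutes=10), "home-isp-1", 3_000_000),
    AccessEvent("alice", "hr-records", T0 + timedelta(minutes=20), "home-isp-1", 30_000_000),
]

if __name__ == "__main__":
    for ev, (binary, adaptive) in zip(SAMPLE_EVENTS, run_session(SAMPLE_EVENTS, BASELINE)):
        print(f"{ev.time:%H:%M} {ev.source_network:10} {ev.bytes_requested:>10} "
              f"binary={binary:5} adaptive={adaptive}")
```

The binary model allows all three requests, because authentication succeeded and the rule matches each time. The adaptive model allows the first, asks for step-up on the second (an unfamiliar network) and denies the third, where the trailing-hour volume far exceeds the user's baseline. That last outcome is the article's point: the user is still authenticated and still within the access rules, yet the observed behaviour changes the decision.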

This provides agencies with science fiction-like understanding which can dynamically adjust and enforce policy based on individual users at each event, access and action as opposed to taking a one-size-fits-all approach that hurts workers’ ability to do their jobs.

This additional continuous oversight and real-time decision-making address two of the key challenges described earlier, the human error factor and the loss of control in a remote work world. In fact, these should not be seen just as compensating controls, but actually security enhancing.

The role of the private sector

The current shift in the Federal workforce may seem daunting to some, but it represents a huge opportunity for the government and private sector alike. Over in the US, a commission into the government’s structure and organisation for cyberspace recently highlighted the importance of public-private partnerships: partnerships that can help make modernised, dynamic Zero Trust solutions the new normal if they can overcome the unique scaling challenge that Federal IT presents. This model can also be adopted here in Australia. The government must not just embrace commercial providers, but work closely with them to enable such scale, reimagine its workplace, and drive innovation.

Shifting to a Zero Trust model means improved flexibility and continuity, which can help expand the talent pool that agencies and departments attract. Most government jobs were previously limited to one location, with no option for remote work. Thus, agencies lost out on great talent that was simply in a different part of the country.

Additionally, more flexible work schedules may also boost employees’ productivity. A two-year Stanford study showed a productivity boost for work-from-home employees that was equal to a full day’s work. In recent months, the government has seen first-hand that flexible and secure remote work can happen through the novel application of existing technologies – including Zero Trust architecture.

Harnessing the cloud with SASE

As the government embraces working from home as a near-future reality, it is also, by necessity, embracing a greater reliance on cloud technology. The ability to conduct day-to-day operations from remote locations, while advantageous, does not offset the wider security risks. The use of cloud technology means that secure information stored in a single location must be reachable from many endpoints, thus creating a broader attack surface.

An elegant solution presents itself in the form of the Secure Access Service Edge, SASE, which utilises a converged architecture – making it possible to secure information in the cloud via a converged security and network stack. While Gartner in their initial definition of SASE included Zero Trust Network Access, a software-defined perimeter that abstracts connectivity between an endpoint or user and a resource, there is significant scope to add more Zero Trust principles into SASE.

The principles of continuous monitoring, continuous assessment and real-time decision making are ideally implemented in a SASE security model, as it converges both the signalling and control channels. In this risk-aware/risk-adaptive SASE model, agencies will be able to monitor for irregular behaviour in real-time and respond in real-time, significantly minimising potential data breaches and security issues. Fundamentally SASE provides the ability not just to have visibility, but when combined with Zero Trust, also to have automated action.

In addition to its security benefits, SASE also reduces complexity in environments, bringing simplified management, increased productivity and reduced operational costs.

The Bottom Line

Federal departments and agencies must evolve cybersecurity in a way that allows them to embrace remote work without being vulnerable to attack. It’s not enough to get government employees online; users and data must be consistently secure as well. The mass shift to telework represents a huge opportunity for the public sector – which is growing both its remote work capabilities and its potential pool for recruitment – and for those in the private sector who can be responsive to this need.

In an ideal world, IT leaders would frequently overhaul and rebuild their network security from scratch to suit the ever-changing operating environment, rather than retrofitting legacy systems to suit a broadened network perimeter. In that ideal world, it’s likely that Zero Trust principles built into a SASE architecture would be at the core of all solutions, due to its fit-for-purpose design that addresses the modern, distributed workforce.

The key to security in this new era of remote work, cloud and converged network and security is behavioural analytics combined with real-time responses.