A guide to zero trust implementation: 5 steps to get your agency moving to better cybersecurity

Zero trust is a framework for cybersecurity that seeks to verify trust at every point of entry and every digital interaction for data and workloads traveling in a network.

For federal, state and local government agencies, the end to implicit trust of everything that is connected to a network should better enable the advancement of digital transformation efforts through stronger authentication and visibility from the edge to the cloud. Below is a guide to a zero trust implementation that government agencies can use to understand how to implement zero trust.

In response to the growing threats (See Verizon’s 2023 Data Breach Investigations Report for the Public Sector and 2023 Mobile Security Index for the latest insights) and a September 30, 2024 deadline for zero trust objectives, the federal government is rapidly moving to a zero trust cybersecurity model and state governments are evaluating federal policies to craft their own strategies.

When implemented, a comprehensive zero trust strategy will enable government agencies to more rapidly detect, isolate and respond to today's complex cyber threats. However, implementation of zero trust still draws questions from technology leaders dependent on legacy systems about the best ways to get started.

Here are some practical steps federal and state agencies can take to simplify their transition to a zero trust framework.

First, take a look at your agency's current mode of operation (CMO) and begin mapping how your agency meets the capabilities using a Zero Trust (ZT) capability model. For example, Verizon has developed a Zero Trust Capability Model that groups forty-eight (48) core capabilities into eight (8) pillars: User, Device, Network, Infrastructure, Application, Data, Visibility and Analytics, and Orchestration and Automation. This ZT capability model was created using industry feedback and reference architectures that were published by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense (DOD), and the National Institute of Standards and Technology (NIST).

Many organizations are already in the middle of transitioning to a zero trust model. Your agency may have already purchased certain technologies or adopted specific processes related to zero trust, so take an inventory of what you have. Then, highlight where these technologies or processes are in the implementation process—not implemented at all, partially implemented and fully implemented.

If you discover your agency has purchased solutions it has not yet fully implemented, then you can consider those solutions low-hanging fruit. Completing their implementation will help you make quick and substantial progress toward your zero trust implementation.

Government agencies may be tempted to purchase and implement a new technology right away, believing it is essential to do so in order to complete the transition to zero trust in a timely manner. That said, it will be more effective in the long run to first map out the agency's current zero trust capabilities, conduct an analysis of alternatives (AoA) involving three feasible solutions and then lay out a full business case before moving to the final steps of procurement and implementation.

For example, if an agency is considering adopting a SASE solution, it should first map its current capabilities to a zero trust capability model such as the one mentioned above. Then, share that mapping information with three solution partners. The purpose will be to get their assistance in determining whether their solution can meet the agency's remaining zero trust requirements and, in doing so, fill the gaps in coverage that were identified in Step 1 above.

This last step in the guide to zero trust can be carried out at the same time as Step 4, and it also involves partnering with SASE solution providers. In this step, the agency will create a proof of concept (POC) that addresses its top use cases. It is often possible to complete these proofs of concept directly in a special POC environment within the cloud solutions that the agency is considering. Assuming the POC is successful, it can then be easily transitioned from the POC environment to a production environment. This approach eases the process of zero trust implementation.

Since zero trust is a framework for cybersecurity rather than a specific product or service, there is no single solution that can fully enable zero trust at a government organization. However, there are certain solutions that can support a zero trust approach to cybersecurity and streamline the path toward a zero trust implementation.

For example, Verizon's Zero Trust Dynamic Access (ZTDA) delivers a zero trust cloud security solution for agencies and their employees. It enables secure access to the open internet, cloud applications, on-premise applications, and cloud services. Acting as both a first and last line of defense, ZTDA helps protect users, applications, and data on any device, while maintaining a high standard of performance and eliminating the need to backhaul traffic or use virtual private networks (VPNs) to keep connections secure.

Verizon Secure Cloud Fabric is an innovative solution designed to provide customers with a reliable and flexible private cloud infrastructure that can evolve as their consumption needs change and as data usage policies evolve. The secure cloud fabric is integrated with the network to provide a structured network fabric between the customer and cloud service providers, as well as the ability to privately connect to other agencies' environments, including data lakes. It provides a secure and structured network environment that helps meet today’s network requirements while also helping to ensure that the future needs of each agency’s network are supported.