As hybrid work continues to be the norm, cybersecurity and IT teams within the U.S. government must grapple with how to reconcile recently adopted flexible work models with the continued protection of the nation’s missions. Constant threats like cybercrime, ransomware, and overexposed data make it critical for agencies to review their security model and move toward a more modern choice like Zero Trust.
As a kickoff to our Zero Trust and Your Agency’s M365 Collaboration series, this article will introduce you to the following topics:
Zero Trust architecture is a type of modern security architecture. Unlike traditional security approaches, which assume implicit trust for those inside your network, Zero Trust Architecture (ZTA) follows the principle “never trust, always verify.” While not a new strategy (it was originally introduced by a Forrester analyst in the late 2000s), the recent increase in cloud adoption and hybrid work has resulted in a sharp uptick in the number of enterprises following Zero Trust approaches to their security. In fact, a Microsoft report found 76% of organizations have at least started implementing a Zero Trust strategy.
The US Federal Government is no exception. After 2021’s inclusion of ZTA in the President’s Executive Order on Cybersecurity, the Federal Government released M-22-09, introducing a Federal Zero Trust architecture strategy in an effort to combat increasingly sophisticated and persistent cyber threats, which threaten public safety and privacy. All Federal agencies are mandated to meet specific cybersecurity standards and achieve specific Zero Trust security goals by the end of the fiscal year 2024.
There are many scholarly articles on the definition of Zero Trust, but briefly, this modern approach to security can be laid out in 5 primary pillars:
Network: This traditional security approach focuses on keeping bad actors out of your environment; if they can’t get in, they can’t attack you.
Device: Building on the network, device (often called endpoint) security ensures that the hardware connecting to your network is safe. This is especially important as more organizations adopt a “bring your own device” (BYOD) model for computer and cellular technology.
Application: From the code to its visibility (anytime, anywhere), all applications must be secured to ensure there are no backdoors, whether deliberate or the result of negligence.
User: User authentication, recently paired with Multi-Factor Authentication (MFA), is the most common concern for this pillar. However, in recent years, single identity, audit history, and authorization have become key to the success of this pillar in ZTA as well.
Data: Data and protecting our nation’s key information is what ZTA is all about. Successful protection of data requires metadata, classification, and segmentation.
Incorporating these pillars into your framework can feel daunting, particularly knowing Zero Trust architecture cannot be implemented without major security practice changes. However, the approach has been proven effective, and with the right solutions helping to streamline these changes, your environment can be more secure with reduced security complexities and operational overhead.
To better understand how to implement ZTA, you need to understand why it’s necessary. Historically, the prevailing security model was “If they can’t access my network, they can’t access our content.” That’s why most security best practices favored perimeter-based approaches, such as firewalls or browser isolation systems. In fact, the network and device pillars exist for this exact reason, and they remain valid parts of your security approach today.
These strategies were the first line of defense, focused on securing systems and warding off threats as they entered the network. In these practices, if your first line of defense was effective, you didn’t need a second; you could rest assured your applications, workspaces, and data were safe with minimal additional efforts.
While these methods worked back then, when most environments, whether physical or digital, were well-defined, they don’t today, for two key reasons. The beauty of modern collaboration tools, such as Microsoft 365, is that your team can work from anywhere, on any device; but that flexibility is also a curse. It opens the door to remote users, “bring your own device” practices, and more people working in shared, non-private spaces, introducing a large number of vulnerabilities and risks that traditional strategies can’t combat.
Additionally, the assumption that anyone inside your network is trusted and anyone outside is not is outdated.
Under traditional security practices, insider threats are free to access and infiltrate your sensitive information due to a lack of granularity in security controls. As the principle of least privilege recommends, only those who need to know should have access to your sensitive information.
Modern workspaces call for modern security practices. Adopting innovative security approaches like Zero Trust is critical to safe collaboration.
Why the Workspace Is the Sixth Pillar of Zero Trust
Now that we understand why Zero Trust Architecture is necessary for your agency’s security, let’s talk about how to implement it. The National Institute of Standards and Technology (NIST) released guidance on adopting Zero Trust as a Federal agency and provided deployment models that help you lock down access and protect your information. Their recommendations encourage you to cover all data sources, secure communication, and eliminate blanket assumptions.
This last piece is key; blanket assumptions about the security of your collaboration spaces may have been the cornerstone of perimeter security, but they could now be your downfall. We have seen firsthand that securing your network or devices alone will fail as a security measure: from a malicious insider stealing and selling secrets to a negligent employee unintentionally compromising their own credentials, insider threats are lurking everywhere. You can no longer assume your content is secure just because your network is.
Comprehensive approaches to Zero Trust expand protection beyond the network and device. The Cybersecurity and Infrastructure Security Agency (CISA) identified five pillars essential to effectively executing ZTA: identity, devices, networks, applications, and data.
While this change does improve your security, there is still one missing pillar to achieving a truly comprehensive Zero Trust framework: workspaces. Ignoring collaboration environments like Microsoft Teams or Groups when building your data protection strategy is a dangerous pitfall for your security. These spaces are hubs of collaboration and information sharing for most organizations, yet controlling who has access to what is not always top of mind. Left unchecked, you could end up with overprivileged users, unsecured collaboration spaces, and an exponential increase in risk.
Authorization and authentication go hand-in-hand under Zero Trust, and both must be strictly enforced in your workspaces. You can avoid the perils of an unsecured workspace through right-sizing your Teams controls, utilizing strategies such as delegated administration, sensitivity labels, catalog workspaces, policy enforcement, actionable insights, and guest users and external sharing.
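As an added example (not AvePoint’s code or any product feature), the following PowerShell script inventories Microsoft Teams workspaces for the two conditions the passage above warns about, guest access and ownership gaps, using the MicrosoftTeams module. It assumes an account with Teams administrator rights; the minimum-owner threshold and the output file name are assumptions.

```powershell
# Added example: Zero Trust workspace review for Microsoft Teams.
# Requires the MicrosoftTeams PowerShell module and a Teams administrator account.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$MinOwners = 2   # assumption: a team with fewer owners than this is flagged as under-owned

$report = foreach ($team in Get-Team) {
    # Get-TeamUser -Role filters membership to Owner, Member or Guest
    $owners = @(Get-TeamUser -GroupId $team.GroupId -Role Owner)
    $guests = @(Get-TeamUser -GroupId $team.GroupId -Role Guest)

    $findings = @()
    if ($owners.Count -lt $MinOwners) { $findings += 'under-owned' }
    if ($guests.Count -gt 0)          { $findings += 'has-guests' }
    # Public teams are joinable by anyone in the tenant; combined with guests
    # the content is effectively shared with external parties as well.
    if ($team.Visibility -eq 'Public' -and $guests.Count -gt 0) { $findings += 'public-with-guests' }

    [pscustomobject]@{
        Team       = $team.DisplayName
        Visibility = $team.Visibility
        Owners     = $owners.Count
        Guests     = $guests.Count
        Findings   = ($findings -join ',')
    }
}

# Show only teams with at least one finding, most guest-exposed first
$report | Where-Object { $_.Findings } |
    Sort-Object Guests -Descending |
    Format-Table -AutoSize

# Keep the full inventory for the workspace catalog (file name is an assumption)
$report | Export-Csv -Path .\teams-zero-trust-review.csv -NoTypeInformation
```

The CSV doubles as the starting point for a workspace catalog, and re-running the script on a schedule turns the one-time review into the continuous verification Zero Trust calls for.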
Zero Trust and Your Agency’s M365
This may be starting to feel overwhelming, but it’s important to remember a more robust security model is essential to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns. The efforts to implement Zero Trust also have unexpected benefits.
Microsoft’s report found that organizations operating under Zero Trust benefit from increased agility (37%), speed (35%), and protection of customer data (35%).
Fortunately, the experts at AvePoint are here to help you align your collaboration with the government’s Zero Trust mandate. Through our Zero Trust and Your Agency’s M365 Collaboration blog series, we will be introducing several strategies to help implement comprehensive Zero Trust Architecture in your workspaces, and solutions that can help apply Zero Trust principles to your collaboration seamlessly. You can also learn how to meet federal Zero Trust standards with Microsoft Sensitivity Labels in this webinar!
Antoine Snow is a senior solutions manager at AvePoint, leading the Public Sector business unit. He has held various positions in IT over the past several years, ranging from front-end web developer to Microsoft 365 Service Owner. In his current role, Antoine focuses on governance and adoption challenges plaguing the modern workplace and on helping government organizations understand the components of a governance strategy and its implementation. Antoine's views on these topics can be found in various blog posts and have been the focus of one-to-one workshops.
I sell software, but my passion is to help translate the needs of the business into the capabilities of available technology. Over two decades in tech I have helped customers analyze collaboration solutions against actual mission needs, helping them select the best path based on their personal critical success factors. Per my training, I’m a project manager (PMP), an engineer, an architect, and a designer; but ultimately, I’m a problem solver.