Connecting state and local government leaders
Because there are no comprehensive solutions available, governments need multiple efforts to happen at once, a county cyber exec advised.
Governments looking to create a zero-trust environment must think beyond technology as no vendors offer a comprehensive solution, a local cybersecurity leader said.
Lester Godsey, the chief information security officer for Maricopa County, Arizona, said during a webinar hosted by Nextgov and Route Fifty that those looking to transition to zero trust must conduct due diligence on which individuals and machines need access to certain systems and services. He said research is key to assessing all the different moving parts required to implement a zero-trust framework, and agencies cannot rely on vendors to recommend technology solutions.
“It’s not a silver bullet,” Godsey said of mission-critical zero trust technology.
The growth of remote work brought on by the COVID-19 pandemic complicated efforts to identify threats and establish which government staff need access to certain systems and services. People working in all different settings, often on networks that have less stringent security requirements, also must be taken into account, Godsey said.
“If you think about how we all operate … people are accessing resources from all over the place,” he said. “Whether it's from home, whether it's from your coffee shop, or your internal network, those are all different components that need to be addressed in order to implement an effective zero trust model. And so a lot of the heavy lift is, frankly, workflow and business process analysis.”
Maricopa County has been implementing its zero trust strategy for some time now, with identity and access management key components of that effort. As well as managing identities for its employees, Godsey said the county is now in the process of incorporating its residents and business users into its identity management efforts, not only to make it easier for them to access county services, but safer too.
“This concept of zero trust definitely applies to that, to being able to create a more effective user-friendly engagement with your constituents but doing so in a secure fashion and ensuring that the data that they're sharing and that they're consuming is done in a secure manner,” he said.
Maricopa County has been in the news after its 2020 presidential election results were the subject of denialism, controversial audits and misinformation. With the midterm elections fast approaching, Godsey said he and other county officials have seen social media posts encouraging people – including those who question the integrity of elections -- to sign up for voluntary and temporary staff positions with the county Recorder’s Office.
Those applications must be thoroughly vetted, and Godsey said it also “heightens the level of risks that we are seeing” as nefarious actors could try to infiltrate the county’s election administration efforts.
Zero trust efforts got a boost last year with an executive order and a memo in January from the Office of Management and Budget that set a zero trust architecture strategy for federal executive agencies and prompted some state and local governments to prime their own zero trust strategies. Godsey said while zero trust is “catchy” and the “current buzzword” in cybersecurity, it is a solid concept that needs attention from leaders at all levels, even if it is not mandatory.
“At the end of the day, local government and government in general is probably one of the biggest targets from a sector perspective when it comes to cybersecurity and nefarious activities,” he said. “In order to put ourselves in the best position possible to respond to and defend against cyberattacks, adopting a zero trust model is the legitimate way to go.”
While government efforts to reach zero trust will take time, Godsey said that leaders should think of it as an ongoing effort rather than as something to be achieved and then not thought of again.
“It's not something where all of a sudden, once you hit it, you know that you've reached the end,” he said. “It's a very iterative process. I would encourage organizations who adopt the approach to be patient and find incremental improvements on their way, because zero trust is a journey, not a destination.”