How Zero Trust Architecture Protects Government Data and Networks

Bill Wyatt, CIO and CISO at the State of Georgia, Office of the State Treasurer explains how strong security standards and a move toward password-less systems reduce risk.

By Brian Carlson

By Brian Carlson April 14, 2020

Cyber-attacks have grown significantly in volume and sophistication over the past few years. This rise in attacks is producing increased risk and cost for organizations of all sizes. According to the Cybercrime Report from Cybersecurity Ventures, cybercrime will cost the world $6 trillion annually by 2021.

The responses to the rise in cyber-attacks are modern security concepts that CIOs and CISOs are increasingly implementing to secure their networks, and ultimately, their data. Zero Trust Security, or Zero Trust Architecture (ZTA), is one such concept being explored by government IT leaders like Bill Wyatt, CIO and CISO at the State of Georgia, Office of the State Treasurer.

According to Wyatt, ZTA is based on the idea that companies should not trust anything from outside or inside the network and every device needs to be verified before giving access to the system. This is counter to the traditional castle-and-moat security strategy in which information security is focused on protecting the perimeters of the network, while assuming traffic on the inside was already safe and secure.

“Zero Trust Architecture for me starts with strong user identity controls and securing the data,” said Wyatt.

“We focus on that layer first. After that, we still have your traditional security controls, like firewalls and containers. Layered security is still important and has a place in the overall architecture design especially when data and services still coincide on premise.”

Traditional security models alone are no longer effective, warns Wyatt. When cyber attackers get past corporate firewalls, like in the Target breach, they have capabilities to slowly and quietly move within the environment undetected.

The great risk reduction to this issue, said Wyatt, is to secure the data itself, so that no matter where the data travels and who has it, it can be locked down and protected.

Laying the Right Foundation for a Secure Environment

Before Wyatt was able to secure his networks and data, he needed to lay the foundation for a single secure environment. Given his overall 28 year background in technology, a Bachelor in MIS, Masters in IT and Cyber Security, combination of 16 years in IT Audit, Financial Audit, State Audit computer investigations, and audit IT infrastructure management, along with certifications in CISSP, CISA, MCSE, CCNA, CCSA, CEH, CHFI, and Azure foundations, Bill had the appropriate expertise to know what he needed to accomplish in his new role.

“When I first came to where I am working now, there was plenty of opportunity for improvement which is not unusual when working with state government entities, especially during challenging economic times when entities may have limited funding through State appropriations,” he said. “Initially, I had to take a shotgun approach and implement controls and bandaids to bridge immediate gaps. I've been working, and building a rock solid IT team, since day one, to whittle that away and simplify, consolidate, innovate, and keep cutting edge as much as reasonable. At the same time, I’m hoping to save costs while improving services, availability and security.”

Prior to being able to set up and manage the security framework needed to secure data across federal and state, Wyatt had to move to a cloud-based infrastructure to give him the flexibility, cost savings, agility, security and services he needed to execute a comprehensive ZTA security plan.

“While locally I had strong support to move to a cloud-based infrastructure, there was no shortage of  red tape outside, especially at the state level,” he said.

“It took me two to three years to get through most of the red tape. Once I was able to quantify the risk regarding $28 billion in assets, and provide clear and concise information regarding risk, we finally got buy-in at the state level that was needed. Providing that clear picture of risk to state leadership was critical in removing that red tape. We simply could not put the complete set of security controls in place with the way it was architected. Since then, from an on-prem hybrid infrastructure perspective, we have settled on Nutanix, at the core.”

Wyatt has relied on Nutanix software since 2015 and is moving to HPE hardware running the Nutanix. In addition to cost-savings from moving off of VMWare, Wyatt moved all support under Nutanix in order to have a single point of contact for all issues. 

“Now we don’t have to go all over the place to other vendors to get the support we need,” Wyatt said. “They are going to handle all the tiers in one place under the Nutanix hypervisor.”

[Related story: Hybrid Cloud and IT-as-a-Service, Forces Behind the HPE and Nutanix Partnership]

Once he set up a cloud-based infrastructure, Wyatt could now focus his attention in securing all the data across his network, and leveraged the ZTA concept to get there.

Strong User Identity, Device Validation are Core to ZTA

“Zero-Trust Architecture (ZTA) for me has a few major components,” explained Wyatt. “First and foremost is the user identity. Our goal was to harden that identity and have confidence in it. If controls and mechanisms around identity management aren’t strong, it puts at risk everything else.”

In addition to focusing on user identities as the first layer of ZTA, Wyatt wanted to ensure devices that are connected to the network are validated and only approved to access data on a need-to-know basis.

“We are looking at the devices that are connected to the network, as well as the health of such devices to ensure they are validated before connecting,” he said.

“We need to validate those machines before they are onboarded and connected to the environment.  We use conditional access and MFA (Multi-Factor Authentication) as part of that in our environment. All the data that is architected in our environment has been designed around a need to know.”

In the end, it is all about protecting all forms of data. If ZTA is applied at the data/file level, protecting the frontier of the network becomes less crucial and concerning.

“While those are the major components of ZTA, it is all about the data,” Wyatt said. “The data should know who is supposed to be accessing it. The ability to control that data throughout its lifecycle is what I care about.”

“If an employee has moved to another job, they cannot authenticate and open protected data that may have found a way out of the environment via thumb drives or other personal cloud services,” Wyatt explained.

“We need the capability to prevent unauthorized access to all that data when employees leave, no matter when or where they put it,” he said. “The information protection is tied to the files themselves. Not to the structure of the environment, or the folders.”

For Wyatt, ZTA is a core strategy to strengthening the network by focusing down to file level security. He embraces ZTA and is hoping to finish evolving in the coming months totally away from one of his remaining risk reductions, passwords. Hardware FIDO 2.0 token based solutions provide a great improvement to Identity management. MFA and other controls are in place today and do a great job at identity management risk reduction. These controls are very important and timely to emerging programs such as the office's new Remote Work from Anywhere program.

“We don’t have VPN at all,” he said. “There is no outside access whatsoever into our local network. No wireless access into our environment. We do have wireless, but it is a completely separate environment. We are testing passwordless right now, we are close to being fully password-less. That is something we are really focused on, which is eliminating risk and threats from password use.”

RELATED

How Honey Pots and Maturity Models Keep Government IT Systems Secure

Brian Carlson is a contributing writer. He is Founder of RoC Consulting and was Editor-in-Chief of CIO.com and EE Times. Follow him on Twitter @bcarlsonDM.

© 2020 Nutanix, Inc. All rights reserved. For additional legal information, please go here.

Related Articles

There were no results