At U.S. Federal Agencies, the Time is Right for Zero Trust

Bill Church
Published January 28, 2022

The ever-growing challenge to protect critical data, especially in an era of mobile and cloud-based work environments, has driven an increasing number of federal agencies toward a Zero Trust security model that better addresses their needs in this digitally robust world.

According to a recent survey, nearly half of federal government IT executives reported that their agencies are shifting toward identity-centered, or Zero Trust, security strategies to protect their digital resources. The study, produced by FedScoop and underwritten by Duo Security, found that federal agencies are moving away from traditional network perimeter defense tactics and becoming more open to a perimeter-less data environment that uses identity and authentication tools as the primary means of access.

Nothing shows the accelerated momentum of Zero Trust, and its subsequent adoption, more clearly than the recent Cybersecurity Executive Order, which highlights its criticality, and the White House's recent publication of the final version of its Zero Trust architecture strategy, which is intended to greatly improve the cybersecurity of government agency systems over the next couple of years. This shift has coincided with a dramatic increase in multi-cloud environments and remote workers, two components of a modern work environment that the Zero Trust model addresses very well.

The accelerated use of the Zero Trust model, both at federal agencies and in the business world at large, coincides with the growing realization that traditional methods of securing a network's perimeter are no longer sufficient. Because there is no longer a trusted network inside a defined perimeter, the "Trust, but Verify" approach has become obsolete. Instead, federal security teams will need to adhere to three more effective principles:

  • Never trust—except when users and endpoints actually earn that trust.

  • Always verify—a guideline that applies to context, application, location, behavior analysis and the other components needed to derive a risk-based approach appropriate to the endpoint activity.

  • Continuously monitor—with the understanding that it’s not sufficient to authenticate just one time and assume that risk will be low from that point forward. Only continuous authentication will ensure ongoing security.

F5 has recently been named one of 18 vendors collaborating with NIST's NCCoE on the Implementing a Zero Trust Architecture project to develop practical, interoperable approaches to designing and building Zero Trust architectures. Our deep experience working with top federal organizations on the front lines of Zero Trust adoption helps address these important issues. F5's extensive application security portfolio encompasses four key control points within a Zero Trust architecture, as described below:

Endpoints: Trusted App Access

F5 Labs reported that access-related breaches in 2020 represented the largest proportion of known breach causes at 34%. A trusted application access solution is vital in an era when access-related breaches are on the rise.

F5 BIG-IP Access Policy Manager (APM) provides modern authentication for all apps, simplifying and centralizing access to apps, APIs, and data regardless of where users and their apps are located. Whether an app is hosted on-premises or in the cloud, users get a consistent experience with single sign-on (SSO) while the app runs in a more secure environment built on Zero Trust architecture.

With Identity Aware Proxy (IAP), APM applies Zero Trust validation to every app access request. At federal agencies, the process for authenticating privileged users starts with APM displaying a U.S. Government warning banner, which the user must accept before authentication proceeds. APM then requires strong credentials from the user and validates them in several ways, for example by checking a certificate-based credential against a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) server to confirm it has not been revoked.

Once the privileged user has authenticated, APM queries additional attributes to determine which resources the user may access. Several advanced features also verify the integrity of the client, such as checking that it is Government Furnished Equipment (GFE), that it complies with the Host Based Security System (HBSS), and/or that it is running a supported operating system.
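As an added illustration (not F5 code, and not how APM is implemented), here is a small Python model of the access decision described in the two paragraphs above: banner acceptance, a revocation check, endpoint integrity (GFE, HBSS, supported OS) and attribute-based resource lookup, all re-evaluated on every request so that trust is never granted once and then assumed. All serial numbers, group names, resources and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed policy data for illustration; not real agency values.
REVOKED_SERIALS = {0x1A2B, 0x7F00}                   # stand-in for CRL/OCSP status
SUPPORTED_OS = {"Windows 11", "RHEL 8", "RHEL 9"}
RESOURCES_BY_GROUP = {"admins": {"vault", "jumphost", "ticketing"},
                      "analysts": {"ticketing", "dashboards"}}
POSTURE_MAX_AGE = timedelta(minutes=5)               # re-assess; never trust forever

@dataclass
class Endpoint:
    is_gfe: bool                 # Government Furnished Equipment
    hbss_compliant: bool         # Host Based Security System status
    os_name: str
    posture_checked_at: datetime

@dataclass
class Session:
    user: str
    cert_serial: int
    banner_accepted: bool        # U.S. Government warning banner
    groups: set                  # directory attributes queried after authentication
    endpoint: Endpoint

def evaluate(session: Session, resource: str, now: datetime) -> tuple:
    """Return (allowed, reason); every check is repeated on every request."""
    ep = session.endpoint
    if not session.banner_accepted:
        return False, "banner not accepted"
    if session.cert_serial in REVOKED_SERIALS:
        return False, "credential revoked"
    if now - ep.posture_checked_at > POSTURE_MAX_AGE:
        return False, "posture stale, re-assessment required"
    if not (ep.is_gfe and ep.hbss_compliant and ep.os_name in SUPPORTED_OS):
        return False, "endpoint failed integrity checks"
    allowed = set().union(*(RESOURCES_BY_GROUP.get(g, set()) for g in session.groups))
    return (True, "allowed") if resource in allowed else (False, "not authorized for resource")

def demo() -> list:
    """Constructed requests, one per decision branch; returns (label, allowed, reason)."""
    now = datetime(2022, 1, 28, 12, 0, tzinfo=timezone.utc)
    good = Endpoint(True, True, "RHEL 9", now - timedelta(minutes=1))
    alice = Session("alice", 0x0101, True, {"admins"}, good)
    cases = [("admin to vault", alice, "vault", now),
             ("admin to unmapped resource", alice, "payroll", now),
             ("revoked cert", Session("bob", 0x1A2B, True, {"admins"}, good), "vault", now),
             ("banner refused", Session("carol", 0x0102, False, {"analysts"}, good), "dashboards", now),
             ("non-GFE laptop", Session("dan", 0x0103, True, {"analysts"},
                                        Endpoint(False, True, "RHEL 9", now)), "dashboards", now),
             ("posture stale", alice, "vault", now + timedelta(minutes=10))]
    return [(label, *evaluate(s, r, t)) for label, s, r, t in cases]
```

The last case is the "continuously monitor" principle in miniature: the same user who was allowed a moment ago is denied once the endpoint posture evidence is older than the policy allows.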

Network Infrastructure: Application Security

Network infrastructure must ensure that apps are secure and available in order to achieve Zero Trust. F5 Labs research reveals that nearly 90% of page loads are encrypted with SSL/TLS, meaning that encryption has become the norm. Nonetheless, encrypted threats persist: it is common for attackers to use encryption to hide malicious payloads and bypass security controls.

Consider an SSL visibility solution that eliminates these threats by providing robust decryption and re-encryption of inbound and outbound SSL/TLS traffic under centralized encryption control. Such a solution should provide policy-based orchestration that removes blind spots and enables cost-effective visibility across the full security chain for any network topology, device, or application.

Applications: Application Layer Security for Agency Protection

Our F5 Labs research reveals that organizations, on average, deploy 765 apps. With cyber-attackers having so many potential targets, agencies will need to stay vigilant in protecting these apps as part of their Zero Trust strategy.

Your application-layer security solutions—whether the apps are in the cloud, on-premises, SaaS-based, or fully managed—should provide security at or near the application and protect the application stack in a Zero Trust architecture.

Your federal WAF solutions should also protect against Layer 7 DoS attacks with behavioral analytics that continuously monitor the health of the apps. Other capabilities should include credential protection to prevent unauthorized access to user accounts and safeguards against API attacks.

Identity Service: Partnerships

Consider deploying a solution from a provider with established deep partnerships with organizations like Microsoft, Okta, and Ping. By integrating trusted app access solutions with these Identity-as-a-Service (IDaaS) providers, you bridge the identity gap between cloud-based, SaaS, and mission-critical and custom applications to offer a unified, secure access experience for users.

Federal agencies likewise need to develop strong partnerships to ensure a successful Zero Trust deployment. We invite you to reach out to us for the expertise and solutions you need. Our goal is to help you move to Zero Trust as seamlessly as possible so you can start reaping the benefits for the betterment of your agency.

Bill Church
Chief Technology Officer – F5 US Federal Solutions

(A previous version of this content was published in late 2020. Updated early 2022.)