Accelerating Government’s Zero Trust Journey

In May, the White House issued an Executive Order aiming to improve the nation’s cybersecurity defenses and requiring US Federal agencies to develop plans to implement Zero Trust architectures in alignment with National Institute of Standards and Technology National Institute of Standards and Technology (NIST) guidance. This Executive Order also calls on agencies to accelerate cloud adoption, with a preference for cloud capabilities that implement or advance the adoption of Zero Trust. 

Zero Trust moves front and center 

The White House guidance is timely and necessary given the surge of ransomware and other cyber attacks over the past year targeting remote workers and VPNs, software supply chains, identity infrastructure and email, and various critical infrastructure sectors. These attacks have raised concerns about cyber-risk across the board, including pervasive IT monocultures that persist, unquestioned, despite their exploitability by attackers. 

This order ties together multiple strands of US cybersecurity best practices and policy that have evolved over the past decade, including stronger identity and access controls, expanded use of encryption and authentication, increased monitoring and visibility, and prioritizing high-value IT assets. Yet the urgent challenge of cybersecurity requires more than simply adding to the existing proliferation of cyber tools or ratcheting up traditional measures around hygiene and compliance. The Administration’s focus on Zero Trust marks a critical shift to prioritizing architectures in which the strategic coordination of layered cyber defenses drives improved cyber outcomes.  

In many ways then, the demand for accelerating the adoption of Zero Trust in federal IT is not a new requirement, as departments and agencies are already implementing many of the core technical components that can contribute to achieving the goals laid out in the executive order.  

What is new, however, is the fact that Zero Trust, when done right, is primarily an outcomes-oriented approach to security. Successfully implementing Zero Trust can drive down cyber risk, transform the daily security experience of users, reduce management complexity and toil for IT managers, and improve the overall productivity of the workforce. 

Outcomes, not just technology 

Successfully implementing Zero Trust is not about the individual technology components and inputs themselves.  Instead, what matters most is how security components are integrated and orchestrated to achieve and enforce a simple set of core principles: 

Connecting from a particular network must not determine which services you can access

Access to services and data is granted based on what we know about you and your device

All access to services must be authenticated, authorized and encrypted.  

Using this set of principles as our north star, Google began our Zero Trust journey, with BeyondCorp, over a decade ago, under similar circumstances to those driving federal cybersecurity policy now. Google had been targeted by nation-state cyber attacks (Operation Aurora), and in the aftermath, we recognized that providing remote access with VPNs was not sustainable or efficient for business performance, especially at a time when Google’s global workforce was growing rapidly. Something had to change.

To improve our security posture and user experience, we had to reimagine our infrastructure and production networks. This ultimately drove innovations in how we protect our supply chains and resulted in a complete rethinking of the scale, analytics and visibility needed to fully modernize and transform enterprise security. The journey forced us to consolidate redundant systems, understand usage patterns better, and transform how people experience security day to day.

A shift in technology and a change in mindset

When we developed BeyondCorp, we had to reimagine our infrastructure and production networks in order to affect a better security posture and user experience. This ultimately drove innovations in how we protect our supply chains and resulted in a complete rethinking of the scale, analytics and visibility needed to fully modernize and transform enterprise security. 

Moving to a Zero Trust approach drastically changed how Google’s end users did business and reduced the toil on both individual users and IT professionals to do their part to secure the enterprise, further fostering  the innovation, architectures, operational integrations and best practices we see today. Now, the layered defenses and invisible security our users experience have been incorporated into Google’s secure cloud offerings, so our customers can experience the same benefits and provide their users with a secure and productive work environment. 

Leadership for a cross-team journey

Of course, change isn’t trivial, especially in government. A shift in behavior, user experience, collaboration, tools and infrastructure requires planning, change management, and executive support.  To make the Zero Trust journey a success, organizations need the long-term focus and vision of leadership to drive meaningful change. For traditional security and technology leaders, accelerating the journey to Zero Trust will require them to think less tactically and and act more strategically, in order to focus more on outcomes and less on inputs, and to integrate, harmonize, orchestrate and automate what were previously standalone IT and security efforts.  For non-technology leaders, their engagement and leadership is essential – and much more likely – given the visible benefits to collaboration, culture, and the business from what could otherwise be seen as a technology-centric initiative.      

Done right, Zero Trust brings a sea change from how most people experience security.  The crossroads of the Zero Trust journey present organizations with two clear choices: stick with an old and not-so-secure security model that’s clunky and burdensome, or adopt a new model that’s more intuitive, easy, and secure.  

Jump start your own journey

Today, the same opportunity exists to transform government security, operations, and organizational models by implementing Zero Trust. By sharing lessons learned from Google’s BeyondCorp journey and building core security capabilities into many of our cloud products, our goal is to help government agencies  accelerate their own Zero Trust journey, transforming the security posture of their highest value and most-critical applications and data.  

To learn more, watch our on-demand sessions from the Google Cloud Government Security Summit,

About the authors

Dan Prieto previously served in the White House as Director for Cybersecurity Policy on the staff of the National Security Council.  He also served as CTO and Director of the Defense Industrial Base Cybersecurity Program in the Office of the Department of Defense CIO.

Max Saltonstall tells stories about Google Cloud, how we use similar Cloudy tools inside Google, and what diverse solutions Cloud’s many customers have created. At Google he’s worked within DoubleClick, Corporate Engineering, Staffing and the Cloud CTO Office.