04 Nov 2021

For UK Government Agencies, Reducing Trust Levels Can Be A Good Thing

Guest Blog: Dan Lattimer, Director, EMEA Government at CyberArk as part of techUK's Digital Identity Week #digitalidweek

In the public sector, just as in fashion, consumer technology, politics, and many other things that affect us and how we live, sometimes it takes a significant event – often more than one – to effect real change.

In the UK, cyber security in the public sector has been a front-page issue for some years now. Just as for other world powers, UK PLC has had to face near-constant attacks aimed at compromising our infrastructure, stealing our secrets, or promoting misinformation. Nation states are often cited as the source of many of these attacks but, in many ways, it doesn’t really matter who is behind them; what’s important is what we have in place to contain such attacks and limit their potential for damage.

Public policy in the UK, just as for other Western nations, often takes a steer from the United States in certain areas, especially as regards technology adoption and standards. Just as in the UK, the US has suffered from serious cyber attacks for some time now, with real world implications, and this recently culminated in a moment of action. On 12th May this year, the Biden administration issued a highly anticipated executive order aimed specifically at strengthening the country’s cybersecurity defenses, with strong emphasis on Zero Trust.

According to a White House statement, “This executive order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur.”

Zero Trust is a model that first came to light in 2010, designed by John Kindervag of industry analyst Forrester. Its central premise is that organisations should not automatically trust anything inside or outside their perimeters. Rather, they should verify anything and everything trying to connect to their systems before granting access. If there were a maxim to describe the basic tenet of Zero Trust, it would be “trust no-one”.

Why has this model gained such prominence in the US this year? The increasing seriousness of attacks is one reason. But another is to do with the accelerated efforts organisations – public or private sector – are putting into adopting digital services. One example of many is the Pentagon’s $10 billion JEDI Contract, which gives Microsoft the right to provide enterprise-level Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) to the Department of Defense.

Similar projects are underway in the UK, from reforming the welfare system to modernising our courts and improving citizen services. These modernisation initiatives are great for efficiency and can offer citizens new services. But, by their very nature – more interconnectedness, more data online – these projects also increase the attack surface.

Effective adoption of Zero Trust principles would mean the UK public sector taking steps to de-risk this accelerated adoption of digital services, giving the ability to contain the thousands of breaches suffered by government agencies in 2019 and 2020.

Specifically, Zero Trust gives us a way to limit the damage of a data breach through continuous validation of each request for access, monitoring the users’ activity, segmenting critical tasks across privileged users, and enforcing session termination when a privileged user attempts uncommon and risky tasks.

Privileged access is a critical aspect to secure. If we think about the two access pathways into an organization, there are standard users who generally have low-level access to the systems they need to do their jobs – usually limited to the application layer. Then there’s the privileged user who often has unfettered access to the application layer, sensitive data, and the mission critical Tier 0 assets.

Non-human accounts and bots play a huge part in modernized infrastructure as well. Zero Trust allows for this, extending the requirement of trust and verification from human users to non-human users. This includes applications interacting with operating systems via service accounts and business (and robotic) automation processes where software bots are connecting, storing, and accessing sensitive data and applications.

Privileged Access Management (PAM) solutions support applying Zero Trust principles to human and non-human privileged users, mitigating credential theft by isolating and vaulting passwords from users and systems, and aligning with Zero Trust strategies by integrating with multi-factor authentication solutions for continuous validation. The NCSC has valuable strategic content for government agencies looking to bolster their defences by adopting and architecting Zero Trust principles, and here also is a simple five-step alignment plan.

How to Align to Zero Trust

  1. Implement a risk-based approach to security
  2. Implement continuous multi-step authentication and security to Tier 0 assets
  3. Secure core privileges on endpoints and endpoint devices
  4. Secure and monitor the privileged pathway
  5. Implement attribute-based granular access controls

 

Learn more: https://www.cyberark.com/solutions/zero-trust/

 
