From GCN:

The third step is to establish a common zero trust reference architecture with identity, devices, networks, applications and workloads as well as data in mind.

In fact, “most states and most municipalities have elements of zero trust already in place,” said Brandon Pugh, senior fellow and policy counsel for cybersecurity and emerging threats at the R Street Institute, a public policy research organization. “They may not realize that, or they may not have it as part of a broader framework, but they have elements. So, for instance, multifactor authentication. That’s often seen as one element of zero trust. A fair amount of jurisdictions have that already.”

But lacking the clear guidance federal agencies have via the Defense Department, Cybersecurity and Infrastructure Security Agency, and National Institute of Standards and Technology, many state and local agencies struggle with what exactly zero trust means, he added. “I think that’s where there’s a burden on the federal government as well as the state government to try to make this as simple as possible and give recommended steps,” Pugh said. “It’s important to remember that zero trust is not a product, and there’s not one rigid framework that you have to follow. It should vary based on the entity.”
