Zero Trust Adoption in Government: Challenges and Strategies
Manuel Acosta of Gartner on Strategically Applying the 7 Pillars of Zero Trust
As the concept of zero trust gains traction, government agencies are recognizing that the seven pillars of zero trust, as outlined by U.S. federal agencies such as CISA and the Department of Defense, should be strategically applied across various elements, including data, network security and identity management, said Manuel Acosta, senior director and security analyst at Gartner.
But zero trust adoption is not without its hurdles. Many organizations will have to adopt new multifactor authentication and identity management tools since both are crucial components of the zero trust strategy, Acosta said.
As the zero trust journey progresses, organizations should then focus on data security, including technologies that identify, classify and tag data. This is pivotal as organizations are increasingly aware that comprehensive security entails addressing gaps in identity management and data handling. Moreover, the challenge of applying zero trust principles to air-gapped systems underscores the need for risk assessment and mitigation tailored to specific technology limitations.
"There's a lot of recognition that zero trust is easier said than done. It's a journey that encompasses a number of technologies, not just what the federal government knows as pillars - whether CISA has published or DOD, the seven pillars are there," he said. "Organizations now within the government spaces have recognized that those pillars are best to be used from a strategic perspective."
In this video interview with Information Security Media Group at Black Hat USA 2023, Acosta also discussed:
- The convergence of cloud and application security;
- Technologies federal agencies are adopting to continue on their zero trust journey;
- The integration of zero trust principles into air-gapped systems.
Acosta has extensive experience leading organizations to build their information security programs. His expertise lies in developing, assessing and managing information security program components to include strategic planning, governance program development, policy development and management, and risk management program implementation.