Building the Zero Trust Plane While Flying It
Forrester Analyst Chase Cunningham, the author of the article "Get Your Federal Team In Sync With Zero Trust," is correct. The government has led the way on previous cybersecurity trends. In contrast, industry is leading the way on zero trust, and the government has to figure out how to fly the plane while building it. Typically, that is not an easy proposition.
The image associated with this article depicts just how the once forward-leaning government has become a bit of a laggard in its race toward modernization and the cloud. The pictured technology is all but gone in the commercial world, but remains predominant in some federal agencies. It's acting as an anchor in the move towards IT modernization.
Employees and contractors can still be seen toting lanyards and keychains full of old authenticators. Meanwhile, it's known that these "approved" legacy solutions are costly, don't support the cloud and never will. Yet with IT modernization and other government megatrends, the government is supposed to be moving quickly to the cloud, with solutions that enable the move while increasing security and improving the user experience?
Duo does just that. In fact, after hearing about the requirements of what constitutes IT modernization, we read like a customer story. We check all the boxes: improve security, reduce costs, improve user experience, etc. In fact, we have developed a fed-specific "IT modernization calculator" that will calculate the cost reductions associated with replacing legacy solutions with Duo. But I digress, as salespeople are prone to do. :)
Meanwhile, in other agencies, there are "gaps" where PIV is not viable, for whatever reason. Consequently, modern MFA solutions like Duo can replace legacy solutions and fill gaps while building the bridge to zero trust. Fly and build.
While there are admittedly several factors in the transition to zero trust, one of the first should be starting with a form of MFA that can bridge agencies from the current operating environment (of PIV) to one that is equally strong (FIPS 140-2 Level 3), while also providing a framework for the future state of identity and access. Too many interpret this as a rip-and-replace proposition. That's not the case at all.
Anyway, the author is also correct that the marketing hype around zero trust is peaking, and it's hard to distinguish who does what and how to get there. Where do you start? At the beginning, of course, with a form of modern MFA that gets you to the cloud and IT modernization. Hence, we are looking to further distinguish our message from much of the white noise. To that end, in the coming weeks we will be starting a "Zero Trust for Government" LinkedIn group with some of the industry and former government thinkers who can hopefully help government customers on this journey.