Zero Trust in the Public Sector

Lisa Carroll

Thanks to the recent pandemic, our dependence on everything digital has grown exponentially, triggering global digital transformation that will only continue to evolve as we continue to innovate.

When the pandemic forced almost all public sector employees to move to remote work, literally overnight, migration to the cloud became even more critical to day-to day operations. The undisputed benefits for public sector organizations like scalability, speed, flexibility, and cost saving helped them to meet the urgent need for digital citizen services and support a hybrid work model for a workforce that traditionally worked “in office.”

The cloud is vital to building a resilient and robust public sector operation that meet the constantly evolving needs of an increasingly more digital population. But we can’t build modern digital infrastructure without a secure foundation.

With significantly more endpoints to monitor, more systems to manage, more protocols to implement and more people accessing systems from remote locations come more cybersecurity challenges.

Protecting government and citizen data requires a proactive approach to cybersecurity that uses modern tools like AI and machine learning to adapt to the complexity of the digital environment, embraces the hybrid workplace and protects people, devices, apps and data wherever they’re located. It is also important that public sector organizations deploy a  Zero Trust cybersecurity model in order to secure these new endpoints that are necessary for serving citizens who increasingly expect 24/7 access.

Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized and encrypted before granting access. With this model, every user, device, service that is given access is considered a risk, even if it is a known and approved device or user.

Zero Trust is built on three core principles:

• Verify explicitly – Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification and anomalies.
• Use least privileged access – Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive polices, and data protection to help secure both data and productivity.
• Assume breach – Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

The Zero Trust model will play an even more important role in the future of work as hybrid work continues to evolve, requiring more devices and flexibility. As such, a Zero Trust strategy will be top of mind for government organizations because its principles maintain security amid the IT, regulatory and compliance complexities that come with hybrid work in the public sector.

As we look at future proofing our public sector post-pandemic, adopting the Zero Trust will support a growing digital economy where citizens can thrive.

At Microsoft, we understand that the public sector must often navigate additional layers of complexity to drive innovation, especially when it comes to security, compliance and implementation.

Our goal is to empower government organizations at all levels with the tools to work through the initial challenges that come with deploying new technology to help sustain Canada’s momentum as we continue to recover from the pandemic.

For more information about how Microsoft partners with the public sector, visit Microsoft in public sector