Implementing Zero Trust Security in the Public Sector

Modernizing security to zero trust requires a deliberate strategy and initial actions around five key pillars.

Public sector technology leaders: Use this toolkit to accelerate your move toward a modern zero trust security approach.

Demystifying zero trust is the first step to modernizing network security

Public sector IT leaders are under increasing pressure to evolve security networks to the zero trust approach (“never trust; always verify”), and are bombarded with zero trust hype, especially from vendors.

Use this toolkit to access:

  1. A zero trust playbook that helps you:

    • Adopt best practices
    • Set a strategic timeline
    • Take fast-start actions
    • Assess your readiness
  2. A range of other resources to build your broader cybersecurity strategy

Commercial enterprises may prefer: 7 Effective Steps for Implementing Zero Trust Network Access

Mapping the public sector journey to zero trust security

Public sector IT leaders face unique challenges in implementing zero trust security, but working through the why, what, where and how helps you set priorities.

Zero trust is fast becoming best practice for cybersecurity

Zero trust, first coined by academia in the 1990s, is increasingly viewed as a mainstay of modern security strategies, taking over from traditional “castle-and-moat" network security models in which no one outside the network can access data on the inside, but everyone inside the network can.

Commercial enterprises across the globe are fast moving toward zero trust, but public sector agencies are also being pushed to adopt zero trust cybersecurity principles and adjust their network architectures in a bid to improve national cybersecurity.

For example, the U.S. Cybersecurity & Infrastructure Security Agency’s Zero Trust Maturity Model advocates zero trust for benefits such as:

  • Productivity

  • Enhanced end-user experiences

  • Reduced IT costs

  • Flexible access

  • Bolstered security

But it also acknowledges the challenges, including the following:

  • Existing infrastructures built on implicit trust will require investment to update systems.
  • Modern cybersecurity practices require agencywide buy-in for common architecture and governance policies.
  • Some federal agencies are better positioned than others to make these advancements.
  • New solutions and ideas about how to best achieve zero trust objectives.

Understanding zero trust vs. legacy security principles

Transitioning to zero trust ultimately requires an evolution in your approach to identity management, devices, applications, data, network and other components of the security ecosystem. Step 1 is a mindset shift in the key principles of security.

Comparing Legacy Security and Zero Trust Principles

  • Trust: Legacy/“castle-and-moat” assumes trust. Zero trust makes authorization explicit.
  • Defense focus: Legacy defends the network perimeter. Zero trust defends data and some defined perimeters.
  • Architecture: Legacy security posture is architected from the outside-in. Zero trust architecture is designed from the inside-out.
  • Access decisions: Legacy decisions are static and binary. Zero trust decisions are real-time, multifactorial, contextual, session-based, attribute-based and risk-based.
  • Scope: Legacy defaults to protecting “everything.” Zero trust focuses on protecting critical data, assets, applications and services (DAAS).
  • Data: In legacy, data is important but (mostly) secondary to network perimeter and device patching. In zero trust, data is a primary cornerstone (the chief data [& analytics] officer is a critical stakeholder).
  • IAM: Legacy identity and access management (IAM) is functional but basic. Zero trust uses advanced IAM, including privileged access management.
  • Operations: Legacy/castle-and-moat tends to be manual and reactive. Zero trust emphasizes automation and proactivity.

Implementing zero trust strategy requires action in 5 key areas

Gartner research shows that over 60% of organizations will embrace zero trust as a starting place for security by 2025. More than half will fail to realize the benefits.

Ensuring success starts with developing a clear action plan and a set of formal principles to address five key elements of the security ecosystem:

  1. Users. Perhaps the most important function that a zero trust architecture must perform is ensuring the proper level of authentication of a user or entity who is requesting access. Different requests will frequently require a different level of access and corresponding checks to access different levels of functionality.

    Applications also have different levels of sensitivity. The asserted identity should provide a level of assurance that is commensurate with the sensitivity of the application to which access is being requested.

  2. Devices. The more information that is known about the device being used for access, the better you can manage risk. Is it a managed device? Has it been observed accessing applications previously? Is the current user typical for this device? Is the device jailbroken? Does it meet basic hygiene requirements? 

    The answers to these questions are fed into the policy engine to make a decision about access. Nonmanaged devices may be permitted by policy to access some applications but prevented from accessing other applications.

  3. Applications and workloads. Zero trust architecture must securely connect users to applications. By definition, you must know which applications users are trying to access.

    Key questions to ask: How many applications exist in your organization? Do you have an application catalog? If you do not, Gartner recommends building one that contains information such as the application’s owner and business owners, its data sensitivity, criticality and network protocol.

  4. Data. Zero trust is not a replacement for a data governance program. Gartner argues that data characteristics need to be input into determining user entitlements. Tagging and classifying data will allow for the protection of sensitive data through granular access control policies (i.e., “know your data”).

  5. Network/environment. Segmentation is key to an effective zero trust architecture. Macrosegmentation is commonly enforced with network firewalls and their cloud virtual networking equivalents (VNets and VPCs).

    Implement microsegmentation within data centers and as appropriate across the enterprise (where the business value of protecting an application should be greater than the administrative cost of management).
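
The policy engine described under the five pillars can be sketched as a small decision function. This is an added illustration, not Gartner's or any agency's code; the assurance scale, the segment policy, the attribute names and the sample requests are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed assurance ordering (users pillar): the level a user presented is
# compared with the level the application requires on this scale.
ASSURANCE = {"password": 1, "mfa": 2, "phishing_resistant_mfa": 3}

# Constructed macrosegmentation policy (network pillar): which source segments
# may reach applications of a given sensitivity. Nothing is allowed by default.
SEGMENT_POLICY = {
    "low": {"campus", "remote", "guest"},
    "high": {"campus", "remote"},
}

@dataclass(frozen=True)
class Request:
    user_assurance: str       # users: how the identity was asserted
    device_managed: bool      # devices: enrolled in management?
    device_compliant: bool    # devices: hygiene checks pass, not jailbroken
    app_sensitivity: str      # applications: "low" or "high" (from the catalog)
    data_classification: str  # data: "public", "internal" or "sensitive"
    source_segment: str       # network: segment the request originates from

def decide(req: Request, app_required_assurance: str) -> tuple[str, str]:
    """Policy engine: return (decision, reason). Decision is 'deny', 'step_up'
    or 'allow'. Baseline is deny; every check must pass explicitly, and the
    reason string is what you would write to the audit log."""
    if req.user_assurance not in ASSURANCE or app_required_assurance not in ASSURANCE:
        return "deny", "unknown assurance level"   # fail closed on bad input
    handles_sensitive = (req.app_sensitivity == "high"
                         or req.data_classification == "sensitive")
    # Devices pillar: a non-compliant device is denied everywhere; an unmanaged
    # device may reach low-sensitivity applications only.
    if req.device_managed and not req.device_compliant:
        return "deny", "managed device fails hygiene checks"
    if handles_sensitive and not (req.device_managed and req.device_compliant):
        return "deny", "unmanaged or non-compliant device for sensitive access"
    # Network pillar: segmentation bounds reachability, but a permitted segment
    # grants nothing on its own; the remaining checks still apply.
    if req.source_segment not in SEGMENT_POLICY.get(req.app_sensitivity, set()):
        return "deny", f"segment {req.source_segment!r} may not reach this app"
    # Users pillar: assurance must be commensurate with application sensitivity.
    # Insufficient assurance triggers a step-up rather than a hard deny.
    if ASSURANCE[req.user_assurance] < ASSURANCE[app_required_assurance]:
        return "step_up", f"requires {app_required_assurance}"
    return "allow", "all checks passed"
```

The same unmanaged device is allowed into a low-sensitivity application and denied from a high-sensitivity one, which is the behaviour the devices pillar describes.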

Most U.S. public sector (federal, state and local government) departments and agencies should focus on these five pillars. Some will need fewer tasks on fewer pillars over a shorter timeline, while others will expand to more tasks across more pillars over a longer timeline.

The U.S. Department of Defense, for instance, will likely need to address two additional pillars in more detail: 

  • Automation and orchestration

  • Visibility and analytics

Formalize a roadmap for scaling zero trust

Replacing the implicit and static trust models of legacy security architectures with dynamic and explicit trust models obviously takes time.

Zero trust implementations are complex, multiphase programs that require organizational change management, and operations and executive buy-in.

Some benefits of zero trust may be realized along the way, but scaling zero trust to a large, complex organization is a long-term strategy that requires a clear and deliberate roadmap, like the one illustrated here.

9 initiatives for a quick start to your zero trust policies and strategy

To quick-start or jump-start implementation of zero trust principles in your public sector department or agency, focus first on these nine actions.

  1. Make sure your zero trust policies are in place (see “5 Zero Trust Pillars”). They serve as guiding principles for tasks/activities, milestones and suspenses.

  2. Complete a comprehensive gap analysis. Assess your current state and the tasks/activities required to transition your organization to your target zero trust state.

  3. Assess your zero trust architecture design. Address shortfalls surfaced in the gap analysis (in products, services, configuration, architecture, policy, etc.).

  4. Define the surfaces zero trust will protect and the related access policies. Clearly communicate what you are protecting and why, the criteria/policy for full versus partial access, etc.

  5. Create your zero trust strategic plan. Prioritize the initiatives in your multiyear action plan.

  6. Develop your roadmap. Prioritize and sequence zero trust activities for the current execution year, and set objectives and key results for ensuing 90-day sprints/increments.

  7. Identify and engage with your internal stakeholders. Key participants in any zero trust journey include the CTO, CISO, CDAO, security operations center and IT workforce.

  8. Identify and engage external stakeholders affected by the modernization to zero trust. Manage their expectations and strengthen your strategic communications with them.

  9. Train and upskill your IT workforce on zero trust principles, design and policies.

Existing Gartner clients can access these zero trust resources in full

Current Gartner clients: Access these zero trust resources in full (depending on your subscriptions) by logging in.

Video: Why Zero Trust Can Help, and How to Get Started

This quick video offers a simple talk track you can use to explain the zero trust architecture journey to both technical and nontechnical stakeholders.

2023 Strategic Roadmap for Zero Trust Security Program Implementation

Zero trust security architectures replace the implicit and static trust models of legacy security architectures with dynamic and explicit trust models. Security and risk management leaders must establish a clear roadmap for a zero trust program to optimize their organization’s risk posture.

How to Build a Zero Trust Architecture

This document instructs security and risk management technical professionals how to build and deploy a zero trust architecture. It disambiguates this popular term and provides practical architectural insights.

Infographic: 4 Essential Stages on the Journey to Zero Trust

Zero trust architecture is deployed to provide secure access to applications. The industry has complicated this process and even complicated what zero trust entails. This infographic helps CISOs to visualize the basic stages required for a zero trust architecture.

Market Guide for Zero Trust Network Access

Zero trust network access (ZTNA) solutions are rapidly replacing remote access VPNs for application access. This Market Guide, which includes a list of representative vendors and their products, will help security and risk management leaders evaluate ZTNA offerings as part of a security service edge (SSE) strategy.

7 Effective Steps for Implementing Zero Trust Network Access

ZTNA is now typically deployed to replace remote-access VPN, but overly complex policies are inhibiting adoption. Security and risk management leaders must adopt a continuous life cycle approach to remote-access management in order to achieve success.

Quick Answer: Explaining Zero Trust Security Approaches to Tech Executives

Successful zero trust initiatives require executive support and funding to be fully effective. Security and risk management leaders must educate technology executives from other departments to allow them to fully embrace the real benefits and challenges of zero trust security.

Quick Answer: What Are Practical Projects for Implementing Zero Trust?

Zero trust is confusing when used without context, and the term is often abused in vendor marketing to imply improved security. Security and risk management leaders pursuing a zero trust strategy must focus on key projects to demonstrate value quickly by targeting their highest risks.

Zero trust security frequently asked questions

Zero trust is a holistic cybersecurity posture (or paradigm) in which the foundational tenet is that users are not implicitly trusted just because they are inside the network.

Instead, trust is explicit and granted adaptively, based on user, device, resource and data attributes and behavioral analytics.

Zero trust also focuses on data protection and restricts unauthorized lateral movement to guard against unauthorized data exfiltration.

People tend to define zero trust differently for three main reasons:

  1. Federal guidance can vary by agency.

  2. Policies and guidance evolve over time — with subsequent versions refining and expanding on earlier versions rather than contradicting them.

  3. Vendors may define zero trust principles to align with specifics of how their product portfolios can serve the segment, rather than providing comprehensive definitions.

A zero trust architecture is one that implements the principles/tenets of zero trust, including:

  • Trust is never granted implicitly.

  • Baseline posture is to deny by default. Then access is granted using the “least privilege” model.

  • Focus is on protecting data and resources and restricting unauthorized lateral movement — requiring microperimeters around data/resources.

  • Access-control decisions are granular and tailored, and incorporate multiple factors assessed in real-time (beyond just identity).

ZTNA provides controlled identity- and context-aware access to resources — shifting away from monolithic enterprise perimeters designed to protect everything all at once to microperimeters around individual resources and associated (collections of) data.

In shifting the focus from “attack surfaces” to “protect surfaces,” ZTNA tailors “fit for purpose” access control policies around the mission criticality of the resources and the sensitivity of the data.

Zero trust is a cybersecurity architectural philosophy, not an appliance, product or license. The foundation for a zero trust architecture often consists of capabilities and services you already have.

As the vendor marketplace for zero trust matures, products will evolve with strategic partnerships and product convergence and integration.

For now, take a multivendor “best-of-breed” approach — with the architect and operator having to integrate those capabilities.