Access Control Plays Key Role
in NSA’s New Zero Trust Guidelines

By Michael Oldham

Last month, the National Security Agency released guidelines for government agencies looking to embrace a Zero Trust security model for their critical networks. Here is the critical role the NSA says Access Control can play in its latest guidance for Zero Trust:

“With the pervasive need for Zero Trust concepts to be applied throughout the environment, scalability of the capabilities is essential. Access control decisions that may have only occurred once for each access previously will now be performed continuously as access to the resource is used, requiring a robust infrastructure for making, enforcing, and then logging these access decisions.”

The NSA guidelines state that to address today’s dynamic threats, government agencies should:

  • Implement coordinated and aggressive system monitoring, system management, and defensive operations capabilities.
  • Assume all requests for critical resources and all network traffic may be malicious.
  • Assume all devices and infrastructure may be compromised.
  • Accept that all access approvals to critical resources incur risk.
  • Be prepared to perform rapid damage assessment, control, and recovery operations.
  • Embrace Zero Trust guiding principles.

In fact, the  operational capabilities the NSA recommends aligns well with what we already offer through Total Access Control (TAC), our Zero Trust Access solution. For instance, TAC:

  • Treats every user, device, application/workload, and data flow as untrusted.
  • Authenticates and explicitly authorizes each user to the least privilege required using dynamic security policies that are applied across all environments (LAN, WAN, endpoint, perimeter, mobile, etc.).
  • Offers strong multi-factor authentication to make use of stolen credentials more difficult.
  • Provides protection even if adversaries already have a presence within the infrastructure.
  • Denies access by default and heavily scrutinizes all users, devices, data flows, and requests for access.
  • Logs, inspects, and continuously monitors all configuration changes, resource accesses, and network traffic for suspicious activity.
  • Provides full visibility of all access activity in one central location. Comprehensive reporting shows you – in one place – who got access to which resources across the entire enterprise, local and cloud.
  • Explicitly verifies access to all resources in a consistent and secure manner using multiple dynamic and static attributes that determine the user’s Context of Access to make well-informed decisions as to who gets access, where, and to what resources.

In its guidelines, the NSA describes two related, but distinctly different, ways in which government agencies can achieve Zero Trust – data-centric and access-focused. Let’s examine both in depth.

The Data Dilemma

Resource-strapped government agencies – like your counterparts in the civilian sector – will find it challenging to implement a data-centric approach. The focus here is on locking down the data itself, rather than worrying about your applications or access control. After all, if you protect your data, you’re protecting the most valuable assets of your organization.

On the surface, that sounds like a good approach, but it can take your organization a long time to catalogue everything within its infrastructure – something you must do first to fully understand where all your data resides, local and cloud.

Then it gets more dicey: You must implement a data-centric Zero Trust strategy on the move. It’s like changing tires on a semi zooming down the highway at 70 miles per hour. This chaotic process can take your agency years to implement. While you are focused on getting a grip to steer all that data to safer ground, you remain vulnerable.

Why? Because many data-centric Zero Trust solutions lose focus on controlling access — which is exactly how hackers get into your infrastructure. Some data-centric Zero Trust vendors even say it doesn’t matter if a hacker gets inside, because all the data is locked down. But that’s not completely accurate.

If you’re not controlling access, you risk everything. Even if all your data is protected (which is very hard to accomplish in practice), hackers inside your infrastructure can still cause significant damage without directly accessing your data.

The biggest challenge is that protecting all that data requires a whole new layer of infrastructure that you must implement for both local and cloud environments – and it’s quite a heavy lift for your resource-strapped team just to catalogue the data resources alone. Put it all together, and it becomes a monster rollout that few agencies today have the resources to accomplish effectively.

If all you focus on is the data, you also leave several vulnerabilities wide open across your attack surface. VPNs, MDM products, Exchange Servers, RDP, Cloud resources, Virtual Desktops and more – these all comprise a tempting attack surface, one you must patch and protect at all times. Trying to keep up quickly becomes more than you can manage effectively. There are just too many open ports and too many ways to access data for you to defend.

Also, keep in mind that the more security solutions there are controlling access to your organization, the higher your risk. Each solution is yet another attack vector you must constantly manage and patch. Your team must stay up to date on all emerging threats and solutions to keep your infrastructure as secure as possible.

Once inside the typical environment, hackers can quickly move laterally across your infrastructure to penetrate other resources and applications, thus compromising your data integrity – both on-premise and in the cloud. We saw this clearly in the recent SolarWinds attack. Hackers can stay in stealth mode for months or even years, continuing to pilfer your data, information, usernames and passwords to leverage for later attacks. Or they can immediately launch costly ransomware attacks and cripple your entire agency.

If it takes years to implement a data-centric approach to Zero Trust, what happens in the interim? Can you truly say you are fully protected? Is that hacker already camping inside your infrastructure still able to wreak havoc, even after you went through implementing the cumbersome, complicated Zero Trust data-centric approach?

The reality is that if you lose focus on access control, even with a data-centric approach you are still at risk.

Speed to Zero (Trust)

Data-focused Zero Trust solutions usually require a complex, hard-to-deploy, rip-and-replace approach. It can take years to implement — critical time lost, accompanied by escalating costs, all while new threats continue to evolve and attack.

However, with an access-based approach, you rapidly accelerate your speed to Zero Trust. That’s because you don’t have to re-architect your entire network and all your applications, and you don’t have to install an entire new layer of infrastructure just to protect access to your data.

An access-based approach is designed to speed up the process – for instance, Total Access Control (TAC), our Zero Trust Access solution, is implemented very quickly, without changing your existing infrastructure.

This allows you to implement your Zero Trust strategy at your own pace without the need to do a rip-and-replace of your current infrastructure. TAC is also scalable across your agency: along the way you can consolidate your legacy security solutions into TAC to generate even more time and cost savings.

End users and administrators find this access-based approach to Zero Trust makes their lives easier as well. For instance, in today’s hybrid world, TAC unifies access control over all your corporate data, resources and applications, wherever they may be – local or cloud.  It also allows you to define your own robust security policies for each resource and provides a centralized view over all access across your organization.

TAC enables you to close all the open ports that tempt hackers so much by removing them completely from your firewalls. Remote access solutions – like VPNs, RDP, Citrix and others – no longer require ports open to the outside of your infrastructure to provide access when using TAC. That’s a critical security consideration with the rapid rise in remote workers in today’s work-from-home world.

With its Zero Trust access-centric approach, TAC protects all your methods of access in one place, with stronger security policies and evaluation of not only user credentials, but their context of access as well. You will know who is requesting access, from where, the type of device the user has, and the security status of that device – along with many other factors you can incorporate that reveal the user’s true current disposition.

That context of access is then applied against your own security policies, specific to each application, to determine what resources are available to each user at that moment in time. And this all takes place seamlessly at TAC before the end user even touches your network.

TAC also provides critical segmentation of your most valuable assets. Instead of getting access to the entire network like many agencies allow today, users are only given access to the explicit resources they are authenticated need to do their jobs, such as applications. They are effectively captive within those named resources, so even if hackers were to compromise user credentials, they would also be captive inside only that application. This neutralizes their ability to attack other resources within your environment.

Put it all together, and TAC’s access-centric approach to Zero Trust offers a much faster route to a significantly more advanced security posture, while also making life easier for your end users and administrators alike.

Enabling the Enterprise

Last, but most important, is the overall impact an access-focused approach to Zero Trust has on innovation across your enterprise. TAC can help your organization to rapidly drive digital transformation – as shown most recently when government agencies used TAC to enable secure mobility during the pandemic with the mass global exodus of workers from offices to work from home.

An access-based approach to Zero Trust like TAC propels innovation at great speeds across your enterprise, allowing you, your IT team and your agency employees to do more creative things, more securely, more effectively and more efficiently, than ever before.

That’s where the real power of Zero Trust Access changes the game for your government agency.

If you would like to learn more about how Total Access Control can accelerate your government agency’s speed to Zero Trust, contact us at and be sure to check out our website.