As federal agencies implement zero trust (ZT) as directed by the White House “Executive Order on Improving the Nation’s Cybersecurity,” there’s growing concern that zero trust architecture and great user experiences can’t coexist.
In fact, several months ago, I tried to set up multi-factor authentication (MFA) for my account with a federal service. I filled out a form, input my government ID information, and waited for a confirmation code that never came. After 45 minutes, I started over again without success. Then, the system told me to call a number to set it up manually.
In contrast, setting up MFA with my bank account takes less than 45 seconds.
Can zero trust architecture actually improve user experiences?
Across the public and private sectors, experts agree that the essential concepts behind ZT—trust nothing, verify everything, and enforce least privilege—could lay the foundation of a lasting, formidable defense against cyber adversaries.
But the zero trust security model impacts a wide range of public-facing systems, as well as those upon which approximately nine million federal government employees depend to support their missions and day-to-day tasks. So, we can’t treat the experiences of users, both customers/citizens and agency employees, as an afterthought. Agencies need to incorporate user experience into ZT from the very beginning.
My fellow government and industry participants and I explored this and other ideas in a recent Advanced Technology Academic Research Center (ATARC) panel session, “Capturing the Positive, User Centric, Zero Trust Unicorn.” For too many years, the industry primarily focused on protecting the system without enough regard for users. If they got frustrated by jumping through a series of virtual hoops to authenticate themselves, their frustration was of secondary concern (if it was of any concern at all). Fortifying the system was all that mattered.
In the modern age, however, we must change our thinking. While nearly four of five federal cybersecurity decision-makers feel a “strong” sense of urgency to implement ZT, a notable number struggle to juggle “competing priorities” in pursuing ZT while supporting daily operations.
This means agencies want to implement zero trust architecture, but not at the cost of impeding or otherwise impairing the user experience. Technical hurdles in the form of security steps should not keep customers/citizens from taking advantage of government resources, nor create bottlenecks for federal employees who are just trying to do their jobs.
Best practices for implementing zero trust with users in mind
During our panel, we launched what will be an ongoing discussion about how to implement zero trust while delivering positive user experiences by using the following two best practices:
Keep authentication simple, and even invisible
To keep things simple, the zero trust architecture should make users’ lives easier by validating them through MFA just once. After that, the system should grant users and their devices indefinite access to appropriate resources.
Making authentication “invisible” is even better; advancements in biometrics—answering the “are you really you?” question via fingerprint, facial or iris scan, or voice recognition—promise to get us there some day. What’s more, an emerging technology called behavioral biometrics is taking this concept further. Behavioral biometrics create user authentication profiles based on how users type on a keyboard, swipe a screen, hold a device, and so on. The technology rests on the premise that no two users interact with devices the same way.
With invisible authentication, in most cases, users don’t even realize they’re going through a security process. The process will operate in the background, continuously, but entirely unobtrusively.
To ensure zero trust security is effective without hindering user experiences, agencies need full-stack observability of multicloud infrastructure, applications, real-time transactions, and user experiences. An observability solution can provide insights into user realities in conjunction with the effectiveness of ZT security policies.
Once teams can see what’s happening, then they can measure what’s happening. Do zero trust policies provide appropriate access to desired technology? Do they perform within service level agreements (SLAs)? Are users able to complete their missions? By measuring these key performance indicators, agencies can analyze user experiences to understand how ZT has affected them and what steps to take to improve them.
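As an added illustration of measuring those KPIs (not code from the original post or from Dynatrace), the following Python script walks a constructed MFA enrollment event log, reconstructs each user’s funnel (started, completed, fell back to manual setup, or abandoned), and reports completion rate, median time to complete, and breaches of a hypothetical one-minute SLA. The event names, the JSON line format, and the SLA value are assumptions made for this example.

```python
import json
from datetime import datetime
from statistics import median

# Constructed sample events (not real logs): one MFA enrollment funnel per user.
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:00:00","user":"u1","event":"mfa_enroll_start"}
{"ts":"2024-03-01T09:00:40","user":"u1","event":"mfa_enroll_complete"}
{"ts":"2024-03-01T09:05:00","user":"u2","event":"mfa_enroll_start"}
{"ts":"2024-03-01T09:50:00","user":"u2","event":"mfa_enroll_fallback_phone"}
{"ts":"2024-03-01T10:00:00","user":"u3","event":"mfa_enroll_start"}
{"ts":"2024-03-01T10:01:10","user":"u3","event":"mfa_enroll_complete"}
{"ts":"2024-03-01T10:10:00","user":"u4","event":"mfa_enroll_start"}
"""

SLA_SECONDS = 60  # hypothetical SLA: enrollment should finish within one minute


def parse_events(text):
    """Parse one JSON object per line into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return events


def enrollment_kpis(events, sla_seconds=SLA_SECONDS):
    """Reduce the event stream to per-user outcomes and aggregate KPIs."""
    starts, outcomes = {}, {}
    for e in sorted(events, key=lambda r: r["ts"]):
        u = e["user"]
        if e["event"] == "mfa_enroll_start":
            starts.setdefault(u, e["ts"])  # keep the first start per user
        elif u in starts and u not in outcomes:  # first terminal event wins
            secs = (e["ts"] - starts[u]).total_seconds()
            status = "completed" if e["event"] == "mfa_enroll_complete" else "fallback"
            outcomes[u] = (status, secs)
    for u in starts:  # users who started but never reached a terminal event
        outcomes.setdefault(u, ("abandoned", None))
    done = {u: s for u, (st, s) in outcomes.items() if st == "completed"}
    return {
        "started": len(starts),
        "completed": len(done),
        "fallback": sum(1 for st, _ in outcomes.values() if st == "fallback"),
        "abandoned": sum(1 for st, _ in outcomes.values() if st == "abandoned"),
        "completion_rate": len(done) / len(starts) if starts else 0.0,
        "median_seconds": median(done.values()) if done else None,
        "sla_breach_users": sorted(u for u, s in done.items() if s > sla_seconds),
    }


if __name__ == "__main__":
    print(json.dumps(enrollment_kpis(parse_events(SAMPLE_LOG)), indent=2))
```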
Automatic and intelligent observability for great zero trust user experiences
At Dynatrace, we believe zero trust and great user experiences can coexist. One of my fellow panelists, in fact, identified himself as a “customer enthusiast,” and we perceive ourselves in the same light. We realize today’s customers—and employees—will go somewhere else if they have to navigate a maze of endless security measures at the expense of mission objectives.
So, we strongly feel that security alone isn’t enough. Agencies are accountable not only as government cyber defenders, but also to deliver services to customers/citizens and internal employees. By combining automatic and intelligent observability with AI-driven insights into digital experiences, agencies can create user experiences that are both seamless and protected. As a result, agencies can greatly enrich federal IT systems as a whole.
To learn more about how Dynatrace helps government agencies achieve zero trust and great user experiences, check out our whitepaper, Implementing zero trust for federal agencies.