Cyber hackers have widely adopted a simple but effective method of gaining access to targets’ data. They use phishing to harvest credentials, then sign on as trusted users.
That’s where a zero trust strategy comes in. By establishing a zero trust architecture, federal agencies can make it so that sign-on credentials are only part of what users need to gain access to applications and data.
“To have zero trust everywhere, make it so that just by the access of getting on the network or getting in from a credential perspective doesn’t give you access to everything,” said Jose Padin, vice president of solutions consulting for U.S. public sector at Zscaler.
Granting access only to what’s needed, when it’s needed
“In 2025 we have multiple zero trust frameworks that are out there, but they’re all relatively the same,” Padin said during Federal News Network’s Accelerate Together: Zero Trust 2025. “It’s about making sure that people access the resources that they need at the point in time that they need them — when they’re authorized to get access to them.”
To do that, agencies need to construct boundaries that prevent lateral movement throughout their network, Padin said.
“Why would you want someone to have unfettered access?” he said. “That was the way that we did things in the ’90s. We had a user that came on. They went to a physical location. They got access to a resource that’s on that network.”
It was appropriate for the technology of the time. “The lens of security was through the lens of network access,” he said.
Today, agency infrastructures encompass both on-premises data centers and commercial cloud environments. Simply by virtue of logging on with a valid credential, no one should be granted access to everything, Padin said.
Zscaler’s approach is to change the architecture by which agencies typically route traffic. In a typical scenario, agencies use virtual private networks (VPNs) then “hairpin” traffic back to a trusted internet connection (TIC) infrastructure hosted on government premises, and from there go out to the internet.
“That logically doesn’t make a lot of sense,” Padin said. “And from a security perspective, if the person’s going to the internet, why are we forcing them back on prem to a physical location?”
Applying a different lens for vetting access
By contrast, Zscaler adopts a more upfront vetting approach, he said. “If you’re going to the internet, secure that traffic en route to the internet.”
Such traffic passes through the Zscaler platform, where “we’ll inspect it. We’ll run our [scans] against it,” Padin said. “All of the things that you would get in big, expensive on-prem security infrastructure, you get in the cloud.”
Rather than looking through the lens of network access, Zscaler focuses on securing applications and data. “We think of it through the lens of transformation and evolution,” Padin said.
That takes the form of the company’s three-part Zero Trust Exchange, which enforces policies, adds threat detection and data protection, and performs identity verification.
“Removing attack surface and allowing only authenticated access to even know where the crown jewels are located is a huge increase in your security posture,” Padin said.
By inserting the Zero Trust Exchange, Zscaler turns off inbound network connections until users are verified. He said verification extends beyond human users and their devices to Internet of Things and network devices that also make up an organization’s infrastructure.
This implies that authentication is a key ingredient in zero trust.
“The heart of zero trust is authentication,” Padin said. “You need to make sure that users can authenticate and that you can put that in effectively across the agency.”
Thus, in a zero trust environment, “the only thing that’s allowed are authenticated connections through the Zero Trust Exchange to the application and data,” he said. “There’s no network path. It’s only user or workload access at that point.”
Two-step path to zero trust transformation
Padin advised a two-step approach to zero trust transformation.
The first critical step focuses on user access.
“It’s easier to transform that,” Padin said. “It’s simpler to move the users, take their traffic, send it to Zscaler, reduce your attack surface and allow zero trust access.”
The side benefits of this approach include improved performance monitoring of applications and data on user patterns and behaviors, he said.
“Not network performance, but actual application performance,” Padin said. “What is a known good behavior for that user? Is there a delta to that? There’s all kinds of visibility you get into actual application performance when you do that first step.”
The second step consists of applying zero trust principles to workloads.
“It’s not just users that are on these networks, and it’s not just users that are the attack vector,” Padin said. “We want to use zero trust principles for our workloads.”
He explained the difference in this way: “If I’m a user and I’m typing into a browser, that’s user access. If there’s an automated, maybe application processing interface–driven or more of a network protocol–driven access, then that would be what we would call workload.”
Running either type of traffic through the Zscaler platform, he added, yields what he called “zero trust everywhere.”
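As an added illustration (not Zscaler’s code and not part of the article), the following contrasts the network-perimeter rule Padin describes from the ’90s with a per-application, per-principal decision that treats users and workloads differently; every name, field and entitlement is constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Principal:
    name: str
    kind: str                     # "user" or "workload" (hypothetical split mirroring the article)
    authenticated: bool           # credential accepted by the identity provider
    mfa: bool = False             # second factor completed (users only)
    device_healthy: bool = False  # endpoint posture check passed (users only)
    on_network: bool = False      # reachable network position (used by the legacy model only)

# Constructed per-application entitlements: app -> principals allowed to reach it
ENTITLEMENTS = {
    "payroll": {"alice"},
    "inventory-api": {"alice", "batch-job-7"},
}

def legacy_decide(p: Principal, app: str) -> bool:
    """Perimeter rule: on the network with a valid credential means reach everything."""
    return p.on_network and p.authenticated

def zero_trust_decide(p: Principal, app: str) -> tuple[bool, str]:
    """Per-request, per-app decision with default deny. Network position is not an
    input at all, so being 'on the network' cannot grant anything."""
    if not p.authenticated:
        return False, "unauthenticated"
    if p.kind == "user":
        if not p.mfa:
            return False, "mfa-required"      # a harvested password alone stops here
        if not p.device_healthy:
            return False, "device-posture"
    elif p.kind != "workload":
        return False, "unknown-principal-kind"
    allowed = ENTITLEMENTS.get(app, set())    # unknown app looks the same as forbidden
    if p.name not in allowed:
        return False, "not-entitled"
    return True, "allow"

def compare(p: Principal, app: str) -> dict:
    """Side-by-side outcome of both models for one request."""
    zt, reason = zero_trust_decide(p, app)
    return {"legacy": legacy_decide(p, app), "zero_trust": zt, "reason": reason}

if __name__ == "__main__":
    # Constructed scenario: attacker signs on with a phished password from an unmanaged device
    phished = Principal("alice", "user", authenticated=True, on_network=True)
    print(compare(phished, "payroll"))   # legacy allows; zero trust denies (mfa-required)
    batch = Principal("batch-job-7", "workload", authenticated=True, on_network=True)
    print(compare(batch, "payroll"))     # legacy allows; zero trust denies (not-entitled)
```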
Padin said that a zero trust approach to security adds to the operational efficiency sought by the Department of Government Efficiency.
“Obviously, we’re living in a time of change,” he said. “When we think about using zero trust principles, there’s a huge benefit to agencies, and many agencies have already reaped these rewards.” Padin said that more than a dozen cabinet agencies have adopted Zscaler’s approach.
With cloud-hosted services, agencies no longer have to buy expensive firewalls, TIC services and physical security measures, he said. Those are expensive both to acquire and to operate, Padin added.
“Sending security to the cloud, where the user is going to on the internet, is much more efficient and a much better bang for your buck from an investment perspective.”