The Home and Community department and the housing ministry are moving towards implementing zero-trust security within the New Zealand government. After COVID-19 transformed the risk profile of the company, it rapidly introduced laptops and remote access for its employees and led the Home and Community department as a member of the Government Information Security Forum. Zero trust does not replace perimeter security but works on the presumption that a breach has already taken place. Under the model, system access requests are treated as if they came from an open network, on a “never trust, always verify” basis.
Sophisticated intelligence and analytics are then deployed to detect and respond to anomalies in real time. The Data Protection Officer, the Information Manager and the cyber security / IT security manager of the Home and Community department worked closely together to protect personally identifiable information. In its 2022 financial year, the agency also had 21 projects under its programme, while the Home and Community Department reported to the Social Services Parliament and the community selection committee in June. They did not discuss these in full for security reasons but rather described their themes and three primary areas.
With plans to centralise the country’s 20 District Health Boards (DHBs) into a single health service, we need to be confident that the IT systems undergirding such crucial public services are robust and that sensitive data remains safe – and a Zero Trust network is the best way to do that.
– New Zealand country manager at a global provider of the cyber security company.
To start, a zero-trust network architecture would be deployed to reduce the attack surface that could be compromised in a cyber-event, as well as the impact and recovery times of any compromise. Employees from the Home and Community Department were given awareness training so that they could practise what to do if they encountered unusual behaviour on systems or phishing emails.
Finally, identity management and governance were being developed to provide “robust control” over people accessing the agency’s systems, ensuring that they had the right of access and that it was removed when no longer required. This would also provide auditable evidence of all changes. A programme was also in the works to convert the Ministry of Housing to a zero-trust model to improve the security architecture that had already been implemented. At the time of the report, this was being undertaken as an operational project within the ministry’s standard “steady-state” operating costs.
“Further consideration is being taken to accelerate part or all of this project,” the report said. “At this stage, any costs to do this have not been scoped but would be anticipated between $60,000 and $80,000.” All ministry systems were already in the cloud with data either in the electronic document records management system (EDRMS) or in a data platform.
All information stored in the ministry’s EDRMS was licensed under cloud adopter licensing, ensuring the highest level of security. Furthermore, through the ministry’s managed desktop subscription with the cloud provider, the ministry had direct access to the cloud’s 24×7 system and organisation controls (SOC), which provided advance alerting and early warning of potential threats.
These expenditures and changes were within the usual cost of the ministry’s subscription service. Similarly, the Biden administration announced an executive order in May to improve the cyber security of the United States, partially through the implementation of a zero-trust framework. The New Zealand country manager of a global provider of the cyber security company said New Zealand should follow the U.S. and set a robust, safe framework for IT systems, which was even more important after a range of cyber-attacks on organisations.