Kāinga Ora and the Ministry of Housing appear to be on point to lead the adoption of zero trust security in New Zealand government.
Kāinga Ora led a zero trust architecture working group as part of the Government Information Security Forum after COVID-19 changed the organisation's risk profile as it rapidly deployed laptops and remote access for staff.
Zero trust does not replace perimeter security, but does operate on the assumption a breach has occurred. Under the model, system access requests are treated as if they came from an open network on a “never trust, always verify" basis.
Sophisticated intelligence and analytics are then deployed to detect and respond to anomalies in real time.
As part of its programme, Kāinga Ora's privacy officer, information manager and cyber security/IT security manager worked closely to ensure personally identifiable Information was protected.
The agency also had 21 projects planned for delivery under its cyber security initiatives programme in its 2022 financial year, Kāinga Ora told Parliament's social services and community select committee in June.
For security reasons, Kāinga Ora did not outline these in detail but did describe their themes and three main areas of focus.
Firstly, a zero trust network architecture would be deployed to reduce the attack surface that could be compromised in a cyber-event and to reduce the impact of any compromise and recovery times.
Awareness training was being provided to Kāinga Ora staff to ensure that they could practice what to do in the event of encountering unusual behaviour on systems or phishing emails.
Finally, identity management and governance was being developed to provide a "robust control" over people accessing Kāinga Ora systems, ensuring that they had right of access and that this was removed when no longer required.
This would also deliver auditable evidence of all changes.
The costs of the projects were not available at the time of the report and Kāinga Ora did not respond to requests for further details about its security initiatives.
A programme was also under way to convert to the Ministry of Housing to a zero trust model to enhance the security architecture it had already deployed.
At the time of the report, this was being undertaken as an operational project within the ministry's standard "steady state" operating costs.
"Further consideration is being taken to accelerate part or all of this project," the report said. "At this stage any costs to do this have not been scoped but would be anticipated between $60,000 and $80,000."
All ministry systems were already in the cloud with data either stored within Office 365, the SharePoint-based electronic document records management system (EDRMS) or in Microsoft's Azure data platform.
All information stored within the ministry’s EDRMS was licensed under Microsoft 365 E5 licensing, providing the optimum level of security.
"In addition, through the Ministry’s Microsoft managed desktop subscription, the Ministry has direct access to the Microsoft 24x7 system and organisation controls (SOC) which provided advance alerting and early
warning of potential threats.
The costs of these as well as updates were within the ministry's standard subscription service costs.
In May, the Biden administration announced an executive order aimed at improving the United States’ cybersecurity, in part by implementing a zero trust framework.
Misti Landtroop, New Zealand country manager at Palo Alto Networks, said the New Zealand government should follow the US and implement a robust and secure framework for our IT systems, something that had become even more crucial following a string of cyber-attacks against, among others, Lion, Toll Group, Fisher & Paykel Appliances and, most prominently, Waikato DHB.
"Surgeries were delayed, confidential patient information was sent to the media by the hackers and questions were asked about whether the other DHBs had taken the necessary steps to avoid a similar fate," Landtroop said.
"With plans to centralise the country’s 20 DHBs into a single health service, we need to be confident that the IT systems undergirding such crucial public services are robust and that sensitive data remains safe - and a Zero Trust network is the best way to do that."
This was especially the case as the perimeters of New Zealand organisations had expanded due to the pandemic and therefore easier to breach.