Department of Homeland Security (DHS) Deputy Chief Technology Officer Brian Campo said that DHS has completed the final draft of a two-year roadmap for adoption of the zero trust security model.
During a GovExec virtual event on zero trust architecture on Oct. 14, Campo said the draft zero trust roadmap was developed by focusing on use cases, on guidance for zero trust architecture finalized by the National Institute of Standards and Technology (NIST) in August, and on input from DHS’s Cybersecurity and Infrastructure Security Agency (CISA) component.
Campo said DHS looked at an incremental phased approach to zero trust, looked at what NIST and CISA had to say, and then tried to figure out “what we can do better” for the agency. He added the DHS roadmap will help to “guide industry to know what we are looking for.”
He said “overarching guidance like the NIST and CISA guidance are important … they set a ground-level truth” for zero trust. He added that CISA’s Trusted Internet Connections (TIC) modernization effort “goes right along with zero trust.”
“They are a base fundamental guidance about what you want to do” for considering zero trust adoption, Campo said. But then, it’s still up to each Federal agency to tailor their approach by understanding their own particular mission needs and expected threat vectors.
Speaking more generally about zero trust, Campo said the model is ripe to replace the “archaic model” of perimeter defense. “We don’t have a [network] boundary any more … it’s really amorphous.”
Rather, he explained, continual increases in network threat vectors reinforce the thinking that every network endpoint may be suspected to be hostile, and zero trust provides a more proactive posture to network owners when threat vectors are rising.
With zero trust, Campo said, “there is no pre-defined security … what you are doing is looking at every new request as a new request for service.” Zero trust, he said, “gives us a new way to handle security, and gives us new paradigms.” He continued, “we are doing security not at the gateway, but at the endpoint … there is not just one access method anymore, and each can take into account different factors” including password, GPS location, what is installed on the endpoint, routes taken by data, among others. As a result, he said, “we have much more context that we can use.”
Those abilities become even more important, Campo indicated, while many Federal employees are working remotely during the coronavirus pandemic. “We are seeing more people working from many more untrusted locations,” he said, versus when many worked from offices that were considered to be controlled access points.
Zero trust, he said, “becomes absolutely vital in this environment,” adding it represents “one of the most important frameworks for security that we have seen, especially in the current times.”