Large numbers of private and public sector organizations have shifted to a zero trust architecture. Each organization takes a different approach to implementing zero trust concepts. Still, the goal is to bring together emerging and existing technologies to ensure that the experience of users and their staff is secure and effortless, federal leaders said Jan. 18 during a Federal News Network virtual event.
Dorothy Aronson, the chief information officer at the National Science Foundation (NSF), said that at NSF, zero trust underpins several other efforts around improving the customer experience, modernizing the infrastructure, and converging disparate and older systems.
“We have been integrating the zero trust approach as we modernize everything else; it’s all one single integrated approach,” she said. For example, she added that two-factor authentication would be required from here on.
“There is no longer a central data center; there is no longer a single wall protecting everything. It’s rather you tell us who you are, and we give you what you need. So, you can move outside of this small town; you can be wherever you want to be, as long as we know for sure who you are, that’s where this identity piece is critical,” Aronson said.
For years, agencies have evolved their identity and access management (IDAM) processes. But it was not until the pandemic that the actual value and need for more advanced IDAM capabilities became clear. The access-based access framework is the future for many organizations as applications and workloads move to the cloud.
James Saunders, a senior advisor for cybersecurity at the Office of Personnel Management (OPM), said the move to zero trust began with their move to the cloud.
“We’re now heavily leveraging the cloud, with the Cybersecurity and Infrastructure Security Agency’s [CISA] draft zero trust maturity model and [Office of Management and Budget] OMB draft memo,” he said.
OPM is leveraging both pieces of guidance to draft its zero trust strategy, which includes the following pillars: data, identity, device, network, and application. The agency has a set of projects pushing it toward the optimum maturity model set forth by CISA.
“For example, with data, one of the things that it calls us for is to have a data inventory and a data classification scheme. We’re partnering with our privacy team and chief data officer team to figure out what solution, what processes, and what people we will need to bring in to help us accelerate and address that pillar,” Saunders said. He added that those same conversations are happening across all the zero trust pillars through OPM’s zero trust governance team.