Federal agencies have been tasked with implementing zero trust architectures to protect valuable systems, networks, and data from cyber threats. However, there is no one-size-fits-all zero trust implementation plan, as Federal officials showed in discussing their agencies’ progress during a June 8 webinar hosted by ATARC.
Gerald Caron III, chief information officer for the International Trade Administration at the U.S. Department of Commerce, said one challenge in implementing zero trust security is shifting staffers away from the traditional ‘castle and moat’ security ideology.
“With such a large organization it is difficult to manage every device that is trying to access data,” he said. “But that is not what zero trust is, it’s about understanding your data flows. If you don’t have that baseline of understanding it’s going to be awful hard to protect things when things go sideways.”
The bright side, according to Caron, is that many organizations already have the means to adopt this data understanding process and move away from old perimeter defense ideology and towards a zero trust security framework.
“It’s about really doing that agile assessment and understanding what your majority is … and then [understanding] where your gaps are and then looking at how to fill those gaps,” he said, adding that a lot of people start the process with identity.
Michele Thomas, chief information security officer (CISO) for the Office of the Under Secretary, Science and Technology Directorate at the U.S. Department of Homeland Security, agreed with Caron, adding that it’s impossible to know everything and manage every device. However, what is possible is documenting and better understanding access, she said.
Thomas also hinted at a hidden benefit to implementing a zero trust framework – the big-picture cost of modernization.
“Those of us that are coming into zero trust or who haven’t fully implemented all the things that we are directed to implement … this is an opportunity to possibly replace [legacy systems] with a zero trust solution or technology that might do what the old solution did at a lesser cost. It doesn’t always happen that way, but there are some opportunities out there,” Thomas said.
While her fellow panelists agreed with her assessment of cost-saving benefits, some pointed out that the zero trust directives agencies have received also may be unfunded mandates.
“I think a lot of people don’t recognize the momentum and the pressure that we get to implement these things without the requisite funding to satisfy those requirements,” said Joe Lewis Sr., CISO and Director for the Cyber Security Program Office at the Centers for Disease Control and Prevention (CDC) at the U.S. Department of Health and Human Services.
For the CDC, he explained, modernizing legacy applications and tooling with zero trust in mind is how they have dealt with the challenge of meeting these unfunded requirements.
“Every week we’ve got new tools and there’s some new vendor that will come out and say they can solve all your problems tomorrow if you just sign on the dotted line. But what we need is a strategy on how to manage the development lifecycle as we deprecate old capabilities when we go to generate requirements for the new capabilities,” Lewis said.
“Now we have an additional set of requirements that helps drive our purchasing decisions,” he said. “What that does is, it gives you an overarching strategy by which to approach the deployment of tools and capabilities.”