Government Agencies Make Progress Implementing Zero Trust

WASHINGTON — Zero Trust is an approach to the design and implementation of internet technology networks. This security concept developed out of the belief that an organization should not trust anything, either outside or inside its perimeter. Therefore, everything must be verified before being granted access to the system.
Zero Trust relies on various existing technologies, including multi-factor authentication, orchestration, analytics, encryption, scoring, and file system permissions, to stop data breaches and ensure a secure network.
The Federal News Network convened a panel of Federal IT practitioners to find out how agencies are implementing strategies and initiatives around Zero Trust, particularly in the complex operating environment that emerged due to the pandemic.
“We might, without COVID, still just be talking about Zero Trust as a construct,” said Christopher Cleary, chief information security officer for the Department of the Navy. “Now, we’ve not only embraced [Zero Trust], we’re now directed [to use it].
“One of the things we found almost immediately was our capacity through VPNs just to try and keep everybody teleworking at home… we choked on it very quickly,” said Cleary. So in an attempt to introduce more capacity, the Navy created a commercial virtual response (CVR) environment to allow people to connect directly through their devices, whether government furnished equipment or personal equipment, from wherever they are without going through any security stacks.
“From a chief information security officer, you’re focusing on that risk reduction and… implementing security. In the CTO office, we’re trying to understand how Zero Trust fits into all of the IT goals that the CIO wants to do,” said Brian Campo, acting chief technology officer at the Department of Homeland Security. “Part of [Zero Trust] is a mission, part is just optimization. We’ve tried to increase capability as we reduce risk, and we [also] knew VPNs would be difficult in the age of COVID.”
Even before moving to telework, the Department of Homeland Security and U.S. Customs and Border Protection were already moving things to the cloud, which made the transition to Zero Trust that much easier.
“[You used to have your] inside, trusted network… and everything on that network was trusted equally,” said Alma Cole, chief information security officer at U.S. Customs and Border Protection. “And you have issues there with your weakest link. And we’re getting rid of that paradigm to where now it’s just the one unit that’s linking in, accessing exactly what it needs to do. And if there’s a breach, it limits the damage that could be done.”
“What we demonstrated was that we could really establish a very secure, almost overly secure environment… [where we] could almost monitor every keystroke,” said Cleary.
Private partners like Verizon, Okta, and Fortinet are helping these government agencies enable the right access, to the right people, in the right context, while evaluating those permissions continuously. These partners are providing Zero Trust products and services that can be integrated into both wireline and wireless networks.
“While federal facilities are very secure, the weak link is all of those little companies that supply you,” said Junaid Islam, director of Public Sector for Verizon. “As we look long term at how people are going to work… work from home or distributed working is here to stay,” so these partners work with agencies to implement their entire security stack with strong identity checks and cryptographic controls, because ultimately, identity management is the key element of Zero Trust architecture.
“As challenging as it can be for Federal partners to do Zero Trust [at the agency level], it’s harder in an international or global environment,” added Jim Richberg, field chief information security officer at Fortinet. Yet agencies are working to use their Zero Trust architecture to make cloud infrastructure behave as needed.
“In addition to the heightened security requirements that we have, now we’re also really trying to build common operational pictures across all of the various mission sets that we have,” said Cole. At USCBP and elsewhere, he’s looking for Zero Trust to enable offices to receive the information they need anywhere, anytime; maintain intelligence about everything going on in the network; and automate so that “we’re not chasing down problems, systems, or users, to deal with breaches or other issues.”
“When you look through the breadth of what the Navy is [required] to do, [we try to] balance enterprise services with warfighting functions,” said Cleary. “It’s going to change the way we work. Reduction of physical facilities is flattening the network… We can have workers anywhere on the planet and won’t need legacy architecture. That’s big for us.”