facebook linkedin twitter

Government Agencies Make Progress Implementing Zero Trust

November 23, 2020 by Kate Michael

WASHINGTON — Zero Trust is an approach to the design and implementation of internet technology networks. This security concept developed out of the belief that organizations should not trust anything — either outside or inside — its perimeter. Therefore, everything must be verified before being granted access to the system. 

Zero Trust relies on various existing technologies, including multi-factor authentication, orchestration, analytics, encryption, and scoring and file system permissions to stop data breaches and ensure a secure network. 

The Federal News Network convened a panel of Federal IT practitioners to find out how agencies are implementing strategies and initiatives around Zero Trust particularly in the complex operating environment that emerged due to the pandemic.

“We might, without COVID, still just be talking about Zero Trust as a construct,” said Christopher Cleary, chief information security officer for the Department of the Navy. “Now, we’ve not only embraced [Zero Trust], we’re now directed [to use it]. 

“One of the things we found almost immediately was our capacity through VPNs just to try and keep everybody teleworking at home… we choked on it very quickly,” said Cleary. So in an attempt to introduce more capacity, the Navy created a commercial virtual response (CVR) environment to allow people to connect directly through their devices, whether government furnished equipment or personal equipment, from wherever they are without going through any security stacks. 

“From a chief information security officer, you’re focusing on that risk reduction and… implementing security. In the CTO office, we’re trying to understand how Zero Trust fits into all of the IT goals that the CIO wants to do,” said Brian Campo, acting chief technology officer at the Department of Homeland Security. “Part of [Zero Trust] is a mission, part is just optimization. We’ve tried to increase capability as we reduce risk, and we [also] knew VPNs would be difficult in the age of COVID.” 

Even before moving to telework, the Department of Homeland Security and U.S. Customs and Border Protection were already moving things to the cloud, which made the transition to Zero Trust that much easier. 

“[You used to have your] inside, trusted network… and everything on that network was trusted equally,” said Alma Cole, chief information security officer at U.S. Customs and Border Protection. “And you have issues there with your weakest link. And we’re getting rid of that paradigm to where now it’s just the one unit that’s linking in, accessing exactly what it needs to do. And if there’s a breach, it limits the damage that could be done.”

“What we demonstrated was that we could really establish a very secure, almost overly secure environment… [where we] could almost monitor every keystroke,” said Cleary.

Private partners, like Verizon, Okta, and Fortinet are helping these government agencies enable the right access, to the right people, in the right context, while evaluating those permissions continuously. These partners are providing Zero Trust products and services that can be integrated into both wire lines and wireless networks. 

“While federal facilities are very secure, the weak link is all of those little companies that supply you,” said Junaid Islam, director of Public Sector for Verizon. “As we look long term at how people are going to work… work from home or distributed working is here to stay,” so these partners work with agencies to implement their entire security stack with strong identity checks and cryptographic controls. Because ultimately, identity management is the key element of Zero Trust architecture.”

“As challenging as it can be for Federal partners to do Zero Trust [at the agency level], it’s harder in an international or global environment,” added Jim Richberg, field chief information security officer at Fortinet. Yet agencies are working to use their Zero Trust architecture to make Cloud infrastructure behave as needed.

“In addition to the heightened security requirements that we have, now we’re also really trying to build common operational pictures across all of the various mission sets that we have,” said Cole. At USCBP and elsewhere, he’s looking for Zero Trust to enable offices to receive the information they need anywhere, anytime; maintain intelligence about everything going on in the network; and automate so that “we’re not chasing down problems, systems, or users, to deal with breaches or other issues.” 

“When you look through the breadth of what the Navy is [required] to do, [we try to] balance enterprise services with warfighting functions,” said Cleary. “It’s going to change the way we work. Reduction of physical facilities is flattening the network… We can have workers anywhere on the planet and won’t need legacy architecture. That’s big for us.” 

A+
a-

Cybersecurity

November 22, 2021
by Kate Michael
Klobuchar Weighs in on CAP’s New Report on Tech Regulation

WASHINGTON — Sen. Amy Klobuchar, D-Minn., has been on a crusade for swift and sweeping reform of Big Tech platforms,... Read More

WASHINGTON — Sen. Amy Klobuchar, D-Minn., has been on a crusade for swift and sweeping reform of Big Tech platforms, introducing a number of bills and even publishing a book titled “Antitrust” that looks at the history of policy toward trusts and monopolies and details how... Read More

November 13, 2021
by Victoria Turner
US Cyber Attack Defenses Assessed at Forum

WASHINGTON — The U.S. is at risk of creating a two-silo cybersecurity strategy impeding its ability to adequately address ever-evolving... Read More

WASHINGTON — The U.S. is at risk of creating a two-silo cybersecurity strategy impeding its ability to adequately address ever-evolving cyber threats from bad actors overseas, a former assistant secretary of defense said Friday. Speaking at an American Enterprise Institute event, Paul Stockton, who is now... Read More

November 9, 2021
by Dan McCue
SolarWinds Sued By Shareholders Over Epic 2020 Data Breach

GEORGETOWN, Del. — Shareholders are suing software provider SolarWinds Corp. in the Delaware Court of Chancery claiming the company directors... Read More

GEORGETOWN, Del. — Shareholders are suing software provider SolarWinds Corp. in the Delaware Court of Chancery claiming the company directors should have known of, and yet did nothing to mitigate, the risk of the massive data breach that took place in 2020. The plaintiffs, led by... Read More

October 26, 2021
by Tom Ramstack
Bigger Government Role Expected to Protect Industry From Hackers

WASHINGTON — Large-scale cyberattacks continued this week in the United States and abroad as computer security experts told a congressional... Read More

WASHINGTON — Large-scale cyberattacks continued this week in the United States and abroad as computer security experts told a congressional panel Tuesday that more government intervention is needed. On Monday, Microsoft announced that Russia-backed hackers were trying to steal information technology to disrupt the global supply... Read More

October 22, 2021
by Reece Nations
Commerce Department Tightens Export Controls on Cybersecurity Items

WASHINGTON — The Department of Commerce’s Bureau of Industry and Security announced on Wednesday it would institute new export controls... Read More

WASHINGTON — The Department of Commerce’s Bureau of Industry and Security announced on Wednesday it would institute new export controls over cybersecurity items such as cyber intrusion software that can be used maliciously. The department’s new policy also creates a new license exception for authorized cybersecurity... Read More

October 14, 2021
by Victoria Turner
Cybersecurity Experts Point to More Investment Needed in Detection, Response

WASHINGTON -- If everyone were to employ proper cyber hygiene like multi-factor authentication or not clicking on links in phishing... Read More

WASHINGTON -- If everyone were to employ proper cyber hygiene like multi-factor authentication or not clicking on links in phishing emails, more than 85% of cyberattacks would be prevented, said Sen. Angus King, I-Maine, Thursday.  “The best hack is the one that doesn’t happen,” King said... Read More

News From The Well
scroll top