Government Agencies Make Progress Implementing Zero Trust
WASHINGTON — Zero Trust is an approach to the design and implementation of internet technology networks. This security concept developed out of the belief that organizations should not trust anything — either outside or inside — its perimeter. Therefore, everything must be verified before being granted access to the system.
Zero Trust relies on various existing technologies, including multi-factor authentication, orchestration, analytics, encryption, and scoring and file system permissions to stop data breaches and ensure a secure network.
The Federal News Network convened a panel of Federal IT practitioners to find out how agencies are implementing strategies and initiatives around Zero Trust particularly in the complex operating environment that emerged due to the pandemic.
“We might, without COVID, still just be talking about Zero Trust as a construct,” said Christopher Cleary, chief information security officer for the Department of the Navy. “Now, we’ve not only embraced [Zero Trust], we’re now directed [to use it].
“One of the things we found almost immediately was our capacity through VPNs just to try and keep everybody teleworking at home… we choked on it very quickly,” said Cleary. So in an attempt to introduce more capacity, the Navy created a commercial virtual response (CVR) environment to allow people to connect directly through their devices, whether government furnished equipment or personal equipment, from wherever they are without going through any security stacks.
“From a chief information security officer, you’re focusing on that risk reduction and… implementing security. In the CTO office, we’re trying to understand how Zero Trust fits into all of the IT goals that the CIO wants to do,” said Brian Campo, acting chief technology officer at the Department of Homeland Security. “Part of [Zero Trust] is a mission, part is just optimization. We’ve tried to increase capability as we reduce risk, and we [also] knew VPNs would be difficult in the age of COVID.”
Even before moving to telework, the Department of Homeland Security and U.S. Customs and Border Protection were already moving things to the cloud, which made the transition to Zero Trust that much easier.
“[You used to have your] inside, trusted network… and everything on that network was trusted equally,” said Alma Cole, chief information security officer at U.S. Customs and Border Protection. “And you have issues there with your weakest link. And we’re getting rid of that paradigm to where now it’s just the one unit that’s linking in, accessing exactly what it needs to do. And if there’s a breach, it limits the damage that could be done.”
“What we demonstrated was that we could really establish a very secure, almost overly secure environment… [where we] could almost monitor every keystroke,” said Cleary.
Private partners, like Verizon, Okta, and Fortinet are helping these government agencies enable the right access, to the right people, in the right context, while evaluating those permissions continuously. These partners are providing Zero Trust products and services that can be integrated into both wire lines and wireless networks.
“While federal facilities are very secure, the weak link is all of those little companies that supply you,” said Junaid Islam, director of Public Sector for Verizon. “As we look long term at how people are going to work… work from home or distributed working is here to stay,” so these partners work with agencies to implement their entire security stack with strong identity checks and cryptographic controls. Because ultimately, identity management is the key element of Zero Trust architecture.”
“As challenging as it can be for Federal partners to do Zero Trust [at the agency level], it’s harder in an international or global environment,” added Jim Richberg, field chief information security officer at Fortinet. Yet agencies are working to use their Zero Trust architecture to make Cloud infrastructure behave as needed.
“In addition to the heightened security requirements that we have, now we’re also really trying to build common operational pictures across all of the various mission sets that we have,” said Cole. At USCBP and elsewhere, he’s looking for Zero Trust to enable offices to receive the information they need anywhere, anytime; maintain intelligence about everything going on in the network; and automate so that “we’re not chasing down problems, systems, or users, to deal with breaches or other issues.”
“When you look through the breadth of what the Navy is [required] to do, [we try to] balance enterprise services with warfighting functions,” said Cleary. “It’s going to change the way we work. Reduction of physical facilities is flattening the network… We can have workers anywhere on the planet and won’t need legacy architecture. That’s big for us.”
In The News
WASHINGTON — Sen. Amy Klobuchar, D-Minn., has been on a crusade for swift and sweeping reform of Big Tech platforms,... Read More
WASHINGTON — Sen. Amy Klobuchar, D-Minn., has been on a crusade for swift and sweeping reform of Big Tech platforms, introducing a number of bills and even publishing a book titled “Antitrust” that looks at the history of policy toward trusts and monopolies and details how... Read More
WASHINGTON — The U.S. is at risk of creating a two-silo cybersecurity strategy impeding its ability to adequately address ever-evolving... Read More
WASHINGTON — The U.S. is at risk of creating a two-silo cybersecurity strategy impeding its ability to adequately address ever-evolving cyber threats from bad actors overseas, a former assistant secretary of defense said Friday. Speaking at an American Enterprise Institute event, Paul Stockton, who is now... Read More
GEORGETOWN, Del. — Shareholders are suing software provider SolarWinds Corp. in the Delaware Court of Chancery claiming the company directors... Read More
GEORGETOWN, Del. — Shareholders are suing software provider SolarWinds Corp. in the Delaware Court of Chancery claiming the company directors should have known of, and yet did nothing to mitigate, the risk of the massive data breach that took place in 2020. The plaintiffs, led by... Read More
WASHINGTON — Large-scale cyberattacks continued this week in the United States and abroad as computer security experts told a congressional... Read More
WASHINGTON — Large-scale cyberattacks continued this week in the United States and abroad as computer security experts told a congressional panel Tuesday that more government intervention is needed. On Monday, Microsoft announced that Russia-backed hackers were trying to steal information technology to disrupt the global supply... Read More
WASHINGTON — The Department of Commerce’s Bureau of Industry and Security announced on Wednesday it would institute new export controls... Read More
WASHINGTON — The Department of Commerce’s Bureau of Industry and Security announced on Wednesday it would institute new export controls over cybersecurity items such as cyber intrusion software that can be used maliciously. The department’s new policy also creates a new license exception for authorized cybersecurity... Read More
WASHINGTON -- If everyone were to employ proper cyber hygiene like multi-factor authentication or not clicking on links in phishing... Read More
WASHINGTON -- If everyone were to employ proper cyber hygiene like multi-factor authentication or not clicking on links in phishing emails, more than 85% of cyberattacks would be prevented, said Sen. Angus King, I-Maine, Thursday. “The best hack is the one that doesn’t happen,” King said... Read More