Driven by a range of mandates, federal IT leaders are asking themselves how far along they are on the zero trust learning curve. They’re right to ask: A zero trust approach promises to help address long-standing vulnerabilities, risks made worse by remote work, migration to the cloud, and other trends.
While zero trust is not a new concept, it has gained momentum.
The recent Executive Order on Cybersecurity is “fundamentally game-changing,” said Amy Hamilton, senior cybersecurity advisor, policy and programs, at the U.S. Department of Energy, speaking at a recent GovLoop online training Tuesday.
She pointed to guidance from the U.S. Office of Management and Budget and a laundry list of directives related to zero trust. These requirements, and recent cyber exploits, all highlight the urgent need for improvement.
Zero trust adoption means “really moving away from that legacy mindset into an entirely new paradigm,” she said.
The pandemic shift to remote connectivity sounded the death knell for the perimeter-based security model. Now defense is more like a “force field,” she said, surrounding key assets and adapting to changes as they happen. To achieve that end state, IT leaders need to “bring in all the modern technology that you can,” including machine learning, AI, and automation.
In this scenario, cyber defense happens automatically, based on threat intelligence. “If you have this set up dynamically, then what you can do is adjust it so that when people are starting to probe into your network, you’re able to go ahead and respond accordingly,” she said.
The U.S. Army Corps of Engineers needs to ensure the safety of critical infrastructure such as dams and waterways. In terms of zero trust, the Corps isn’t just worried about locking down its data, but also about making the data available — in appropriate ways.
In disaster relief, for instance, “we actually are required to share data with external civilian agency customers and partners,” said Dovarius Peoples, the Corps’ CIO. “Our goal is to enable all users that need access to the data…to access it in a more secure manner.”
That starts with understanding who is accessing the data, and why, especially when it comes to critical, high-value data. Zero trust then drives the effort to ensure secure connectivity.
“As we work in a remote environment, you have users trying to connect to different data stores,” Peoples said. “Zero trust allows you to be able to implement, as well as access, a lot of that data in a more secure manner, regardless of where it is that you’re coming from.”
Within the Corps, this extends beyond the conventional IT network, to embrace data that resides in the realm of operational technology, or OT. To that end, the Corps has stood up an OT center of excellence supported by the critical-infrastructure team.
Through that center, the Corps has developed a zero trust playbook, specifically in support of OT needs. “We’re beginning to see how you implement zero trust to protect your levee, your critical waterways, and infrastructure, to allow the nation… to operate efficiently and effectively,” Peoples said.