From executive orders to Office of Management and Budget guidance, a range of mandates are driving federal IT leaders to take a closer look at their efforts to achieve a zero-trust security framework. In light of recent high-profile cyber exploits against government, agencies are looking to zero trust to help address long-standing vulnerabilities — risks made worse by remote work, migration to the cloud, mobility and other trends.
Industry is looking to secure government operations in the cloud and is offering tools and platforms that help ensure agencies’ zero-trust implementations align with existing governance and policies. In a recent GovLoop online training, forward-thinking federal technology leaders talked about their zero-trust trajectory, while vendor partners weighed in on industry’s role in supporting government’s zero-trust ambitions.
1. Focus on Enabling the Mission
“Zero trust doesn’t just aim to secure data and systems,” said Richard Breakiron, senior director for strategic initiatives in the Americas Federal Sector at Commvault. “Fundamentally, it’s a means to enable the government mission. It is about being operationally ready.”
The challenge in front of federal IT leaders is not just to secure their systems, but to do so in a way that both meets the current cyber threat and supports their extensive agency mission sets, in order to enable effective business processes. The point isn’t just to keep people out, but rather to let them in — selectively.
“I don’t know anything about this virtual presence that has come knocking on my door, but now I need to totally, but maturely, vet them and let them go forward,” he said. And agencies need to do that “at scale and at speed,” he said.
Agencies don’t need to leap to zero trust all in one go, he noted. In this case, crawl-walk-run is “a very reasonable model,” he said. Agencies first must make the effort to understand who needs access to what data. If one aim of zero trust is to empower secure collaboration, “you want to figure out what that level of trust should be,” he said. That starts with “sitting down and defining those requirements,” he said. Industry can help by supporting a comprehensive initial assessment. “We actually go in with a fresh set of eyes,” he said. “We can put it in a framework that lays the groundwork for the end state.”
2. Take a Data-Led Approach
To advance toward a zero-trust mindset, agencies must have a solid understanding of their data and applications landscape. “First, define what it is that you’re trying to protect,” said Kevin Cronin, vice president at Kelyn Technologies.
“It’s all about the data,” he said. “The applications are accessing the data, the people are accessing the data … that’s what everybody’s after.” He described this as a bi-directional consideration. IT leaders need to think about those who are creating the data, and also about where and how that data is stored.
At the same time, they need to ponder the relative value of the data on hand. “A Word doc with some directions on how to get to the supermarket is completely different than something with national security interest,” he said. “You need to understand what your data is.”
Government efforts to peer deeply into the relevance of data could, in turn, help industry to supply the most effective zero-trust solutions. “I think one of the things that government can help us with — ‘us’ being industry — is really defining that data,” he said. “Somebody needs to tell us what the value of each type of data is. Once we have that, then we can really create systems that will help tag the data and move the data.”
Industry needs government to take these initial steps, he said, “to make sure that we’re doing it right.”
3. Look to Cloud to Accelerate Zero Trust
As a cloud services provider, Amazon Web Services naturally looks to the cloud as a means of supporting agencies’ zero-trust ambitions. There’s a natural fit here, given “the natural properties of cloud,” said Sean Phuphanich, a senior solutions architect at AWS. In cloud, “you can spin things up and throw them away. You can quickly make decisions and changes, so you’re not committing to one decision for five years,” he said. That’s important, given the rapidly shifting cyber threat landscape. “If you go down a path and you don’t like it, or you don’t like that particular implementation, you can change it, you can evolve it,” he said.
The cloud also allows for the fine level of control that’s needed in a zero-trust environment. “We have very granular APIs and identities,” he said. “Just because we have two different services, they don’t automatically get permissions for access to each other. You have to explicitly grant permission so that computers can talk to storage.”
This granularity empowers agencies to define and enforce the role-based parameters that stand at the heart of the zero-trust concept. In addition, AWS partners with a range of other solution providers to layer on additional tools and capabilities in support of zero trust. “There’s a lot of services that can be used both in cloud, as well as across existing data centers in the cloud environment. That’s where we help accelerate that journey,” Phuphanich said.
4. Embed Security Into the Operations
Hewlett Packard Enterprise takes a platform approach to zero trust. Its Project Aurora offers an embedded security platform to protect infrastructure, operating systems, software and workloads continuously and automatically.
A platform-based solution can automatically detect threats and reduce risk, without the use of signatures or other performance trade-offs. “For customers who wish to burst and consume cloud resources, cloud compute … we will give you the content” securely and safely, said Chris Tinker, distinguished technologist at HPE.
A capable vendor can help to align zero-trust solutions with agency governance, he said — for example, by ensuring a cyber-resilient supply chain. In the big picture, government’s approach to zero trust needs to support tight security without impacting mission outcomes. “You have got to balance unfettered access against locking it down so tight” that systems become unusable, he said. Remote work highlights this need, pushing agencies to find ways to keep people connected without exposing data or systems to undue risk.
To strike that balance, government should be working in close collaboration with industry. “Don’t try to do it in a bubble,” Tinker said. “Reach out to industry partners. We do it every day.” It helps, too, to define upfront the desired end state for a zero-trust effort. “What does that look like? I understand the governance and compliance. Now, how are you going to operate that environment? How are you going to run that environment?” he said. “Industry is here to be a partner and to accelerate those outcomes.”