Matt Singleton vividly remembers Saint Patrick’s Day 2020. Not exactly for the celebratory reasons you’d expect but for the massive challenge that confronted him.
“I got a call that said, ‘Hey, we’re sending the entire workforce home, and you’ve got to make them productive now,’” said Singleton, who serves as Oklahoma’s Chief Information Security Officer. “And so in the span of a couple of weeks, we had to figure out how to do that securely.”
Looking back, that herculean task humanized a cybersecurity model — known as zero trust — in a way that no memo, policy document or buzzword pitch could ever do. Singleton recalled at one point being asked by a member of the c-suite if they could give employees administrative rights to their PCs. Yes, you read that correctly.
“That is almost the exact opposite of zero trust,” Singleton said during GovLoop’s recent online training. “After I picked myself up [off] the floor, I said, ‘That’s probably not the right thing to do; let’s start talking through what it is you’re trying to accomplish.’”
That conversation led to the state rolling out privileged access management solutions, which help organizations add a layer of security between users and the privileged accounts they have access to. That work led to discussions about employing multi-factor authentication, which establishes multiple ways for users to verify their identity when accessing an account or making changes. For many government employees, that means using an ID card along with a password to access a government computer. These are all solutions that support a zero-trust strategy.
“There are a ton of tools that you pull in when you are talking about zero trust,” Singleton said. “It is really going to be what makes the most sense for individual organizations based on current toolsets and maturity in those toolsets. Identity is the cornerstone.”
Part of what makes zero trust a tough concept to grasp is that it isn’t one thing or tool, and there isn’t one guidebook on what it looks like in practice, said Robert Costello, Chief Information Officer at the Cybersecurity and Infrastructure Security Agency (CISA).
In its zero-trust maturity model document, CISA describes zero trust as a collection of concepts and ideas designed to minimize uncertainty when enforcing practices that ensure the right people have the right level of access to agency networks and resources. Agencies that embrace this way of operating do so from the assumption that the network is compromised, which means there must be constant checks and balances to ensure that anyone or anything operating on the network is valid.
“The most important thing for me is that you see more segmentation,” Costello said. In other words, if someone gets into the network, segmentation (security checkpoints between parts of the network) reduces the chances that they will be able to move about freely and exfiltrate a lot of data.
Zero Trust Use Cases that Center People
It can be easy to get lost in the alphabet soup of technical terms and acronyms when it comes to zero trust, which is why human-centered language and clarity around how it impacts employees matters.
Take single sign-on (SSO), for example. This method is used to simplify the login process for users by allowing them to access multiple applications with one set of credentials. For employees, that means no more hassle of trying to remember multiple passwords for different workplace applications, fewer headaches and help desk tickets because of expired/forgotten passwords, and a better login experience for remote and on-site employees. The federal government’s Login.gov platform extends these same secure benefits to the public to ease and streamline online interactions with agencies.
Adrian Monza, a Senior Solutions Architect at Amazon Web Services (AWS), shared one example where employees became the biggest proponents of single sign-on. They went to the application development team and questioned why more apps weren’t taking advantage of SSO. Why? Because they were direct recipients of what happens when technology simplifies the user experience while also making it more secure. And because SSO centralizes access to agency applications and underlying data, it simplifies the offboarding process by making it easier to terminate an employee’s access to multiple agency applications.
Costello highlighted the potential synergy across federal initiatives such as Trusted Workforce 2.0, a governmentwide approach to reform the personnel security process and establish a single vetting system, as well as insider threat programs and how they can feed into the continuous vetting model that zero trust supports.
Keep It Simple
Simplifying security sounds like an oxymoron. But even in all its complexity, that is the end goal of zero trust. One way to think of it is that federal agencies are now being required to treat each of their workloads as if they were internet accessible, Monza said.
What are the gaps between how they secure internal versus external-facing workloads and what must be done to provide uniformity and elevate security? That could mean revisiting standards for patching internal and external systems.
“It is very easy to get overwhelmed by the magnitude of how much work there is,” Monza said. “The easiest way to get started is to just get started.”
AWS is among the ecosystem of industry partners providing low- and no-cost services to help organizations on their zero-trust journeys, whether that’s micro-segmentation, which we touched on earlier, or encrypting data. Key to that effort is the AWS Marketplace, a curated digital catalog that helps customers find, subscribe to, deploy and govern third-party software, data and services.
“We consider it to be our Amazon Prime for software,” said Maria Thompson, SLG Leader, Cybersecurity, at AWS and former chief risk and security officer for the state of North Carolina.
Thompson knows firsthand the frustrations and urgency of needing to procure secure software services. Federal agencies are working under a zero-trust mandate with deadlines attached to it, and they can’t afford to wait months for procurement cycles, she said. She expects that more state and local governments will also adopt a zero-trust model.
“You are not alone,” she said of government agencies. “We are all on this journey, this pathway of learning zero trust and figuring out what makes sense.”