GSA Makes the Move to Zero Trust

The need for cybersecurity has been around since the 1970s, a result of the 1969 release of the Defense Department’s (DoD) Advanced Research Projects Agency Network, and has grown in importance and urgency along with technological advancements. Today, cybersecurity consistently ranks as a top concern for all levels of government and is considered a perennial challenge. Several agencies are devoted to addressing it, including the Cybersecurity and Infrastructure Security Agency (CISA), National Institute of Standards and Technology (NIST), National Security Agency, and FBI. The Biden administration’s fiscal 2023 budget included $10.9 billion for civilian cybersecurity funding alone — up 11% from 2022.

Cybersecurity approaches — and threats — evolve. While initial efforts sought to protect the perimeter, today the emphasis is on zero trust, an approach that treats all networks and traffic as potential threats. A zero-trust architecture (ZTA) “helps agencies build zero-trust principles into industrial and enterprise infrastructure and workflows,” according to the General Services Administration (GSA).

Have a Detailed Plan

Like most agencies, GSA has had a traditional networking model focused on the perimeter, meaning that anything inside it was considered trustworthy. With funding from a Technology Modernization Fund (TMF) grant it won in October 2021, the agency is shifting to ZTA.

Bo Berlas, Chief Information Security Officer at GSA, described some of the initiatives during a recent GovLoop training:

  • Aligning user authentications to a new identity, credential and access management architecture
  • Implementing application-to-application microsegmentation at data centers, which moves away from traditional IT-based networking to intent-based routing, an approach that uses artificial intelligence (AI), analytics and network orchestration to automate administrative tasks and improve network operations
  • Implementing secure access service edge (SASE) technology
  • Implementing a cloud-based single sign-on

“We have a clear vision and a detailed plan that is really focused around executing against a set of challenges that we have,” Berlas said. “And that is perhaps one of the biggest things in my mind — making sure that you actually have an integrated strategy that is aligned with the set of threats that we face as an agency, relevant to our mission, and as a government.”

Ease Into Change

ZTA isn’t plug-and-play cybersecurity. It’s a monumental shift in how agencies handle cyber, and with change come growing pains.

“Zero trust itself is not an IT project, it’s not a security project,” Berlas said. “It really does require all of us to work together to be able to fundamentally use a set of changes that are cultural in nature, organizational in nature.”

One change management approach he uses is implementing technologies incrementally with small groups before expanding to more users. That requires active participation by agency employees, including reading communications about changes and taking training offerings, Berlas said. “Limiting privileges is what is needed to really perform one’s job functions,” he said. “It’s about providing the right access at the right time, and it doesn’t mean that we are inherently not trusting of our staff.”

What big wins are bolstering zero trust at GSA?

“We started actively working on this in February 2022. Today about 98% of our users no longer connect over VPN; they’re directly connecting over SASE technology. We’ve facilitated direct migration of 30 to 40 buildings toward this microsegmentation model for more readily securing operational technology and the Internet of Things,” Berlas said. “How we develop and manage and access applications today, for our own users, our business partners in government, members of the public that we serve, is about ensuring that regardless of who you are, you have a seamless zero trust-based access model to be able to interact with your government. Zero trust presents an opportunity, and it’s the pivot that is fundamental and necessary to allow us to meet the challenges that we have as an organization.”

This article appeared in slightly different form in our guide: Innovations 2022: Conversations That Matter.