An interview with Jeff Brown, Chief Information Security Officer, Connecticut
In the old days, government cybersecurity depended on network perimeters protecting agencies’ data and other resources.
But the new days are making this strategy seem outdated. The more government employees work remotely, the more porous agencies’ network perimeters become. Furthermore, more sensitive information about constituents is exposed than ever. These concerns mean agencies must rethink cybersecurity or risk threats breaching their network perimeters.
According to Connecticut CISO Jeff Brown, zero trust security might help. Zero trust security distrusts everything outside or inside organizations’ network perimeters. Agencies can prevent cybersecurity incidents by verifying that everyone and everything asking for access to their assets deserves it.
GovLoop spoke with Brown about how zero trust security can benefit governments like Connecticut’s.
This interview has been lightly edited for brevity and clarity.
GOVLOOP: How does zero trust security work?
BROWN: A lot of people get confused about zero trust. It is to some extent a marketing term. Zero trust as a concept is relatively straightforward. You literally don’t trust anybody, including your own people. It is trust but verify. It starts out with strong authentication and what people can do once they’re in.
There’s no one technology you deploy and it’s zero trust. It is a host of technologies and a way of thinking.
Too many people have been focused on the perimeter – keep the bad guys out there and we’re in here. As we move towards a remote world where employees may be working from all over the place, you can’t take that perimeter-based view anymore. You need to look for insider threats from employees and people who have broken into the network. It’s not just employees. It’s anyone who is on the network. You don’t take anything for granted. You must verify everything every step of the way.
Why is zero trust security valuable?
The government has a lot of control over lots of different things. We must be able to be trusted. We have sensitive data on citizens and we need to make sure that we’re protecting that.
If somebody hacked the governor’s emails and was able to send messages as him, that’s not a good thing by any measure. Fortunately, a lot of these attacks are clunky and obvious. But that’s going to change over time. People are getting more sophisticated in the types of attacks that they do. Our job is to make sure that these attacks are not practical to carry out. We basically push the attackers elsewhere.
Multi-factor authentication is a component of zero trust. It means I’m not getting in with just the username and password. Whether it is a SMS [short message service] text on your phone or an authenticator app, there’s that second level. If you don’t deploy anything for zero trust, multi-factor all by itself is a good security control.
What are some best practices you’d recommend for implementing and actively practicing zero trust security?
Zero trust means zero trust. We’re monitoring your internal systems. To an extent, we are monitoring what individuals are doing. That’s not to say we’re Big Brother. We’re not monitoring the keystrokes of every user in the state or anything like that.
For the agencies, multi-factor is a huge one. We’ve seen time and time again accounts get compromised because they had a bad username and password. If that’s the only thing protecting a system, that’s not enough.
The bottom line is we know people create bad passwords. That’s a given. You can increase awareness about how to create good passwords, and you certainly want to try that. In many cases, people will just figure out ways around complexity requirements to get an easy to remember password versus a secure and strong password. You want to encourage people to have unique passwords for every single site. At some point you need to give them a secure method of being able to remember all these passwords.
By far the No. 1 thing is making sure all your systems are patched and up to date. Sadly, a lot of attacks have come through known vulnerabilities that haven’t been patched. It is what I’d call a clean air, fresh-water activity. It is something so basic and fundamental to what we do.
Make sure things are up to date and not at the end of their life. A lot of people keep servers well beyond their service life and they stop receiving security patches. That’s something you need to keep in mind.
Authorization is about now that I know who you are, what can you do? That level of authorization is important. Especially in the states, some people spend 30 or 40 years bouncing around different agencies. You must make sure the access people had in previous roles has changed. When you start a new role, you should lose your old access and start fresh. That’s something that doesn’t always happen.
This article is an excerpt from GovLoop’s recent guide, “Conversations With CXOs: Your Crash Course on the Future of Gov.” Download the full guide here.