The recent Executive Order on Cybersecurity is “fundamentally game-changing,” said Amy Hamilton, senior cybersecurity adviser for policy and programs at the U.S. Department of Energy, at a recent GovLoop online training. She pointed to presidential memos, OMB guidance and a laundry list of requirements related to zero trust.
These requirements, along with some high-profile cyber incidents, all highlight the urgent need for improvement. In this light, zero-trust adoption means “changing your entire framework … and really moving away from that legacy mindset into an entirely new paradigm,” she said. “It’s time for us to move ahead with a new model.”
The historic moat-and-castle approach is no longer sufficient. “That’s been around since the ancient Egyptians,” she said. “The moat and castle works for the kings and queens and the rich people who live inside. But what happens to all the poor people on the outside?”
Pre-COVID, that perimeter-based model still functioned well enough most of the time, but it was already on its way out. The pandemic shift to remote connectivity sounded the death knell. “The castle is gone,” Hamilton said. “So now what do we do now? We have to look at: What is that new paradigm?”
In the current environment, there’s no perimeter. Defense is more like a “force field,” she said, surrounding key assets and adapting to changes as they happen.
Here is how Hamilton sees a new environment taking shape.
An emphasis on automation: To achieve that end state, IT leaders need to “bring in all the modern technology that you can,” she said. “You want to bring in machine learning. You want to bring in [artificial intelligence]. You want to bring in automation, and you want it to be smart and able to react to your threat environment.”
Security behind the scenes: In this scenario, cyber defense “is happening dynamically, in the background, based on the threats and based on the intelligence,” she said. Success means “recognizing the different threats that are out there, and if you have this setup dynamically, then what you can do is adjust it so that when people are starting to probe into your network, you’re able to go ahead and respond accordingly.”
The need for governance: It also requires a more deliberate focus not just on networks and devices, but especially on applications and data. “One of the most important things we’re not doing is governance. We absolutely have to get the governance right,” she said. “If we don’t start talking to each other about the governance models, we’re going to continue to fail, because even though we’re implementing [zero trust], we’re not going to be implementing it together.”
That focus on togetherness is a key means of driving success in a zero-trust architecture (ZTA). “We really need to make sure that we’re approaching ZTA from a holistic approach,” she said. That means thinking about things like cloud adoption and the supply chain, ensuring those processes fall under the ZTA umbrella.
Workforce considerations also play a major role. “Do I have a trained workforce? Do they understand things?” she said. In the move to a ZTA-based approach, “you’re talking about having to fundamentally shift your brain.”
This article is an excerpt from GovLoop’s virtual training e-book “How to Put Zero Trust to Work.”