One of the key components to successfully adopting zero trust is communication.
The U.S. Customs and Border Protection (CBP) has already been taking steps toward implementing zero trust in some areas, and the agency will likely see more movement over the next few years, said Bob Costello, Executive Director of CBP’s Office of Information Technology’s Enterprise Networks and Technology.
“We want to move to the eventual place where we trust nothing on our network,” Costello said at GovLoop’s online training Thursday.
According to the National Institute of Standards and Technology, “zero trust assumes there is no implicit trust granted to user accounts based solely on their physical or network location (i.e., local area networks versus the internet).” Generally, it places the security risk on the user and not the device. It has taken over perimeter defense, which only protects users and devices in a static environment, as the preferred way to protect systems and data. (Here’s a GovLoop explainer video that breaks down zero trust in plain language.)
In part, the evolution of zero trust addresses human error. Human error is unavoidable, but sometimes, these mistakes can be catastrophic. In 2013, after someone clicked on a phishing email, information from 40 million credit and debit cards were stolen from the retail corporation Target.
“This was not a system that was not patched. The attack vector here was a person. A person opened an email they shouldn’t have [opened] and lo and behold, the system was infected,” said Jose Arvelo, Lead Sales Engineer at Citrix Systems, Inc.
A phishing email like that in the federal government can have even farther-reaching impacts.
“When we make a mistake, it can drastically affect the economy,” Costello said. “It can slow down processing at an international airport and can disembark flights at JFK [John F. Kennedy International Airport]. That’s unacceptable.”
That’s why it’s critical to perform substantial testing, establish an effective rollout and rollback strategy, and plan a good communication strategy to adopt zero trust, Costello said.
Part of that communication strategy is to inform personnel on the security changes that accompany a methodology shift. For instance, Citrix, a software provider, offers a capability that produces a risk profile of users across a system. Organizations that opt in have better visibility into managing a zero-trust environment. It helps establish zero-trust security in a sophisticated and sprawling IT environment. But the risk profiles could touch a nerve for some folks.
“People do have a lot of sensitivities about receiving a risk score. It’s very different from attaching a risk score to a laptop. We have to manage that effectively and explain things very well,” Costello said.
Zero trust is not just a simple security solution, but a complex philosophy that tries to improve cyber defenses. In the midst of complexity, it is key to communicate the changes to the people it will affect.
“Zero trust is not one or two solutions,” Costello said. “It’s how you get a bunch of things working together, including changing the training and mindsets of human operators that run our systems.”
This online training was brought to you by: