The U.S. Army Corps of Engineers needs to ensure the safety of critical infrastructure such as dams and waterways. That means looking at zero trust through an operational lens, and also understanding its impact on individuals.
“As we begin to look at zero trust, we begin to look at our end user,” said the Corps’ CIO, Dovarius Peoples. “How do we enable the end user to operate in a secure manner?” Peoples identified three key issues the Corps is addressing.
Across the Corps’ diverse missions, data is the key ingredient, and making that data both accessible and secure is the “ultimate goal” of the zero-trust effort, he said. “Through leveraging zero-trust principles,
we’re looking to … share access to data in a secure manner. That’s really what we’re beginning to look at.”
The Corps isn’t just worried about locking down its data, but also making the data available — in appropriate ways. In disaster relief, for instance, “we actually are required to share data with external civilian agency customers and partners,” he said. “Our goal is to enable all users that need access to the data … to access it in a more secure manner.”
That starts with understanding who is accessing the data and why, especially when it comes to critical, high-value data. IT is tasked with “defining who needs it, defining what that access is and the security of the systems that we are trying to protect,” he said.
With those definitions in place, zero trust comes into play as the means to ensure secure connectivity. “As we work in a remote environment, you have users trying to connect to different data stores,” Peoples
said. “Zero trust allows you to be able to implement, as well as access, a lot of that data in a more secure manner, regardless of where it is that you’re coming from.”
Agencies can put zero trust to work “by identifying who needs access, identify what they’re accessing and then [giving] them their own specific swim lane,” he said.
Looking Beyond IT
Within the Corps, this extends beyond the conventional IT network, to embrace the
data that resides in the realm of operational technology, or OT, such as industrial control systems. To that end, the Corps has stood up an OT center of excellence supported by the critical-infrastructure team. Through that center, the Corps has developed a zero-trust playbook, specifically in support of OT needs. “We’re beginning to see how you implement zero trust to protect your levee, your critical waterways
and infrastructure to allow the nation … to operate efficiently and effectively,” Peoples said. He cited this as a practical example of how “we are taking zero-trust principles, deploying them and implementing them in an operational construct.”
One key to success is to attend to the human aspects of a zero-trust evolution. This is about
“the transformation of our professionals,” he said. “We have to make sure they’re trained, ensuring that they have the ability to operate efficiently and effectively.”
For the Corps, this includes embracing online, in-person and peer-to-peer learning opportunities. “We’re taking advantage of all aspects of training,” he said.