Implementing zero trust security architectures promises a wealth of benefits, but government agencies can only realize them if they’ve taken the necessary foundational steps, a Pentagon cybersecurity expert said on Thursday.

“You can’t get to many of the value propositions until you get pretty far along down your maturity path towards implementing zero trust,” said Brian G. Hermann, Ph.D., director and program executive officer for the Defense Information Systems Agency’s (DISA) Program Executive Office Cyber, during a Feb. 6 ATARC webinar.

“Many benefits that you can get out of zero trust … can’t be achieved until you’ve done all of the things to make sure that you protect it, to get past the technical debt and any other problems that you have to address,” he said.

According to Hermann, a good place to start – especially for agencies within the Defense Department (DoD) – is “adopting zero trust principles [in] the network pillar.”

“Part of the reason is because we have legacy technology and we have tech debt that we have to get after, but it also allows us to encapsulate things so that we can then get after all those other things,” Hermann said. “For me, that just seems like a logical starting place.”

However, it’s certainly not the end point where agencies need to be, Hermann emphasized.

“Every step matters … and getting to the point of having less trust means that you just have to start somewhere,” Hermann said. He added that because zero trust is a journey, “don’t feel paralyzed … because of the maturity of your organization. Take a step, check off one thing in one of those pillars, and check off another thing in a different pillar. And make some forward progress.”

Hermann also advised that while each agency’s journey to zero trust is unique, communication with partners and stakeholders is key.

“Everybody that’s any distance down the path of zero trust [can] share the things that have worked well for them and the things that have worked poorly. Communicate with those folks, talk to them about why they’re adopting the identity capabilities and things that you need as well,” he said.

“There’s a lot of work that has to happen, but if we only talk to ourselves, we lose an understanding of what the value proposition is for the kind of security that we’re providing,” he said.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.