Nick Ward, Chief Information Security Officer at the Department of Justice (DoJ), said the agency is proceeding “full steam ahead” on efforts to explore adoption of zero trust security models, with the more distributed nature of DoJ’s workforce in the coronavirus pandemic providing impetus to that effort.
Speaking on a May 20 webinar produced by MeriTalk and identity and access management technologies provider Okta, Ward said DoJ is “still early in what I would call a zero trust strategy.”
“There are a lot of elements of what zero trust is . . . but I definitely believe in the idea that controlling access directly to your applications, securing those connections directly, and not depending on network providers to do that is key to truly securing our data and our applications,” Ward said. “So we’re moving full steam ahead.”
Kelsey Nelson, Product Marketing Manager at Okta, agreed, saying the core intent of zero trust is “really about how do we apply the same strong security controls regardless of where the user is,” and “not making network control so primary in our security decisions.”
Pandemic Provides Impetus
Ward said the COVID-19 pandemic has highlighted the need to move toward a zero trust model because of the sharp increase in telework by DoJ’s workforce, and how that affects network attack surfaces through the addition of mobile and other endpoints.
On the massive turn to telework in March, the CISO said, “Most of our employees are set up to be able to be remote, but in reality even during a major snow storm or something like that we only really see maybe 25 percent or less of our workforce concurrently connecting into our VPNs. Now we’re closer to 100 percent, and we’ve definitely seen the impact of that.”
“Fortunately for us, it’s actually going really well. We started planning well ahead, we could forecast that there was probably going to be some remote work. And we started working out how to address that right away to include adding bandwidth dedicated to our VPN, for instance,” he said.
“Distributed work is going to persist in some form for the future, if anything, just to be able to scale up and down as, as things change,” said Nelson. She talked about near and longer term priorities including zero trust and “alternatives that we may be able to use to reduce that reliance on a VPN so that we can still deliver the same strong access without focusing so particularly on that.”
Authentication is Key
“In order to have zero trust you have to have strong authentication,” Ward said. “You need to know who your people are, you need to know how to give them access. If you don’t have that, it’s really difficult to do real zero trust because how are you going to grant access to these applications especially when connections can be coming from anywhere in the world. Your solution has to be very flexible.”
“One of the first things . . . is really having a flexible authentication framework, he said. “It’s really going to be the foundation for many of the other things that we would want to do. . . . You’re going to have to have an authentication framework and identity framework that you can actually extend to all the different types of applications that that you might need to consume.”
Ward said the pandemic has led to fast adoption of cloud services, which may also come with different formats for security services and increase complexity for security teams. “So one of the things that we look at is, and why we look at zero trust, is how can we really get a strong authentication solution that lets us be able to access all these different types of service in a common way,” he said.
Role of TIC 3.0
Ward said he sees “a lot of synergy with TIC 3.0” and how Trusted Internet Connections 3.0 use-cases map to zero trust. “I think they align pretty well, in reality, and one of the things that we’re doing is putting together a lot of the building blocks to be able to test things.”
“As we are deploying zero trust capabilities for a TIC 3.0 pilot . . . and really building out continuous evaluation of those use cases so we can we know how well we can defend against threats that we’re concerned about . . . I can hopefully have some level of proof,” Ward said, adding, so “we actually understand the techniques and tactics that we’ll use.”
“That’s really some of the things that we’re trying to lay down now is making sure we can evaluate how all of these different things function. Not simply just going where the wind blows and implementing things sound nice. We want to know that they work,” he said.