Gerald Caron, CIO and assistant inspector general for information technology at the Department of Health and Human Services (HHS) Office of the Inspector General (OIG), said today he wants Federal agencies to move away from looking at zero trust as a checklist and instead focus on its practical effectiveness to prevent cyberattacks.
At the ServiceNow Federal Forum 2022, Caron said he feels the Federal government has a history of being “very compliance-focused” and needs to shift to a mindset of effectiveness when it comes to implementing zero trust, as directed by President Biden’s cybersecurity executive order (EO) issued in May 2021.
“There’s a big difference between effectiveness and compliance,” Caron said at the event. “And I think that’s kind of what the executive order is pushing us towards. I mean, the way it’s titled kind of says it right, is we got to be more effective.”
Going forward, Caron said agencies should be concerned with measuring the effectiveness of zero trust. The first step in doing that, according to Caron, is to focus on the agency’s data.
“First is understanding what the data is, and one of the things that we’re going to be doing is going to identify a data source. We’re going to understand the baseline of where that data is going,” Caron said. “Where’s that data flowing? I got to know what normal looks like before I can say, ‘Is that normal?’ So, really got to understand that baseline.”
“At the end of the day, you got to think about what it is that you’re protecting, and you’re trying to protect the data,” Caron said. He explained that “we want to move toward effectiveness” and “we want to move things closer to the data and the things that we’re protecting.”
Caron compared zero trust to going to the movie theater and explained how at the movie theater, they only scan your ticket in the lobby. However, if an agency wants to move its boundaries closer to the data, Caron said a one-time verification is not enough.
“In zero trust they should be scanning my ticket at each movie door because I bought a ticket to go see the regular but, hey, the IMAX is going in five minutes, I’m just going to slip in there. Well, there’s no ticket taker at that door and there’s no ushers coming to check,” Caron said. “You got to constantly check. So, that’s ongoing authentication, ongoing access, and there’s a bunch of factors that you have to constantly check.”
While Caron believes the EO is practical for agencies to adhere to in adopting zero trust, he also said there is a lot more education needed around “what it really means.”
“A lot of people are still asking, ‘Where do I get started?’” Caron said. “There are some definite things that we’re being asked to do in the memo, but there’s still a lot to do around zero trust.”
Caron said he recommends agencies, as well as vendors, get started by taking inventory of their tech to understand where the gaps are.
“What I did internally is, even if it’s a security tool or not, what are all the technologies that I have at my fingertips without making another investment? … doing that inventory, so I know what I can take advantage of with the concepts of zero trust,” Caron explained. “And then I understand where my gaps are, where I have to mature, and where my gaps are.”
In taking this approach, Caron said it is “TBD” whether or not HHS will meet expectations around the timeline for zero trust implementation.
“That will be kind of a TBD until I kind of get a little bit more; I got to uncover some of the maturity as kind of a self-assessment. But you know, it’s like peeling back an onion,” Caron said. “There’s so much to this. There’s so much integration that we need to do. But you know, my thing is … if I take one step forward, that’s better than taking no steps at all. So, if I can get 10 percent forward, I’m making progress.”
