Faced with evolving technologies, increased use of hybrid cloud infrastructures, and the continuing need to provide widescale telework capabilities, all Federal agencies should be looking at migrating to zero trust security concepts, experts from two agencies said this week.
“Agencies are moving in this direction because they have to,” said Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency (CISA), during an FCW webinar on Tuesday. “This environment calls for and needs a new approach for security, and zero trust architectures are going to be critical for helping [agencies].”
Over the past year, zero trust has grown in popularity, and 44 Federal agencies have now dedicated teams to research or start implementing zero trust.
The experts agreed that if agencies had implemented zero trust before the COVID-19 pandemic forced employees into remote work, the shift to telework would have been a “nonevent” from a security perspective.
Steven Hernandez, chief information security officer (CISO) at the Department of Education, stressed that zero trust is a journey and a longer-term strategy, not something agencies can implement “overnight.”
“For most agencies, the best places to start are around identity, and then also looking at what capabilities you might have in the control plane. Those two first, because if you don’t know who’s coming in, you can’t get a level of assurance around them,” Hernandez said.
Additionally, Wales noted that programs such as the Continuous Diagnostics and Mitigation (CDM) Program will be “essential” to implementing zero trust. CDM is helping agencies accelerate the move to zero trust and provides increased network monitoring abilities, he said.