The General Services Administration (GSA) was an early adopter of zero trust security architecture, and Chief Information Officer (CIO) David Shive said this week that the next step for the agency is to focus on application-level security.
At the Zscaler Public Sector Summit in Washington, D.C. on March 8, Shive explained how the agency has made great progress in its zero trust journey – which started back in 2016. GSA has tackled the Cybersecurity and Infrastructure Security Agency’s (CISA) zero trust pillars such as identity, device, and network, but the next piece of the puzzle is application security.
“We’ve made a lot of headway in our zero trust implementation, based on a strategy that we developed initially and then informed by really great work coming out of CISA,” Shive said. “We’re tackling the next big challenge, which is application-level security.”
“Having users authenticate in and have continual authentication is great work, but having them get access to their data into the applications on that same continual way – and having the applications know to check for that – that’s a much more difficult challenge,” he added.
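The application-side check Shive describes, re-evaluating the user's and device's standing on every request rather than trusting the initial login, is illustrated below. This is an added example, not GSA's code or any vendor's product; the session layout, the fifteen-minute re-verification window, and the directory and device-inventory data are all constructed assumptions for illustration.

```python
"""Per-request re-evaluation of identity and device context inside an application.

Added example (not GSA's code). The session format, the MAX_SESSION_AGE window,
and the sample user directory / device inventory are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: an application should not act on an identity assertion older than this
# without the identity provider re-confirming it.
MAX_SESSION_AGE = timedelta(minutes=15)

# Constructed clock so the example is deterministic.
NOW = datetime(2024, 3, 8, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Session:
    user: str
    device_id: str
    issued_at: datetime      # when the user first authenticated
    verified_at: datetime    # last time the identity provider re-confirmed the user


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_request(session, now, users, devices):
    """Decide one request. Every check runs on every call: nothing is cached from login.

    users:   constructed directory   {user: {"active": bool}}
    devices: constructed inventory   {device_id: {"owner": user, "compliant": bool}}
    """
    user = users.get(session.user)
    if user is None or not user["active"]:
        return Decision(False, "user disabled or unknown")
    device = devices.get(session.device_id)
    if device is None or device["owner"] != session.user:
        return Decision(False, "device not enrolled to this user")
    if not device["compliant"]:
        return Decision(False, "device out of compliance")
    if now - session.verified_at > MAX_SESSION_AGE:
        return Decision(False, "identity verification stale; re-authenticate")
    return Decision(True, "ok")


def sample_users():
    """Constructed directory: alice is active, bob was disabled after logging in."""
    return {"alice": {"active": True}, "bob": {"active": False}}


def sample_devices():
    """Constructed inventory: laptop-2 has drifted out of compliance mid-session."""
    return {
        "laptop-1": {"owner": "alice", "compliant": True},
        "laptop-2": {"owner": "alice", "compliant": False},
    }


def make_session(user, device_id, minutes_since_verified):
    """Build a session that authenticated two hours ago and was last re-verified N minutes ago."""
    return Session(user, device_id,
                   NOW - timedelta(hours=2),
                   NOW - timedelta(minutes=minutes_since_verified))


def demo():
    """Run four representative requests and return (label, Decision) pairs."""
    cases = [
        ("fresh, compliant", make_session("alice", "laptop-1", 5)),
        ("stale verification", make_session("alice", "laptop-1", 30)),
        ("device drifted", make_session("alice", "laptop-2", 5)),
        ("user disabled", make_session("bob", "laptop-1", 5)),
    ]
    return [(label, evaluate_request(s, NOW, sample_users(), sample_devices()))
            for label, s in cases]


if __name__ == "__main__":
    for label, d in demo():
        print(f"{label:20s} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

The point of the design is that a session that was valid at login stops being sufficient on its own: the disabled user, the non-compliant device and the stale verification are all rejected at the application layer, which is the "applications know to check for that" part of the quote.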
The CIO was joined by GSA’s Chief Information Security Officer (CISO) Bo Berlas, who dived deeper into the topic of application security.
“Application security – it makes me so happy for us to be able to actually talk about this because, of the five zero trust pillars, data and applications are really fundamental,” the CISO said. “And in our journey, we focused around the first, what we believe are foundational layers, particularly around devices, users, and networks – and applications and data are really what’s next.”
Berlas explained that GSA has aligned to the Supply-chain Levels for Software Artifacts (SLSA, pronounced “salsa”) framework, which is “focused around building in application security from the start.”
Additionally, he noted that while GSA already has micro-segmentation for users, devices, and containerized workloads running in the cloud, the agency has a gap when it comes to micro-segmentation within the data center itself.
“We’re looking to go through and actually ensure that the same level of micro-segmentation that we’re doing – ensuring that an application can only talk to its database, can only talk to its related web server – those are actually being defined, understood, and limited based on micro-segmentation rule sets,” he said.
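The rule set Berlas describes, in which an application may talk only to its own database and its own web server and everything else is denied, can be expressed as a small default-deny allow-list. The following is an added example, not GSA's configuration; the tier labels, ports and sample flows are constructed for illustration.

```python
"""Default-deny micro-segmentation rule set for a three-tier application.

Added example, not GSA's configuration. Tier labels, ports and the sample
flows are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One explicitly permitted relationship, directional (src initiates to dst)."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    """An observed or requested connection attempt."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"


# Allow-list: only the relationships the application actually needs.
# Anything not listed here is denied, including web -> db and db -> app.
APP_RULES = (
    Rule("web", "app", 8443),   # web tier reaches the application tier on HTTPS
    Rule("app", "db", 5432),    # application tier reaches its database
)


def is_allowed(flow, rules=APP_RULES):
    """Default deny: a flow passes only if an explicit rule matches it exactly."""
    return any(
        r.src == flow.src and r.dst == flow.dst
        and r.port == flow.port and r.proto == flow.proto
        for r in rules
    )


def evaluate_flows(flows, rules=APP_RULES):
    """Split flows into (allowed, denied). Denied flows are the ones worth alerting on."""
    allowed, denied = [], []
    for f in flows:
        (allowed if is_allowed(f, rules) else denied).append(f)
    return allowed, denied


def sample_flows():
    """Constructed traffic: two legitimate flows and three that the rule set must block."""
    return [
        Flow("web", "app", 8443),   # legitimate
        Flow("app", "db", 5432),    # legitimate
        Flow("web", "db", 5432),    # web tier bypassing the app tier
        Flow("db", "app", 8443),    # database initiating toward the app
        Flow("app", "db", 22),      # right pair of tiers, wrong port
    ]


if __name__ == "__main__":
    ok, blocked = evaluate_flows(sample_flows())
    for f in ok:
        print(f"ALLOW {f.src} -> {f.dst}:{f.port}/{f.proto}")
    for f in blocked:
        print(f"DENY  {f.src} -> {f.dst}:{f.port}/{f.proto}")
```

Two properties of the evaluator matter for the data-center gap he describes: rules are directional, so the database never initiates toward the application, and there is no implicit "same tier" or "same subnet" allowance, so a flow that is off by one port or one hop is denied rather than silently permitted. Return traffic for an allowed connection is assumed to be handled by connection tracking in the enforcing device, as is usual for stateful segmentation.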