While zero trust may be the latest buzzword in cybersecurity, the security principles behind a zero trust architecture aren’t new. Adoption across the Federal government has been slow as agencies deal with legacy systems, budget issues, competing priorities, and a shortage of security experts.
President Biden’s recent cybersecurity executive order outlined the actions Federal agencies should take to move towards a more secure government. Implementation of zero trust architecture is central among these actions. With recent large-scale cyber events like the Colonial Pipeline ransomware attack, it’s become imperative for Federal technology teams to evolve their security protocols so they don’t have a similar incident, which could put national security at risk and do irreparable damage to public trust.
Cultivating a secure Federal environment requires consistent maintenance, modernization, and optimization. MeriTalk recently connected with Glen Pendley, deputy chief technology officer at Tenable, which helps Federal agencies and private sector organizations around the world understand and reduce their cybersecurity risk, to explore how zero trust principles can shape a new era for Federal cybersecurity.
MeriTalk: The principles of zero trust have been around for a long time in government, although they weren’t known by that name until recently. How have recent modernization efforts helped push zero trust into the spotlight?
Glen Pendley: The concept of zero trust has been around for a few decades, but implementing it hasn’t been a priority. Zero trust involves a paradigm shift in how security teams secure networks. Long-standing security protocols center around a secure perimeter and trust – anyone who is granted permission to get through the perimeter is trusted to move freely around the network. With zero trust, nobody is trusted, even when they have cleared the perimeter. Users are assigned roles and can only access areas of the network allowed by their roles. Zero trust integrates security throughout the network, not just at the perimeter, mitigating risk of widespread damage and lateral movement if a bad actor breaks through perimeter security barriers.
With digital transformation, the push to modernize legacy systems, and COVID-19 shifting where people work and where they access Federal networks, the need to implement zero trust principles became very apparent. Recent large-scale cyberattacks, where entire networks have been brought down by bad actors that have cleared the perimeter, have reinforced the need. Agencies are now actively trying to apply the zero trust philosophy.
At the end of the day, it comes down to modernization. More and more people are realizing that the same old security methods just aren’t working. They’re looking to change.
MeriTalk: NIST advises agencies to view zero trust as an evolution of their current cybersecurity strategies. What recommendations do you have for Federal agencies that are just beginning the journey to zero trust?
Pendley: There’s a huge misconception that zero trust is a “thing” that can be purchased and implemented as a one-time exercise to create a secure environment. Zero trust is a philosophy, and that’s the most important thing for Federal agencies to realize. It’s a journey without an end. Embracing a zero trust philosophy will guide security decisions for the long term.
Once zero trust is viewed in that light, agencies can take a holistic approach to securing their environments, creating a roadmap based on their unique security needs. Typically, this starts with visibility into their systems. NIST lays this out really well in its guidance.
For agencies just starting out, the first step is to identify the systems and data that comprise their environment, the roles and responsibilities of the people touching those systems, and where cybersecurity vulnerabilities may arise. Based on that, they can develop a clear security plan by quantifying what their mission critical systems are, then developing and implementing privileged access to those systems. It’s truly a step-by-step process, just like learning how to walk before you learn how to run. Agencies need to do the basics before anything else.
MeriTalk: You talk about building a plan. However, conversations around zero trust tend to focus on the technology solutions – is that putting the cart before the horse?
Pendley: It is. New and shiny tools will always be coming on the market, but there’s no silver bullet to zero trust. Say I’m the CISO of a Federal agency, and I see that Biden’s cyber EO has come out. I could be tempted to think that because zero trust is something my agency needs to implement, I’m going to pick up the phone and call a vendor for a tool. While this may chip away at some security vulnerabilities, it won’t fully achieve a zero trust architecture.
A comprehensive approach starts with good basic hygiene – understanding the unique needs of the agency, prioritizing what’s important, and then picking the right vendors to support those priorities. Organizations must understand what they have, and put together an action plan based on that understanding to chart a path forward with building and maintaining a zero trust architecture.
MeriTalk: What are some potential pitfalls for agencies to avoid on their path to zero trust?
Pendley: The challenges I see aren’t necessarily related to the technology – they’re related to the mindset of zero trust. We say zero trust is a journey, but it’s one without a destination. Agencies will have to continually audit, especially when it comes to identities and access. Even if an organization did a perfect job of auditing – which is never possible but let’s pretend it is – the next day, everything can change. New users will come in and old ones will exit. The system is like a living, breathing organism that needs constant attention in the form of auditing.
Active Directory is a perfect example. Active Directory is so critical to the environment that in almost every major breach over the last several months, including the SolarWinds hack, it was the first thing attackers targeted in order to move laterally within the system. Active Directory verifies credentials and defines user access rights. If Active Directory isn’t audited and maintained, a bad actor could be cleared and verified using stolen or old credentials. If a zero trust architecture isn’t in place, once that bad actor has been verified, they are free to move about the entire network.
The world today moves so quickly, and agencies have to prepare themselves to keep pace with changes and demands. It’s something that’s never been asked of these organizations before.
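As an added illustration of the identity auditing Pendley describes (example code written for this page, not Tenable's or MeriTalk's software), the script below runs a simple review over a constructed, Active Directory-style account export: enabled accounts that have not authenticated recently are flagged as stale, enabled accounts whose owner has left are flagged as orphaned, and any finding on a member of a privileged group is escalated. The field names, group names and sample records are assumptions made for the example.

```python
"""Stale / orphaned identity audit over constructed Active Directory-style records.

Added example, not code from the article or from Tenable. Field names
(sam, enabled, last_logon, member_of, hr_status) are assumptions that mirror
common directory attributes, and every record below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Groups whose members get escalated findings (assumed set for the example).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample export (not real accounts). last_logon is None when the
# account has never authenticated.
SAMPLE_ACCOUNTS = [
    {"sam": "jdoe", "enabled": True, "last_logon": "2021-06-10T14:00:00+00:00",
     "member_of": ["Domain Users"], "hr_status": "active"},
    {"sam": "svc_backup", "enabled": True, "last_logon": "2020-11-02T03:00:00+00:00",
     "member_of": ["Domain Admins"], "hr_status": "service"},
    {"sam": "contractor7", "enabled": True, "last_logon": "2021-05-01T09:30:00+00:00",
     "member_of": ["Domain Users"], "hr_status": "separated"},
    {"sam": "oldadmin", "enabled": False, "last_logon": "2019-01-15T12:00:00+00:00",
     "member_of": ["Enterprise Admins"], "hr_status": "separated"},
    {"sam": "newhire", "enabled": True, "last_logon": None,
     "member_of": ["Domain Users"], "hr_status": "active"},
]

# Fixed "today" so the results are reproducible offline.
NOW = datetime(2021, 6, 15, tzinfo=timezone.utc)


def audit_accounts(accounts, now=NOW, max_idle_days=90):
    """Return findings for accounts that violate the review rules.

    Rules (applied only to enabled accounts; disabled ones cannot log in):
      stale    - no logon within max_idle_days (never-logged-on counts as stale)
      orphaned - owner is marked separated in HR, yet the account is still enabled
    Any finding on a member of a privileged group is escalated to 'high'.
    """
    findings = []
    cutoff = now - timedelta(days=max_idle_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        last = acct["last_logon"]
        if last is None or datetime.fromisoformat(last) < cutoff:
            reasons.append("stale")
        if acct["hr_status"] == "separated":
            reasons.append("orphaned")
        if not reasons:
            continue
        privileged = bool(PRIVILEGED_GROUPS & set(acct["member_of"]))
        findings.append({
            "account": acct["sam"],
            "severity": "high" if privileged else "medium",
            "reasons": reasons,
        })
    return findings


def summarize(findings):
    """Count findings by severity for a one-line report."""
    counts = {"high": 0, "medium": 0}
    for finding in findings:
        counts[finding["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS)
    for finding in results:
        print(f"{finding['severity']:6} {finding['account']:12} {', '.join(finding['reasons'])}")
    print(summarize(results))
```

On the constructed data this flags the privileged service account as a high-severity stale identity, the departed contractor as orphaned, and the never-used new account as stale; the disabled former admin is skipped because it cannot authenticate. In practice the export would come from the directory itself and the HR status from the authoritative personnel system, and the review would be scheduled rather than run once.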
MeriTalk: Let’s dive into Tenable specifically, and your approach to zero trust with Federal agencies. What do you offer to agencies that would help them on their zero trust journey?
Pendley: Our approach to security mirrors NIST guidance when it comes to visibility. We offer agencies visibility into their environment and the ability to leverage that understanding to build layers of security throughout.
In Federal agencies there are a lot of moving parts, huge amounts of data, and many people accessing the network. It’s easy for a mistake to be made. Tenable works with administrators to give them insight into who is accessing the network and what they are doing when they are in the network. That all ties back to good hygiene and the first step of implementing zero trust – gaining visibility into the systems, which is our specialty.
MeriTalk: What advice do you have for Federal technology leaders who are ready to implement zero trust across their networks?
Pendley: Zero trust is a new way to secure your environment. The perimeter model has been the security standard, where we all were worried about the people on the outside. Now, every single one of us is our own perimeter, especially with remote work. Zero trust is equipped to secure the whole network while enabling these hundreds of thousands of separate individuals and connections to do the jobs they need to do to achieve the mission – nothing more and nothing less.
That shift takes buy-in from people throughout the agency, including end users, stakeholders, and leadership. The whole agency philosophically has to buy into the zero trust approach for it to work. It won’t happen overnight. It is bigger than just you and your team. It’s more than one product or one solution.
Be persistent in your drive to modernize, because if you continue to do what has historically always been done, you’ll be the one in the news.