The government’s move to zero trust security is picking up speed, with Federal agencies facing an Office of Management and Budget deadline to meet specific zero trust goals by the end of fiscal year 2024. Peter Romness specializes in just this type of situation: the cybersecurity principal in the CISO Advisor’s Office at Cisco Systems has been helping government customers achieve their missions for nearly 35 years. In a recent interview with MeriTalk, Romness offered expert tips to agencies on how they can make faster progress – often with existing tools – in boosting cybersecurity and meeting the Federal mandates.
MeriTalk: How would you assess the progress Federal agencies are making in moving to zero trust architectures? What differentiates the agencies that are further along?
Romness: I think most agencies have developed a zero trust roadmap. The question is how far down the road they are. The good news is that pretty much everybody in government has bought into zero trust and can see its value. They also appreciate having the directive because it gives them cover from above as they push to get things done.
Budget is a common driver that determines how fast agencies can move. Focus from the IT team and management is also a driver. But I think the biggest driver is complexity. Zero trust is fairly easy to understand, but it’s not easy to implement in a large, complex environment. Complexity can be related to agency size, but that’s not the only factor. A very small agency could have tons of devices, for example, whereas a large one may just have one device per person. The design of the legacy network can also help or hinder zero trust implementation.
MeriTalk: The National Institute of Standards and Technology (NIST) says zero trust begins with a survey of assets, subjects, data flows, and workflows. What challenges have agencies faced as they conduct an initial survey and keep it up to date?
Romness: This survey is essential because you can’t protect what you don’t know you have. But it’s easy to sit in an ivory tower and say, ‘Find all of the assets and activities and people and data flows in an environment.’ In a huge environment with lots of devices and lots of people making changes, those changes can be very hard to detect. Cisco has some automated tools for finding all of the devices, people, and workflows in the network. We worked with one large agency with a lot of Internet of Things devices. The agency used our network access and identity tool to identify those devices, track them, and determine what resources they can access. Before the agency used this tool, they would lose track of devices if they were unplugged or moved. With the tool, they were able to get a better handle on all their devices. They improved network security and access, as well as inventory management.
MeriTalk: Implementing a zero trust architecture is “a journey rather than a wholesale replacement of infrastructure or processes,” according to NIST. Yet many agencies have traditionally used a “rip and replace” model to improve their security posture. How can agencies make zero trust progress with existing solutions?
Romness: I am totally in alignment with NIST. You don’t have to rip and replace everything to achieve zero trust. Many of the tools that have been in networks for a long time are capable of meeting zero trust goals. Many of the switches that agencies have been buying from Cisco for the last 15 years, for example, have zero trust capabilities. This gets back to the idea that zero trust is not something you buy. It’s a way of looking at things, an architectural approach. If you start looking at what you already have, you often find you can make it fit zero trust goals. You can make small changes by turning a feature on or adding a new tool that takes advantage of a feature in existing equipment. It’s all part of developing a zero trust mindset.
MeriTalk: A key goal of a zero trust architecture is reducing complexity. What are some strategies for reducing complexity as agencies implement their zero trust roadmaps?
Romness: In order to make the risk-based decisions that zero trust requires, a lot of security and network management tools are involved. If you have too many tools, the complexity goes up, and training staff to use each tool becomes an administrative burden. Not only that, but staff can’t manually keep up with all of these risk-based decisions. The key to reducing that complexity is integration and automation. It provides the ability to automatically and quickly make decisions based on risk-based thought. It helps defenders see all of the threats in their environment and block things with one or two clicks.
MeriTalk: Zero trust solutions from Cisco integrate with other vendor security products and solutions using open standards. How have you seen this integration benefit Federal agencies?
Romness: A long time ago, Cisco was somewhat proprietary in how we did things. I don’t think anybody back then played well with others. But now it’s very common for us to work with other organizations, which provides multiple benefits to agencies. We have open application programming interfaces (APIs) on all of our products, as well as development kits. We also created Cisco Platform Exchange Grid (pxGrid), a standards-based protocol that enables sharing of telemetry data among multiple devices to contain threats faster. For integration and automation, you need to be able to talk to all the devices.
Cisco XDR, our extended detection and response solution, has pre-written integrations for most competitive products, and for many products, that integration is fully supported by Cisco. And when we are talking zero trust solutions from Cisco, I would be remiss if I did not mention Duo, our multifactor authentication and access management solution. It is highly scalable and can be easily integrated with most major apps, including custom apps with minimal IT involvement – easing the zero trust burden on IT shops and minimizing the risk of data breaches.
MeriTalk: The 2023 FITARA scorecard shows that cybersecurity continues to be a lagging category for many agencies, with only eight graded “B” or better. What’s your advice for agencies seeking to improve their overall cybersecurity posture – and their cyber score?
Romness: Again, you don’t want to throw everything away. You want to know what you have. You want to have a plan to get to where you want to be, and then you need to start attacking your plan with the end goal in sight. It’s not going to happen overnight, especially in a large, complicated environment. The hard part is often not technology but rather the cultural changes that your people and your policies need to go through to establish a zero trust mindset. All of these things need to come together to meet the cybersecurity goals set out in FITARA.
Overall, there is good news as we’re watching agencies on their zero trust journey. They are saving time and money by automating access management. They are making network defenders’ jobs less tedious and more efficient by integrating and automating security tools. And they are delighting users by allowing them to enter passwords less often and access the data they need from more places on more devices.