The Department of Homeland Security (DHS) has had a 900 percent increase in the use of Teams, Microsoft’s collaboration platform, and a 483 percent increase in the use of virtual private networks (VPN) during the COVID-19 pandemic, a DHS official said.
Brian Forsythe, branch chief of Technical Assessments at DHS, said the department has enacted zero-trust in Office-365, which he called a “low-hanging fruit,” and is looking to grow that security work to other areas.
“It’s a prime time right now as we push all these legacy systems and applications to a cloud environment to take a look at their trusts,” said Forsythe, speaking during an ATARC webinar May 7. “Zero-trust is a principle,” he said, “it’s implementing security in many processes in many different ways.”
The goal of zero-trust is “to establish a secure Federal architecture to protect data,” said Brian Gattoni, CTO in the Cybersecurity Division at DHS’ Cybersecurity and Infrastructure Security Agency.
Gattoni likened zero-trust to the security of a house, stating that multiple checks occur to give assurance that “the person who came in the very front door and walks through all the other doors in the house is the same person the whole way.” Gattoni expanded his analogy to include not just people, but entities as many security incidents involve robocalls or other automated technology.
One of the keys for zero-trust is “understanding access control and how we are going to manage those identities in the cloud environment,” said Renata Spinks, cyber technology officer in the United States Marine Corps. Spinks said her department is “leaping into to Office 365” during the pandemic.
“We trust, we verify, we examine and monitor behavior,” she said, “then we trust again, and then we verify again.”
Having the active directory cleaned up in order to identify users is important, Spinks said. Ironically, Spinks summed up zero-trust in this way, “Trust, verify, and trust again.”