The COVID-19 pandemic moved the zero trust network security model from a theoretical discussion in many government agencies to a priority, government and industry executives said Dec. 3 during MeriTalk’s virtual CDM Central conference.
“Since we were dispersed, we could no longer rely on network-centric security. We were already moving away from it with our TIC 3.0 pilot and our cloud-based CDM pilot,” said James Saunders, chief information security officer at the Small Business Administration. “We had to embrace zero trust security. It is helping us deliver our mission. It is not a theoretical exercise.”
Remote organizations must work harder to protect employees and data, noted Robert S. Tagalicod, chief of cyber communications and engagement at the Office of Information Security in the Department of Health and Human Services (HHS). “Zero trust provides a philosophy that requires us to think about business requirements and technologies from an integrated approach that includes device security, network security, data security, and workflow zero-trust security, as well as identity and access management.”
Proliferating security threats make zero trust adoption critical, the experts agreed.
“Attacks to harvest credentials have become very cheap,” observed Nate Russ, civilian regional vice president at Tanium, a CDM solution provider. “Hackers now use algorithms that can outperform humans 1,000 to one. By leveraging inappropriate or unnecessary access, the damage is often done before the SOC can detect the behaviors. The most urgent focus is around lateral movement detection and blocking of unnecessary rights, so agencies can proactively understand what rights are given to users and machines and then apply that least privileged model.”
Zero trust platforms “can support our resiliency goals by providing HHS the flexibility to protect against new threats by adapting to the landscape and scaling to meet our organization’s needs,” Tagalicod said.
Alignment of the security operations center and network operations center with a common platform improves visibility into agency cyber posture, Russ said. “It’s really about getting the right data to the people at the right time,” he noted. It enables lateral movement across the network perimeter, improving the security model and giving a greater approach to network security.
The Continuous Diagnostics and Mitigation (CDM) Program, managed by the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency, is helping agencies accelerate the move to zero trust, said Matt Park, business development and partnerships lead at Forcepoint, a CDM solution provider.
“Agencies are using the CDM tools that they received earlier in the program, and they are going from crawl to walk or run, where run is zero trust,” Park said. “In most cases, there is a path for agencies to take most of their CDM investment … and quickly start scoring points against their zero-trust objective.”
Rapid adoption of cloud services to enable remote work also helps to enable zero trust, Saunders noted.
“Zero trust with third-party cloud mobility fits perfectly, and that’s because most third-party cloud providers are zero-trust ready, meaning they already have native zero trust capabilities,” he said. “More importantly, they allow you to connect your own identity store. And if you can connect your systems to that third-party cloud, the same policies for everything else can apply to that [cloud] environment.”
Getting started with zero trust architectures and this new approach to network
security can be challenging.
“Full-blown zero trust security requires hundreds of touches a day, at every endpoint, user profile, and firewall,” Park said. “Organizations tend to get stuck – and they give up or move on to something else.”
To succeed, federal agencies must understand that zero trust doesn’t have an end state, Saunders said. “Don’t try to build zero trust all at once,” he advised. “It is something you build use case by use case.”
Culture change is key. “You need to focus on your people and start developing a culture of automation,” Park advised. “Make a couple of key automation hires, and when you’re ready, point your team at your change control process. This will teach you to touch every piece in your infrastructure, save you labor hours, and set you up for success.”
Data currency is also essential. “Often agencies are working off stale data that can be days or even months old,” Russ said. “The implementation of zero trust platform solutions allows for near real-time investigation, detection, and remediation of endpoints to deliver speed, visibility and control.”
For more recommendations on getting started and ensuring success with zero trust, listen to the full conversation, and explore the latest MeriTalk research on CDM.
And for a look at how CDM’s secret sauce is prepared, please enjoy the accompanying CDM Central video.