6 speakers
Feb 23, 2022 2:00 p.m. ET
Date: On Demand
Duration: 1 hour
Description
The final version of the Biden administration’s zero trust strategy debuted in late January.
As federal Chief Information Security Officer Chris DeRusha said after it came out, the strategy is a starting point.
While the journey will be long and hard, DeRusha and other administration leadership believe the strategy gives agencies a common approach that is just prescriptive enough to move agencies toward a common set of goals.
At the center of the zero trust strategy is identity and access management (IDAM).
While IDAM is far from a new cyber protection, OMB believes improving identity and access management as part of a zero trust environment is a quick way to improve system and data security and make agencies more resilient.
Of course, there is more to zero trust than just identity and access management. The Cybersecurity and Infrastructure Security Agency (CISA) maturity model details four other pillars, and then there is the integration among systems. The complexity will only grow as agencies add operational technology (OT) to the mix of what they have to protect.
“Agencies are starting to look at what they have in their environments, doing assessments and looking at things that they have and that are inherent in their current architectures and capabilities. They also are looking at those gaps,” said John Simms, a senior technology advisor for the Office of the Chief Technology Officer at the Cybersecurity and Infrastructure Security Agency, during the panel discussion Take Control of Privileged Access Before Attackers Do. “They’re starting to look at how they’re going to transition from their traditional architectures to those of zero trust. I know the continuous diagnostics and mitigation (CDM) plays a huge part in that role in terms of like the sensoring of the networks and what have you. So I think that’s some of those preliminary steps that we’re seeing in terms of where the agencies are at today, and where they’re headed next couple of weeks.”
OMB made it clear in the strategy that agencies will move toward zero trust at their own pace based on their current capabilities and how quickly they can fill their gaps.
Gerald Caron, the chief information officer for the Office of the Inspector General at the Department of Health and Human Services, said he is conducting an inventory of cyber tools and capabilities. Caron said he is using a straightforward red, yellow and green grading system based on the capabilities outlined in the CISA maturity model.
Caron said one area of focus is trying to apply a dynamic risk scoring approach to privileged user accounts.
“It’s basically what will tell the policy engine, when you look at NIST 800-207 for what needs to be done, it’s based on your risk tolerances. So all those users, privileged users, normal users, power users, whatever types of user categories you have, they all have different levels of risk, I would say those privileged users have a very high level of risk, as a result of what they have access to,” he said. “When we talk about identity, and we talk about access and authentication, it can’t be a one-time linear event. It has to be ongoing and evaluated all the time because there’s factors that can change at any time. We’ve got to be able to measure those and based off whatever your threshold is take the appropriate action. That has to be ongoing authentication, ongoing access in my mind.”
Gary Buchanan, the director of the cybersecurity office and chief information security officer at the National Geospatial Intelligence Agency, said zero trust is not a new concept for the intelligence community.
“We already have some robust capabilities, like multi-factor authentication, which is nothing new to us, encryption of data-at-rest, and in transit. But there are some different tenets with the zero trust specific implementation that we’re going to look at from that lens again,” he said. “That different lens is about how we’re going to look at how our systems that are connected, how users are accessing the data, how we’re tagging the data. If we assume that we’ve already been breached, then how do we ensure the least amount of damage that can be caused by a potential insider or someone that is outside of our organization?”
Sean Connelly, the TIC program manager at the Cybersecurity and Infrastructure Security Agency, said the long-term vision for zero trust is to make it harder for attackers to move laterally across networks and limit agency exposure.
He said that through the CDM program, agencies focused on the who and the what, and now they are trying to answer the harder question of why.
“That’s a difficult question to answer, the why? It’s that context with what they are doing with the access, I think, is where we’re going to see a lot of focus,” Connelly said. “I think that’s reflected in the strategy, which mentions about building out new data sources to leverage as we build out the new ICAM solutions.”
Josh Brodbent, the regional vice president for public sector solutions engineering at Beyond Trust, said agencies need to understand what data they have and where the data is located in order to better the context around why a user needs access to specific data.
He said these concepts become even more important as zero trust crosses between IT and OT.
“We take a look at those IoT devices and the hardware that ends up on the networks, the conversation around zero trust that I tend to have really revolves around this concept that these are now all devices that have authorization authentication on your network. So as we have these devices that exist, and they converge into our IT networks, into our identity stores, into everything that we have, so we have to step back and continue that zero trust conversation around these devices,” Brodbent said. “How do we make sure that they stay isolated? How do we essentially manage their identities and make sure that they actually have only the access that they need, which in this case, usually is just some form of internet access so that they can continue to be monitored?”
Please register using the form on this page or call (202) 895-5023.