When it comes to zero trust, the common adage that there is no silver bullet and no one-size-fits-all becomes truer with each implementation.
Each agency’s journey to get to the “end result” — the cyber journey never really ends — will take a bit of a different path, but strive to achieve the same goal of better protections for systems and data.
Take the Homeland Security Department’s Science and Technology Directorate. They are looking at the integration of operational technology, like for heating and cooling systems, with information technology, like for your laptop.
Over at the General Services Administration’s Technology Transformation Service, one initiative is to bring zero trust capabilities to the Max.gov internal site. The focus is around more advanced authentication tools and services.
A third example is the Army Software Factory. The organization is training servicemembers and civilians on the DevSecOps methodology where security automation drives as much of the process as possible.
“In regards to zero trust … the journey entails a couple of things: understanding the strategy itself. The second part of that is understanding the maturity model that exists for that strategy because not everyone is in the same place at any given time as you, needing to go through a process of understanding your environment by doing discovery and knowing what you have. Then, based upon that, you can be able to visualize that information to be able to take some actions that were on that, and those actions will be somewhat focusing on segmentation,” said Fatoma Kallon, the cybersecurity evangelist for the public sector at Akamai, during a recent zero trust event sponsored by ATARC, a portion of which ran on Ask the CIO. “Identity management is one area we’ve seen a lot of our customers trying to focus on to try to get a centralized or enterprise level solution. The second piece of that: going through a discovery to know what they have in house, because most folks don’t have the knowledge of all the applications that they have.”
Identity for RPA too
Togai Andrews, the chief information security officer at the Bureau of Engraving and Printing at the Treasury Department, said the other common theme that has emerged over the last year or so was the need to create a persistent awareness about cybersecurity more broadly.
“The second piece that I have found very successful for me is not focusing on the technology or the technical aspect, but actually showing the business value to help that cultural shift,” he said.
Andrews said BEP is revamping their identity and access management strategy so the program includes automation around the lifecycle of identity, whether it’s a person or a machine.
“It’s important from the onset, when you’re in the initial phase or planning phase of what is an ICAM program, or as large as zero trust strategy and implementation, is to treat both entities or both forms of entities somewhat of the same. For us, our robotics process automation (RPA) or automation journey is still in its infancy. This is a great opportunity for us to really apply those same principles that we are applying to human identities to those non-human identities also,” Andrews said. “But it’s not just the automation piece, it’s also the devices, now that we find ourselves in a hybrid work environment where you have a set of the workforce working remotely. That in itself is pushing us to go toward more bring your own device (BYOD). We have to look at not just what we are looking at digests our human identity, but the machines’ identities, and ensuring that regardless of whether we own the machine or the user on the machine, we can manage the lifecycle of that device identity. That’s part of what our ICAM program for fiscal 2023 is geared toward.”
“Anytime somebody from an agency has to log into an application that is internet facing and that some other agency has developed, they don’t have to create a whole new identity and they’re able to authenticate using that identity,” she said. “It’s a really fun problem set to think about and to develop and doing it at TTS and really put that customer experience spin on it. We’re focusing a lot on the open security control assessment language and always doing things with FedRAMP in mind; that’s also within our portfolio as well.”
Feola said it looks like the path forward for Max.gov, and possibly other sites, is to use an identity broker so that users keep their identity that they’ve been given from their agency, and a hub federates them together. She added Login.gov will be an identity provider that is federated into that hub.
While identity and access management will continue to be a foundational aspect of any zero trust journey, the Army also is focusing on the automation piece for all new software code.
Angel Phaneuf, the chief information security officer for the Army Software Factory, said security automation in the continuous integration/continuous delivery (CI/CD) pipelines will help get their applications into production a lot sooner.
“We are definitely focused a lot on how we bake in zero trust as our DNA. This is something I always say, like zero trust is a bit of a marriage because you have to continuously work on it for it to be productive; you can’t just do it once,” Phaneuf said. “You have to continuously feed, maintain, update and make sure you’re keeping up with technology. Any vendors that we’ve put in place now, it doesn’t mean that we’re going to be with them forever. I may have just rattled some boots in the room, sorry, but as the speed of technology goes, and as fast as it’s moving, we have to move with it.”
The speed of change and how zero trust concepts can keep up is a longer-term effort at DHS S&T.
Donald Coulter, a senior science advisor for cybersecurity in S&T, said the OT/IT integration is a zero trust focus area as part of its critical infrastructure security and resilience research program.
“We are getting a look at spreading some of these zero trust principles across some of these legacy OT systems. It is going to be a critical area that we will focus on over the next few years here,” Coulter said. “Our responsibility there is to protect the critical infrastructure and working across public and private partnerships in that domain. There’s so many applications not just within CISA and what we protect there, but across the transportation sector, the energy sector and other sectors. We’re partnering with the Department of Energy as well. So there are so many applications, there’s so many different devices out there that are getting connected to the internet and to the networks that we have that gaping opportunity for us to increase the resilience of.”