When it comes to zero trust, the Veterans Affairs Department is all about striking the right balance.
The White House’s requirements under its zero trust strategy and implementation plan are prescriptive, yet lenient enough to let VA find its own way of meeting the security goals of the governmentwide initiative.
Kurt DelBene, the assistant secretary for information and technology and chief information officer at VA, said the agency has been addressing many of the fundamentals of the zero trust pillars.
“We’re very focused around getting to 100% multi-factor authentication (MFA). That’s in terms of both end users connecting to the network, but also systems using single sign-on, which implements MFA,” DelBene said on Ask the CIO. “We have 100% deployment of making sure our devices are secure by having antivirus software and constantly scanning them in our network or servers, making sure they’re at a baseline level of configuration that has all the patches on it, etc. One of the other key things is around least privileged access; that is a challenging thing to do in an organization like the VA where we have over 1,000 systems. But we’ve identified a set of bedrock systems, the ones that everybody depends upon, and a set of critical systems, that next level, that are really the ones that run the VA, and getting to a point where we’ve validated access lists for all those systems is really critical.”
At the same time, VA is also focusing on reducing the number of non-human accounts connecting to the network, increasing the sophistication of server-to-server connections and reducing the number of server accounts.
DelBene said the whole point of zero trust is to stop lateral movement across networks and prevent bad actors from hiding until they are ready to strike.
“You have to have great telemetry that’s looking for these signals that you’ve been compromised. Finally, getting really great around remediation, the time to cordon off that issue, the time to remediate it, you need to drive that down, down, down. The first thing you do there is you got to measure it. How long did it take for a particular vulnerability? How quickly did it get closed? How quickly were you able to remediate that particular device?” he said. “We’re looking across the entire frame of zero trust, and then super important to us is for it to be prioritized. So we look for a technical perspective of what we think the greatest vulnerabilities are and which are the ones we want to close first because zero trust isn’t a place where you actually get to and you’re done. It’s a journey that’s going to be lather, rinse and repeat over and over again.”
And each of those cycles will be based on current risks and driven by a set of organizational goals or metrics that VA updates twice a year.
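DelBene’s point that remediation has to be measured before it can be driven down is easy to turn into code. The following is an added example, not VA’s tooling or data: it takes a few constructed vulnerability-tracking records, computes per-severity time-to-remediate figures (median days to close, share closed within SLA, open findings already past SLA) and orders the open backlog so the highest-severity, most overdue items come first. The SLA targets, record fields and dates are assumptions made for the example.

```python
"""Remediation-time metrics over a constructed vulnerability-tracking extract.

Added example, not VA's tooling. It computes the "how long did it take to
close it" numbers per severity and produces a prioritized open backlog.
"""
from datetime import datetime
from statistics import median

# Constructed sample records (not real VA data): one row per finding.
# 'closed' is None for findings that are still open.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "asset": "srv-01", "opened": "2024-03-01", "closed": "2024-03-04"},
    {"id": "F-2", "severity": "critical", "asset": "srv-02", "opened": "2024-03-05", "closed": "2024-03-20"},
    {"id": "F-3", "severity": "critical", "asset": "srv-03", "opened": "2024-03-20", "closed": None},
    {"id": "F-4", "severity": "high",     "asset": "srv-01", "opened": "2024-02-01", "closed": "2024-02-20"},
    {"id": "F-5", "severity": "high",     "asset": "srv-04", "opened": "2024-03-25", "closed": None},
    {"id": "F-6", "severity": "medium",   "asset": "srv-02", "opened": "2024-01-01", "closed": None},
    {"id": "F-7", "severity": "low",      "asset": "srv-05", "opened": "2024-03-10", "closed": "2024-03-12"},
]

# Assumed SLA targets in days per severity (placeholder policy, not VA's).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]

# Reporting date for the constructed sample.
AS_OF = datetime(2024, 4, 1)


def _parse(date_str):
    return datetime.strptime(date_str, "%Y-%m-%d")


def time_to_remediate(finding, as_of):
    """Days from open to close, or from open to the reporting date if still open."""
    end = _parse(finding["closed"]) if finding["closed"] else as_of
    return (end - _parse(finding["opened"])).days


def remediation_metrics(findings, as_of):
    """Per-severity summary: total, median days to close, % closed within SLA,
    and number of still-open findings already past their SLA."""
    buckets = {}
    for f in findings:
        sev = f["severity"]
        b = buckets.setdefault(sev, {"total": 0, "closed_days": [], "within_sla": 0, "open_past_sla": 0})
        b["total"] += 1
        days = time_to_remediate(f, as_of)
        if f["closed"]:
            b["closed_days"].append(days)
            if days <= SLA_DAYS[sev]:
                b["within_sla"] += 1
        elif days > SLA_DAYS[sev]:
            b["open_past_sla"] += 1
    report = {}
    for sev, b in buckets.items():
        report[sev] = {
            "total": b["total"],
            "median_days_to_close": median(b["closed_days"]) if b["closed_days"] else None,
            "pct_closed_within_sla": round(100 * b["within_sla"] / b["total"], 1),
            "open_past_sla": b["open_past_sla"],
        }
    return report


def prioritized_backlog(findings, as_of):
    """Open findings ordered by severity, then by how far past SLA they are."""
    open_items = [f for f in findings if not f["closed"]]
    return sorted(
        open_items,
        key=lambda f: (SEVERITY_ORDER.index(f["severity"]),
                       -(time_to_remediate(f, as_of) - SLA_DAYS[f["severity"]])),
    )


if __name__ == "__main__":
    for sev, stats in remediation_metrics(FINDINGS, AS_OF).items():
        print(sev, stats)
    print("work next:", [f["id"] for f in prioritized_backlog(FINDINGS, AS_OF)])
```

Run twice a year against the real tracker export and the per-severity rows become the kind of goal metric the article describes; the backlog ordering is where the “which ones do we close first” judgment gets encoded.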
Potential for AI and ML
DelBene said VA conducted a gap analysis of its current tools and cyber capabilities to help establish a current baseline and, just as importantly, to address potential holes in its protections.
“I think we have a pretty good tool set. But the interesting thing is there’s so much innovation going on in the industry, you can get yourself to the point of saying I’ve got all these different things that are collectively in my toolkit, but there’s so much innovation going on that we listen to a lot of vendors and try to understand if there’s something new that they’re delivering that we actually think we can use,” he said. “We pilot a bunch of stuff in the VA, but if there are vendors that have something they think we could use, it has to be that thing that either fits a niche that we don’t have, or it’s really kind of a different spin on things. Because there is such a plethora of tools that are out there, I feel pretty good about the tools that we have in place; the challenge is in our complexity.”
DelBene said tools like artificial intelligence and machine learning show a lot of promise for analyzing all the data that comes in from the different sensors.
He said a key piece of the zero trust architecture is understanding traffic patterns to see if there are anomalies, so cyber defenders can potentially take action in real time.
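One concrete form of the “understand traffic patterns, spot anomalies” idea, and of the lateral-movement concern raised earlier, is to learn which hosts each source normally talks to and flag sources that suddenly reach many peers they have never contacted before. The block below is an added example, not VA’s telemetry stack: it parses constructed connection-log lines (the `<timestamp> <src> -> <dst>:<port>` format and the threshold are assumptions made for this example), builds per-source peer sets from a baseline window, and reports sources in the current window whose count of never-seen-before destinations exceeds a threshold.

```python
"""Baseline-vs-current peer-set check over constructed connection logs.

Added example, not VA's tooling. A source host that fans out to many
previously unseen destinations is the pattern lateral movement tends to
produce, so it is surfaced for an analyst to look at.
"""
from collections import defaultdict

# Constructed baseline window (not real VA traffic): "<timestamp> <src> -> <dst>:<port>"
BASELINE_LOG = """\
2024-03-01T09:00:01 ws-101 -> fs-01:445
2024-03-01T09:00:05 ws-101 -> mail-01:443
2024-03-01T09:01:10 ws-102 -> fs-01:445
2024-03-01T09:01:12 ws-102 -> mail-01:443
2024-03-01T09:02:00 app-01 -> db-01:1433
2024-03-02T09:00:03 ws-101 -> fs-01:445
2024-03-02T09:03:00 app-01 -> db-01:1433
"""

# Constructed current window; ws-101 starts reaching hosts it never touched before.
# One malformed line is included to show the parser skips it.
CURRENT_LOG = """\
2024-03-08T09:00:02 ws-101 -> fs-01:445
2024-03-08T09:00:06 ws-101 -> mail-01:443
2024-03-08T09:10:00 ws-101 -> ws-102:445
2024-03-08T09:10:03 ws-101 -> ws-103:445
this line is garbage and should be ignored
2024-03-08T09:10:07 ws-101 -> ws-104:445
2024-03-08T09:11:30 ws-101 -> srv-07:3389
2024-03-08T09:01:10 ws-102 -> fs-01:445
2024-03-08T09:01:15 ws-102 -> mail-01:443
2024-03-08T09:05:00 ws-102 -> print-01:9100
2024-03-08T09:02:00 app-01 -> db-01:1433
"""


def parse_connections(text):
    """Yield (src, dst, port) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue
        dst, sep, port = parts[3].rpartition(":")
        if not sep or not dst or not port.isdigit():
            continue
        yield parts[1], dst, int(port)


def peer_sets(text):
    """Map each source host to the set of destinations it contacted."""
    peers = defaultdict(set)
    for src, dst, _port in parse_connections(text):
        peers[src].add(dst)
    return peers


def lateral_movement_candidates(baseline_text, current_text, max_new_peers=2):
    """Return {src: sorted list of never-seen-before destinations} for every
    source whose number of new peers in the current window exceeds max_new_peers.
    A source with no baseline at all is compared against an empty set."""
    baseline = peer_sets(baseline_text)
    current = peer_sets(current_text)
    flagged = {}
    for src, dsts in current.items():
        new_peers = dsts - baseline.get(src, set())
        if len(new_peers) > max_new_peers:
            flagged[src] = sorted(new_peers)
    return flagged


if __name__ == "__main__":
    for src, new in lateral_movement_candidates(BASELINE_LOG, CURRENT_LOG).items():
        print(f"{src}: {len(new)} new peers -> {new}")
```

The threshold is deliberately simple; in practice the baseline window should be long enough to cover normal weekly variation, and a single new printer (as with ws-102 here) should not page anyone, whereas a workstation reaching several other workstations and a server it has never touched deserves a look.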
“I think we’re seeing the benefits of zero trust already. Are there aspirations I have for the next one to five years? Absolutely. I think getting the perimeter in terms of logging in and authenticating people with MFA to 100% and not having too many people that say, ‘Oh, I forgot my personal identity verification (PIV) card so give me an exemption,’ having that avenue be an MFA avenue as well. So things like that, where we get to a true 100% around MFA,” DelBene said. “Generally speaking, I think what is really important to me personally is getting to authenticated access lists. I think wrestling with this notion of service accounts and having them be secure and not have passwords that have been there a long time. There are specific things that I get into the details and to me cybersecurity is all about the details. There are some very specific things I want to get done in that space, and we’re doing them every day.”