Date: On demand
Duration: 1 hour
It’s been clear since the term “zero trust” first landed in the federal sector that ensuring the identity of the user is central to implementation.
The Cybersecurity and Infrastructure Security Agency (CISA) said in its zero trust maturity model that agencies must move away from simply using passwords to validate identity and instead use a combination of factors to validate and continuously verify that identity throughout the duration of their interactions with services or data.
The challenge, of course, is that agencies have been working on identity and access management for the better part of 20 years.
In the build-up to the zero trust mandate, we saw the Office of Management and Budget and the National Institute of Standards and Technology update key policy memos and technical guidance. Both addressed new challenges and opportunities in identity and access management (IDAM), such as cloud, robotic process automation and managing a hybrid environment where some applications live in the cloud and some live in on-premises data centers.
As agencies take advantage of the new policies, technical guidance, and, of course, innovations coming from the private sector, they have already been evaluating and remapping their plan to strengthen and expand IDAM.
Among the questions that emerge: how best to move to a micro-segmentation architecture to protect systems and data, what data you are trying to protect and at what impact level, and how to balance security with ease of use.
The first step to achieve that balance is to reduce the number of identity sources of truth agencies have built up over the last two decades.
Creating services for all to use
Robert Costello, the chief information officer at CISA in the Homeland Security Department, said getting down to one source of truth for managing identities will help create a single sign-on for the enterprise.
“We’re going to provide a lot of the zero trust solutions like remote access and other things. So my role won’t be to develop those mission systems that are happening in the cybersecurity area, but I want to provide that strong foundation that people can build off of,” Costello said during the panel discussion Adopting the Zero Trust Security Model.
Sean Frazier, the federal chief security officer at Okta, said it’s not all that unusual for agencies to have 20 or more sources of truth to manage their identity management processes. He said that as agencies deployed new applications, they added identity on top of them to enhance security, or many just used the capabilities that came with the software.
“As we think about identity now, we look at identity as critical infrastructure to get access to the applications and also as the most attractive front door for attackers, for obvious reasons. It behooves us and it’s one of the reasons why some of the guidance has come out of CISA and out of OMB has been to get your security, your single sign-on security house in order by moving to a common enterprise service that you provide to your organization that is secure,” Frazier said. “The device context is also key to make sure the device is in good stead and the user is in good stead, and you can do that at wire speed when users request things.”
To get to the point where a single sign-on service can make decisions at wire speed, agencies have to understand who their users are.
Beau Houser, the chief information security officer at the Census Bureau in the Commerce Department, said his office is creating personas for those who interact with the agency, whether employees or citizens.
“We have every persona to think about as we move into more of a zero trust approach. We’re exploring services…to meet those users where they are, whether it’s the business community, the general population or a federal partner,” he said. “If they already have a Login.gov account or if they have an Okta account or an ID.me account, we want to be able to leverage those services with our services, so we’re trying to work that into our redesign for our internal users. The question I ask is, how do we dial up the rigor if this is a privileged user? With the general population, obviously, you can’t require a specific device. But for a privileged user, I can absolutely require a specific device, and I can maintain the awareness of the device that they’re using.”
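The persona-based approach Houser describes, together with CISA's call in its maturity model for multiple factors and continuous verification, maps naturally onto a policy decision point that scales rigor per persona. The following is an added illustrative example, not code from the Census Bureau, CISA or any vendor named on the page; the persona names, the accepted identity providers, the re-verification intervals and the device registry are all constructed assumptions chosen to show the shape of such a policy.

```python
"""Toy zero trust policy decision point (added example, not the page's code).

Rigor rises with the persona: the general public may use an accepted external
identity provider and a password for low-impact data, while a privileged user
must present a phishing-resistant factor from a registered, managed device and
re-verify far more often. All thresholds and registries are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed external identity providers accepted for non-employee personas.
ACCEPTED_EXTERNAL_IDPS = {"login.gov", "okta", "id.me"}

# Assumed factors treated as phishing-resistant.
PHISHING_RESISTANT = {"piv", "fido2"}

# Constructed registry of devices enrolled for privileged users.
REGISTERED_DEVICES = {"ws-0042", "ws-0107"}

# Assumed maximum minutes since the last verification, per persona
# (continuous verification: the more sensitive the persona, the shorter).
REVERIFY_MINUTES = {
    "general_public": 12 * 60,
    "business": 4 * 60,
    "federal_partner": 60,
    "employee": 60,
    "privileged": 15,
}

INTERNAL_PERSONAS = {"employee", "privileged"}


@dataclass
class AccessRequest:
    persona: str
    idp: str                        # "enterprise" or an external provider
    factors: List[str]              # e.g. ["password", "piv"]
    minutes_since_verify: int
    device_managed: bool = False
    device_id: Optional[str] = None
    impact_level: str = "low"       # "low", "moderate" or "high"


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Return an allow/deny decision with every failed check listed."""
    reasons: List[str] = []

    # 1. Identity source of truth: internal personas come through the
    #    enterprise IdP, external personas through an accepted federated IdP.
    if req.persona in INTERNAL_PERSONAS:
        if req.idp != "enterprise":
            reasons.append("internal users must authenticate via the enterprise IdP")
    elif req.idp not in ACCEPTED_EXTERNAL_IDPS:
        reasons.append(f"unknown identity provider {req.idp!r}")

    # 2. Factors: a password alone is only tolerated for the public on
    #    low-impact data; privileged users need a phishing-resistant factor.
    has_second_factor = any(f != "password" for f in req.factors)
    needs_mfa = req.impact_level != "low" or req.persona not in ("general_public", "business")
    if needs_mfa and not has_second_factor:
        reasons.append("multi-factor authentication required")
    if req.persona == "privileged" and not (set(req.factors) & PHISHING_RESISTANT):
        reasons.append("privileged access requires a phishing-resistant factor")

    # 3. Device context: a specific device can only be required of privileged
    #    users, so it is enforced only there.
    if req.persona == "privileged":
        if not req.device_managed:
            reasons.append("privileged access requires a managed device")
        if req.device_id not in REGISTERED_DEVICES:
            reasons.append("device is not registered for privileged use")

    # 4. Continuous verification: the session must have been re-verified
    #    within the persona's window.
    limit = REVERIFY_MINUTES.get(req.persona)
    if limit is None:
        reasons.append(f"unknown persona {req.persona!r}")
    elif req.minutes_since_verify > limit:
        reasons.append(
            f"last verification {req.minutes_since_verify} min ago exceeds {limit} min window"
        )

    return Decision(allow=not reasons, reasons=reasons)


if __name__ == "__main__":
    public = AccessRequest("general_public", "login.gov", ["password"], 30)
    admin = AccessRequest("privileged", "enterprise", ["password", "piv"], 5, True, "ws-0042")
    print(evaluate(public))
    print(evaluate(admin))
```

Returning every failed check rather than the first one is a deliberate choice: the reasons list is what the authorization log should carry, so that a denied privileged request can be distinguished from a stale session or an unregistered device during later auditing.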
Continuously verify access
Houser said the personas will also help the Census create its future state of technology.
“We’re working now on an enterprise survey system and we’re incorporating the zero trust principles, natively, inherently, look using some of the lessons learned that we’ve already used and maximizing things like our cloud capabilities,” he said. “You’ve got cloud; you’ve got zero trust; you’ve got secure access service edge (SASE) as the replacement for the traditional VPN. All these components come together to give you many, many more tools in your toolbox to be very surgical with the access and then continuously verify the access.”
Costello added auditing privileged users is something he’s spending a lot of time on.
“How do I temporarily escalate privileges? How am I auditing that? How am I going through that? We learned very quickly that while we never want an account compromised, when certain accounts are compromised, it is very difficult to recover from those events in certain environments,” he said. “SolarWinds, I think, was something that taught us what we have known for years: when we run into these situations where the keys to the kingdom or those privileged accounts are compromised, that’s something that is very difficult to recover from.”
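Costello's two questions, how privileges are temporarily escalated and how that is audited, are usually answered together by a just-in-time privilege broker: elevation is granted for a bounded window, requires a separate approver and a justification, every grant and use is written to an audit trail, and all of a user's grants can be revoked at once when an account is suspected compromised. The block below is an added illustrative example, not CISA's tooling; the clock (minutes on a constructed counter), the one-hour cap and the event names are assumptions.

```python
"""Just-in-time privilege elevation with an audit trail (added example).

Illustrates the lifecycle Costello asks about: request, approve, use, expire,
revoke. Time is a constructed integer clock in minutes so the example runs
offline and deterministically.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_ELEVATION_MINUTES = 60   # assumed hard cap on any single grant


@dataclass
class Grant:
    user: str
    role: str
    approver: str
    justification: str
    issued_at: int
    expires_at: int
    revoked: bool = False


@dataclass
class PrivilegeBroker:
    grants: Dict[str, Grant] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)
    _next_id: int = 1

    def _log(self, event: str, **details) -> None:
        # Append-only audit record; in practice this would go to a SIEM.
        self.audit.append({"event": event, **details})

    def request_elevation(self, user: str, role: str, approver: str,
                          justification: str, now: int, minutes: int) -> Optional[str]:
        """Issue a time-bound grant, or return None (and log why) if refused."""
        if approver == user:
            self._log("elevation_denied", user=user, role=role, reason="self-approval")
            return None
        if not justification.strip():
            self._log("elevation_denied", user=user, role=role, reason="missing justification")
            return None
        if minutes <= 0 or minutes > MAX_ELEVATION_MINUTES:
            self._log("elevation_denied", user=user, role=role,
                      reason=f"requested {minutes} min outside 1..{MAX_ELEVATION_MINUTES}")
            return None
        gid = f"grant-{self._next_id}"
        self._next_id += 1
        self.grants[gid] = Grant(user, role, approver, justification, now, now + minutes)
        self._log("elevation_granted", grant=gid, user=user, role=role,
                  approver=approver, expires_at=now + minutes)
        return gid

    def has_privilege(self, user: str, role: str, now: int) -> bool:
        """Check for a live grant; every check is logged so use is auditable."""
        for gid, g in self.grants.items():
            if g.user == user and g.role == role and not g.revoked \
                    and g.issued_at <= now < g.expires_at:
                self._log("privilege_used", grant=gid, user=user, role=role, at=now)
                return True
        self._log("privilege_refused", user=user, role=role, at=now)
        return False

    def revoke_all_for(self, user: str, now: int, reason: str) -> int:
        """Kill switch for a suspected compromise; returns grants revoked."""
        count = 0
        for gid, g in self.grants.items():
            if g.user == user and not g.revoked and g.expires_at > now:
                g.revoked = True
                count += 1
                self._log("elevation_revoked", grant=gid, user=user, at=now, reason=reason)
        return count

    def events(self, event: str) -> List[dict]:
        return [e for e in self.audit if e["event"] == event]


if __name__ == "__main__":
    broker = PrivilegeBroker()
    gid = broker.request_elevation("alice", "domain-admin", "bob", "change #1234", now=0, minutes=30)
    print(gid, broker.has_privilege("alice", "domain-admin", now=10))
    print(broker.has_privilege("alice", "domain-admin", now=45))
    for e in broker.audit:
        print(e)
```

The point worth noticing is that the expiry check and the revocation path are the recovery mechanism Costello is describing: because no grant outlives its window, a compromised privileged identity holds standing access only until the next check, and `revoke_all_for` closes even that gap without having to find and rebuild each affected system.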
He said CISA is looking to partner with software providers to ease the burden on employees as they are proofing people against the agency’s policies.
Larry Kiger, America’s lead for security and compliance of the worldwide public sector at Amazon Web Services, said implementing micro-segmentation on your network can improve privileged account security as well as take advantage of more rigorous identity and access management capabilities.
“I just got finished with a conversation with one of our partners [in May] that is a large DoD provider, and they specifically were talking about how do they separate their FedRAMP High networks from their DoD impact level 5 or 6 networks and still support their customers?” Kiger said. “That really is all about micro-segmentation at that point.”