Duration: 1 hour
Cost: No Fee
The term “zero trust” can be a misnomer, suggesting a simple methodology for organizations to secure their networks.
In reality, zero trust is a concept built upon several underlying security technologies and methods that come together to form a more secure architecture. The federal zero trust strategy breaks down the concept into five pillars, based on the Cybersecurity and Infrastructure Security Agency’s zero trust maturity model.
Robert Wood, the chief information security officer at the Centers for Medicare and Medicaid Services, says his agency is trying to take that more granular approach to zero trust, rather than spreading funding evenly across every pillar at once.
“Where we’ve been trying to really be critical and intentional is finding the areas throughout the enterprise where we can make significant progress against the maturity model, that also have a lot of adoption, where the benefits of that investment are going to be felt by the consumers of this centralized service or the underlying like environment that they’re building on,” Wood said during a CISO Handbook discussion hosted by Federal News Network.
“Whether it’s a cloud infrastructure or data centers or whatever,” he continued. “And so finding those intersections where we can invest intelligently, and then see ourselves make these substantial jumps against the maturity model, where the benefits are going to be as far reaching as possible in the enterprise.”
Wood said the “nuanced” pieces of the zero trust approach – ranging from multifactor authentication to encryption and beyond – are going to benefit CMS’s enterprise as a whole.
“Zero trust is not everything,” he added. “There’s a lot of other stuff that any sensible security organization should be doing.”
Many organizations have been looking to modernize their identity solutions for authenticating and authorizing users on their networks, whether they be internal employees or external customers and partners.
For CMS, one challenge will be in dealing with how legacy identity and network solutions were built across different subcomponents.
“We as an agency are effectively living out a representation of what’s referred to as Conway’s Law where the system that is built is a direct mapping of, not some ideal software architecture, but rather of the organizational architecture that is building it,” Wood said. “And so because we have different parts of the agency, even within the Office of Information Technology, building different parts of our identity setup to serve all of these different populations, you end up with this thing that is pieced together.”
David Chow, the global chief technology strategy officer at Trend Micro, says the shift to a zero trust security architecture is a “monumental effort.” He applauded the maturity approach the federal government is taking to get there.
He said one key step agencies can take to start is to better understand the boundary of their networks, and then examine any critical security deficiencies within their systems. Automation and machine learning will also be key to identifying and addressing vulnerabilities efficiently, according to Chow.
“If the agency really wants to get to the high maturity level, I would say identity and access management is one huge area that needs to be focused on,” Chow said. “And then you have an automated response to any security violation or any security incident. That’s the second part that needs to be focused on. So that would be my recommendation to any CIO or CISO.”
Chief Information Security Officer, Centers for Medicare and Medicaid Services
Global Chief Technology Strategy Officer, Trend Micro
Reporter, Federal News Network