Hubbard Radio Washington DC, LLC. All rights reserved. This website is not intended for users located within the European Economic Area.
Date: On demand
Duration: 1 hour
Cost: No Fee
If the concept of zero trust has been around for decades – and it has – then how come it’s only become a major imperative for federal agencies in the past year or so? The simple answer might be, because there’s that year-old White House executive order that says so.
The reality is a bit more complicated. The order is possible, and zero trust initiatives are possible, because the technologies enabling comprehensive zero trust have been rapidly maturing in the last few years.
Steven Hernandez, the chief information security officer at the Department of Education, said he is frequently asked the “why now” question.
“The real reason why,” Hernandez said, “is because between cloud technologies, machine learning, and robotic process automation, the technologies we have today allow us to move at the speed of the machine.” For every human user, device, and bot to face a challenge for access to applications and data in a zero trust setup, only automation can keep up with demand.
“We can trust the machine, once it’s learned what it needs to do, to make the right decisions,” Hernandez added. “If we didn’t have the elasticity and the agility and the responsiveness of the cloud, we couldn’t buy enough hardware or traditional IT to think that we could pull this off.”
In tackling the project to get to zero trust for the department’s 200 major systems, Hernandez said, he and his staff started with an assessment of what was in place already, against a reference model of four main elements to a zero trust architecture.
“When we talk about zero trust,” Hernandez said, “there’s identity, data, control, and then something of an idea of a trust engine. And at the Department of Education, we started zero trust by looking at, what do we already have in this portfolio.”
He said the department had already established a solid footing on identity, with an identity, credential and access management, or ICAM, system. And it had a good handle on security and event-related data, having been an early adopter of a data lake specifically for cybersecurity.
Therefore, Hernandez said, Education could focus on the control plane and trust engine elements.
He described the control plane as the integration of technologies and processes that enable constant authentication. He described the trust engine as taking the data derived from control plane activities and applying artificial intelligence to it, in support of automated authentication decision-making.
In thinking about the control plane, also called the control fabric, Hernandez said the goal was “agility to operate at the speed of the machine, with technology that we can buy right now, not vaporware.” As its strategy to get to that agile control plane, his crew chose the secure access service edge, or SASE, approach. The Gartner-coined term refers to a cluster of software-defined authentication and access controls hosted in a commercial cloud.
Hernandez put it this way: “What it really means is taking all the technology stack that used to be in a data center – it’s a firewall, it’s data loss prevention, it’s perimeter protection – and virtualizing it. Then move it into the cloud, and make sure that no matter where traffic is coming from in your environment, it’s going through this automated security stack.”
All of that traffic generates log data which, Hernandez said, relates to the second component of the two he’d been concentrating on.
For its trust engine, Education chose another set of technologies with the acronym SOAR. It stands for security orchestration, automation and response. The trust engine stack analyzes the data collected by the control plane in such a way as to continuously improve the authentication mechanism.
SOAR “is the beginnings of this idea of using machine learning AI to get all this data that you’re going to start to consume from that control fabric, and then start to make decisions on it,” Hernandez said.
The engine also ensures that, when analyzing what Hernandez said might be 100,000 indicators, it flags the small number that might need human attention.
“And then my analysts are actually going to look at that,” Hernandez said.
Besides the two big technical efforts to build out its zero trust architecture, Hernandez said a third element will help sustain it all.
“The third piece we looked at is building out an organizational wide program management capacity to really manage the cultural shift of zero trust,” he said. He added, “And that’s the piece that you can’t buy technology for, you got to buy the right folks with the right ideas and the right leadership to move that part ahead.”
As for users, Hernandez said a well-crafted zero trust environment should enhance ease of use and ease of access for authorized users. Zero trust should be seamless for users.
“And then as that end user starts maybe behaving in ways that are a bit suspicious, we start adding friction: ‘I’m gonna need you to re-authenticate,’” he said. That process would be invoked at the control plane, the gatekeeper for the department’s systems.
Having heard Hernandez’s account, Chris Crummey, the executive director of the Center for Government Cybersecurity at IBM, said that the phrase zero trust sometimes needs a third word.
“So there’s zero trust principles, there’s zero trust strategy, there’s zero trust initiatives for the mission,” Crummey said. Because zero trust is all of those things, he said they’re important for context when discussing zero trust with various stakeholders.
He said agencies can approach zero trust on two vectors. One is along what he called domains, “which is your data, your identity, your network, your application loads, your devices.” In working with customers, he said IBM focuses on outcomes, according to four blueprints: the remote workforce, protecting the hybrid cloud, reducing mission churn, and protecting citizens’ privacy.
“So now take the domain strategy that we see the agencies have,” Crummey said, “and then overlay one of these four kind of blueprints, and automatically you have an understanding where the gaps are.”
Koos Lodewijkx, the chief information security officer at IBM, said that zero trust can be both a driver and a result of digital transformation. He noted that few organizations lack their share of legacy applications and systems.
“So look at the new things that you’re building. In the move to cloud, for example, infuse your transformation with zero trust principles,” Lodewijkx said.
He added that zero trust has the potential to help agencies realize the long-held cybersecurity dream of eliminating the password.
“That is one of my top priorities for IBM,” he said. “No more passwords. And so then what do you replace that with? You replace that with stronger forms of authentication.” Lodewijkx named risk-based and adaptive authentication, which is authentication that takes into consideration additional factors such as a user’s location, the connection methodology, and what it appears they are trying to do.
The IBM experts said that adaptive authentication can at once make things more secure and easier for users.
Crummey said IBM cybersecurity offerings are vetted through an advisory council of former federal civilian and military CIOs and other high-ranking individuals. “So maybe early in your zero trust discussion, you could have a meeting with the advisory council would be a great way to start that process,” he said. Agency clients often then proceed with what Crummey called a zero trust framing workshop, “a great way to align your strategic views, to understand your critical resources, and to drive the initiatives based on the mission that you have.”
Chief Information Security Officer, Department of Education
Steven Hernandez is an information assurance expert serving the past twenty years in a variety of contexts and missions. He has worked on the front lines in operations centers and led research teams attempting to balance security, privacy, and mission delivery considerations. Transforming risk management in international manufacturing, healthcare, non-profits, and governments at the federal, state, and local levels is extensive through his professional portfolio. Leading tactical, day-to-day security operations as well as guiding and influencing broad security initiatives such as the US government's FedRAMP program across large organizations with international presence are areas he’s frequently called upon to support. Presently he is the Chief Information Security Officer and Director of Information Assurance Services at the U.S. Department of Education. Steven also serves as the co-chair of the US Government Federal CISO Council and government chair of the ACT-IAC Cybersecurity Community of Interest. Prior to his position at Education, he held a variety of roles at the Office of Inspector General, US Department of Health and Human Services including CTO, CIO, CISO, Senior Official for Privacy and Chief Services Engineering Officer. He is an inaugural member of the United States Scholarship of Service Hall of Fame. He served on the Board of Directors for the International Information Systems Security Consortium (ISC)2, served on the U.S. (ISC)2 Government Advisory Board for Cybersecurity (GAB), judged for the Government Information Security Leadership Awards (GISLA) and contributed to its Executive Writers Bureau. Mr. Hernandez is the lead author and editor of the third edition of the (ISC)² Official Guide to the CISSP CBK, the (ISC)² Official Guide to the HCISPP CBK, and several published works regarding international information assurance.
Chief Information Security Officer, IBM
Leader, IBM Center for Government Cybersecurity
Christopher is responsible for the building, launch and growth of the IBM Center for Government Cybersecurity in Washington DC. This center represents the collective value IBM brings to help the Federal government with their cybersecurity mission. This includes areas of Zero Trust, Blockchain, Quantum and Cyber Resiliency.
Previously, he was responsible for leading the IBM Security Command Center, which includes the Cyber Range in Cambridge, the Command Center Cyber Truck on 18 Wheels in Europe and other customer engagement centers globally.
With over 30 years of IBM experience, Christopher is one of the most sought-after keynote speakers at IBM.
Mr. Crummey holds a bachelor’s degree in psychology from Hobart College.
Host, The Federal Drive, Federal News Network
Tom Temin has been the host of the Federal Drive since 2006 and has been reporting on technology markets for more than 30 years. Prior to joining Federal News Network, Tom was a long-serving editor-in-chief of Government Computer News and Washington Technology magazines. Tom also contributes a regular column on government information technology.