Duration: 1 hour
Cost: No Fee
The shift to a zero trust architecture happening across the federal government comes down to a few key principles – including identity, devices, their network and environment, application workload and data.
While the federal government’s move to zero trust focuses on the protection of agency data, the push to zero trust also coincides with other initiatives, especially in the Defense Department, focused on leveraging data as a strategic asset.
Retired Col. Michael Anderson, chief strategist for Informatica Public Sector, said the data pillar of an agency’s zero trust strategy should serve as the foundation for progress in other key areas.
“As you listen to some of the initiatives, efforts, projects and budget associated around zero trust, data is given lip service. But when you dig down a little bit deeper, it doesn’t seem to be the focus of a lot of these efforts. But I think at its foundational levels, data is a key component of that,” Anderson said. “Data really is the crown jewels, whether it’s the Department of Defense or another federal civilian agency. It’s really what the whole program is wrapped around to protect, because the exfiltration of data to adversarial elements, whatever those may be, is one of the primary reasons, if not the primary reason why we’re all after this zero trust architecture to begin with.”
The Department of the Navy, building on earlier cybersecurity and identity investments, is putting zero trust into action.
“Zero trust was basically initiated to protect the data, because we found it hard doing this sort of perimeter view of walls and different challenges or authentications that you need to do to get to the data,” said Chris Cleary, principal cyber advisor for the Department of the Navy. “It was harder and harder to protect it,” Cleary said. “As you continue to build this zero trust architecture, you have to be working hand-in-glove with the people that own this information, because they have to 100% have an equal seat at the table, to ensure that the way that we’re going to go about doing this is in alignment with the way that they’re going to be architecting their data environments.”
The Department of the Navy, prior to the Biden administration’s executive order on zero trust, implemented its identity, credentialing and access management (ICAM) strategy.
“The zero trust discussion started happening. We were kind of ahead of the curve on this because one of the fundamental components of a zero trust architecture was identity,” Cleary said.
The emergence of the COVID-19 pandemic and the shift to telework across the federal workforce also brought the Navy, like much of the federal government, into adopting Office 365.
“When you started rolling out Office 365, and started getting closer to this zero trust discussion, when we added the particular security licenses, whether it’s E3 or E5 licenses from Microsoft to it, it further enabled us getting closer and closer to this zero trust architecture,” Cleary said.
Cleary described zero trust as the latest evolution in cybersecurity models, in an effort to stay ahead of evolving threats.
“We’re moving into a zero trust mindset, which is really because we understood it got harder and harder to keep the adversary from getting what they want. And at the end of the day, what they want is data,” Cleary said. “The data is the fuel oil that drives all of this. There’s no sense having a computer system if I can’t trust the information or get access to the information, or somebody else has access to the information,” Cleary said.
The federal focus on zero trust coincides with the rise of chief data officers. The Foundations for Evidence-Based Policymaking Act signed in 2019 required agencies to name a CDO.
“We’ve always had chief information officers, we’ve always had chief information security officers. And now we’re creating a whole new discipline for individuals that are specializing specifically on data,” Cleary said.
The rise in zero trust also coincides with a particular focus on data-driven decision-making across the DOD. Deputy Defense Secretary Kathleen Hicks in May 2021 issued a memo with five “data decrees,” outlining actions the department must take to leverage data as a strategic asset.
Anderson said the data decrees and the move to zero trust both require DOD to fully understand what data it has, where it’s stored, and what level of protection it needs.
“If you don’t know what you have, and you haven’t discovered it across your environment … how do you ensure it’s all labeled, categorized, and then prioritized for the cybersecurity folks, so you know what’s important and what’s not?” Anderson said. “Once you know that, and you know yourself, then you can go and put together the policy, both from a data standpoint and security standpoint, about the workflows of that data.”
In terms of next steps to implement zero trust, Anderson said DOD and other agencies need to secure the flow of data coming from sensors and other Internet of Things devices.
“If you’re going to have streaming data, there’s no way to manually affect and control the workflows,” Anderson said. “What we’re getting at there, and in industry is capable of providing that today — and are to some DoD elements and components — is automating that process of streaming data. You can set up policies, you can set up all the rules and regulations you want, but to manually control that is going to slow things down too much for those consumers who need it at the edge or in the Pentagon, if that’s something the Pentagon is doing. But being able to do that, and automate that flow of data, and control its usage to who needs it when in a timely manner … but at the same time meet zero-trust principles is key. You’re only going to do that with capabilities that bring that automation to bear, out of the box.”