Date: On Demand
Duration: 1 hour

Description:

Ever since President Joe Biden’s executive order in May 2021, agencies and industry alike have put a lot of focus on the concept of moving to a zero trust architecture.

Agencies submitted their zero trust plans to the Office of Management and Budget in March, and have 19 specific goals to accomplish by the end of fiscal 2024.

Eric Stuhl, the director of infrastructure for Sirius federal, a CDW company, said a lot of the work over the past year has been  agencies trying to identify and understand where they are in that roadmap to get to zero trust. He said this means understanding what tools and capabilities they have in place already, what they need to achieve and how they can move to that end state nirvana of a fully zero trust environment.

“The agencies that I’m working with are looking at different piece parts of that zero trust architecture and identifying where they fit in. Do they have an identity solution? Do they have a network solution? Do they have a data solution? Do they have an application solution? How are they going to get a Federal Information Security Management Act (FISMA) moderate application web accessible by the end of the year?” Stuhl said on the discussion Keeping agencies secure: The shift to zero trust. “They have to find ways to break all of these down into their component parts, figure out how to build a plan to get there and find the budget for those things. Do they have some solutions that are part of the continuous diagnostics and mitigation (CDM) program that may be applicable to zero trust? Do they have something that will help them get to that next state?”

Sirius federal is working with the Treasury Department, for example, to move their identity management tools to the cloud from on-premise to help users access applications through a federated identity source.

The Treasury example demonstrates that agencies need to change their thinking when it comes to zero trust.

A jawbreaker, not a Tootsie Roll approach

Stuhl said agencies need to consider how they are managing and maintaining their devices, how they are managing their workloads and who are their industry partners and how does this all fit into their zero trust roadmap. He compared it moving from a Tootsie Pop approach to security to more of jawbreaker approach where each layer is hardened and different than the last.

“You put a lot of investment both in time, resources and training into those tools that you put into CDM. Some of them might be the right tools and some of them might not. But there’s a lot of strategy and architecture in there that you can expand upon,” he said. “Most agencies have some source of identity, but can you take that identity and federate it so that it’s not just for access into the network or into the building, but it’s that same user experience across every application, every workload. How do you get to that point and make it so that you have one system that’s either maybe personnel identity verification (PIV) related or PIV derived, and now you have a way for everyone to access all of those things across your entire infrastructure. Now, what you’ve done, there is taken something you have and that you know is good and expanded it rather than trying to rebuild from scratch.”

Stuhl added once agencies figure out where they today in the long journey toward zero trust, then they can take an iterative process to improve their security posture.

“They have figure out how they can enhance their security so that they’re not necessarily impacting the users or their technicians or their engineers, but they’re just adding layers of security on continuously and building that into the zero trust model,” he said.

Baselining IDAM capabilities

One example of this move toward continuous improvement if, of course, around identity and access management.

When agencies first rolled out these capabilities more than 15 years ago, agency chief information officers were more focused on access to buildings or devices, but individual applications or systems had their own username and password requirements.

“Now we are looking at identity as a whole. It is conceptual in that you’re a person, you have a thing that you use to connect to the network — that might be a laptop, it might be a desktop, it may be a mobile device — it sometimes is how do we identify who you are, what is the thing you’re using and give you the correct level of access based on how you’re entering into the network?” he said. “We are finding ways to control what you have access to with the same access control that makes it much easier. So that a user can have the same experience no matter where they login in from. Maybe not even using a password these days, but still have that same sense of identity, and then we can build policies around that rather than having to impact the user every time.”

Taking the user out of the equation is an important facet of zero trust because they are usually the weakest link.

Stuhl said zero trust will reduce the complexity of the environment, requiring many different usernames and passwords.

“We’re taking the user’s ability to cause a problem away, and, in most cases, the user doesn’t mean to cause a problem. They want to be secure. They want to do the right things. They just want it easier. So if we can find ways to add security without impacting the user’s ability to do their job, or do whatever task they’re trying to achieve, that’s when we’re going to hit our goal of having a good environment and good actual security,” he said. “Identity is now more than just your username and password, but it’s everything associated with you. Now, what is it going to look like in the future? Well, now we see that these applications are talking to each other and it’s no longer just a user interacting with an application but it’s an application interacting with an application. That’s something that most of us are currently blind to. So how do these application programming interfaces (API) calls get federated? How do we ensure that the right devices are talking to the right things? How do we ensure that once you’re in a network, you’re only getting the level of access that you need because that’s a way that we could solve some of these challenges. A lot of the challenges around identity is that someone a bad actor gets access to someone’s identity, and uses that to access resources that they shouldn’t.”

The future of identity is APIs

Stuhl said identity and security are becoming more data driven, and as more agencies shift to the cloud, that information will drive those API calls.

He said the end goal, however is ensuring agencies have the same identity processes across all systems at all times and in every different environment that a user could possibly choose.

Stuhl said agencies should by establishing a baseline of where they with current identity capabilities and figure out how to build upon that baseline.

“Let’s go ahead and enumerate all the different types of devices and get visibility into what’s there. Maybe they’re not blocking based on individual devices, we’re just pulling data to understand what’s in place, and then looking at what those people are doing. Let’s model some of that behavior,” he said. “From there, let’s go ahead and iterate those policies one at a time, make sure you build a little bit more restriction in each level, and then slowly add change into the network. It has to be controlled and managed, rather than this flashpoint of hugely reduced access, and maybe we might impact somebody’s ability to do their job. With my customers, especially on the DoD side, if we do something and a four star is no longer able to do the things that he or she wants to do, we’re going to have a really, really bad day. So finding ways to make sure that we’re adding that security without impacting our end users is incredibly important to us.”

Learning objectives:

• Zero Trust Trends Across Agencies
• The Evolution of Identity and Access Management

This program is sponsored by   

Registration is complimentary. Please register using the form on this page or call (202) 895-5023.