In the two years since the White House directed agencies to adopt a “zero trust” security architecture, agencies have been taking small steps to eventually realize what will be a major change in their cybersecurity posture.

At the Department of Education, officials have been focused on “small bits and chunks,” rather than “swallowing the whole elephant at once,” Wayne Rodgers, the zero trust lead at Education, said on Federal News Network. The Office of Management and Budget outlined dozens of actions agencies should take in its January 2022 federal zero trust strategy. 

With the help of $20 million from the Technology Modernization Fund, the agency adopted a secure access service edge (SASE) solution and did away with its virtual private network (VPN), a key development at an agency where many employees work remotely. Rodgers also said Education has implemented a security orchestration automation response capability “that really rides across all zero trust pillars as a foundation.”

And Education’s identity, credentialing and access management (ICAM) project management office has moved all users — both internal and external — to a new identity platform.

“We’re really looking at … on a system-by-system basis, making sure that we have inheritable controls for all systems,” Rodgers said.

At the International Trade Administration, all of its systems are in the cloud, giving it a good starting position on its zero trust roadmap.

But Gerald Caron, the chief information officer at ITA, said many of the agency’s employees are spread out across the globe. That makes meeting the requirement for phishing-resistant multifactor authentication a difficult challenge.

So ITA sent each of its employees a “YubiKey” authentication device to meet MFA requirements.

“So we’re taking a lot of steps, we’re looking at some identity management things in order to mature identity management and automate our processes around that as well,” Caron said.

Sean Connelly, the senior cybersecurity architecture and Trusted Internet Connections program manager at the Cybersecurity and Infrastructure Security Agency, said CISA is helping all federal civilian agencies with their zero trust approaches, including by updating the zero trust maturity model used as a benchmark for federal progress.

CISA is also folding many of those zero trust principles into one of its marquee federal cybersecurity programs, the Continuous Diagnostics and Mitigation (CDM) service.

“Some of the new services you may see coming out from CDM will be very zero trust influenced, will help the agencies, will help them move forward on their zero trust journey,” Connelly said.

Agencies are also looking at automating aspects of their cybersecurity programs as part of zero trust, in order to cut down on their incident response times and take the load off cybersecurity personnel responding to a range of incidents.

“I think that’s a key area to cut down on some of the noise that help desks and admins are dealing with,” Brian Dack, director of solutions engineering at Okta, said during the panel discussion.

Automation is also a step toward using artificial intelligence for cybersecurity, an early but expanding area of research and development. CISA is among several public and private entities looking at how AI can be applied to the cybersecurity field.

“I think what AI is going to bring, is raise the level of what that automation could do,” Dack said. “As we get into these large language models, it really raises that level of decisions that can be made and potentially then offers those decision makers and the admins some freedom to say, ‘Okay, I now trust this, and I can allow it to take some actions without us having to send it to a person to make a decision.’”

And as agencies have been laser-focused on upgrading the technologies and processes they use to verify the identity of their employees and users, Mark Ryland, the director of the Amazon security team at Amazon Web Services, said the next step will be “software-to-software” authentication.

“Once we get the user to the front end of an application, once we get that nailed down, which I think we’re on a good path to do that, then the next layer is going to be what happens from that front end to the database, to the business logic, whatever we want that also to participate in these very well architected, strongly authenticated, properly authorized and properly logged systems,” Ryland said.

Learning objectives:

• Securing networks with AI and automation
• Identity and access management
• The future of AI/ML in cybersecurity