January was the two-year anniversary of the Office of Management and Budget’s zero trust strategy.

In the 24 months of work, agencies faced, and had to overcome, many competing cyber and other priorities as they worked to ensure a resilient and trusted operating environment.

Many agencies started off their zero trust journeys with the “low hanging fruit” of identity and access management. But now that they are in year three of this journey, agency cyber leaders must continue to mature their zero trust programs, take even more advantage of enterprise services and tools and apply a more strategic approach to how they secure their networks, systems and data.

That strategic approach is about more than just cyber; it is a pathway to digital transformation and IT modernization. In fact, OMB expects the implementation of zero trust concepts to help agencies better envision their future technology infrastructure.

As the 2024 zero trust deadline quickly approaches, agencies still have the longest section of this marathon to push through.

Wayne Rodgers, the zero trust lead and senior cybersecurity manager at the Education Department, said the agency is getting ready to move into the next phase of its journey after spending much of the last 18 months transforming its cybersecurity infrastructure.

“Right on the horizon is software-defined wide area network (SD-WAN). That way we can extend our zero trust policy to users when they’re on-premise as well as things that are on-premise like printers and such, right there on site, that don’t necessarily have a secure access service edge (SASE) agent,” said Rodgers during the discussion Unlocking Zero Trust: Strategic Approaches and Cybersecurity Modernization. “We already have automated tenants in response to use cases and brought a lot more efficiency to our cyber security operations center (SOC) analysts. We also implemented a tier three zero trust program management office, which has been instrumental in updating policy when it comes to zero trust. They really were the programmatic execution arm of making sure that we could implement and deploy SASE in a very fast timeframe. We ended up being able to deploy SASE within the period of three months, and we were able to migrate all users and cut off legacy virtual private networks (VPN) two months after that.”

Education’s improved cyber defenses

Rodgers said Education has also deployed endpoint detection and response (EDR) on all laptops and will soon deploy the technology on all servers.

“We have seen threat hunt capabilities increase and our visibility analytics have increased,” he said. “I always give an example: We were able to find malware retroactively from a couple months prior to deploying that. So the visibility analytics have been great from EDR. We already had an identity credential access management (ICAM) solution. We’ve since migrated to a new one and we have a new identity provider and we’re working toward automating lifecycle management of users.”

The idea of better and even cheaper cyber capabilities is a key tenet of zero trust.

The Office of Personnel Management is leaning on the cloud to improve its cyber posture.

James Saunders, OPM’s chief information security officer, said through the move to zero trust the agency reduced the number of cyber tools it was using and redirected those funds to zero trust technologies.

“About 70% of the zero trust technologies you need are now coming from a platform versus point solutions. What I mean by that is the bigger vendors in the space can pretty much give you everything that you need. We were able to eliminate one-off solutions that are hard to integrate and hard to automate,” Saunders said. “Now the platform covers most of it. We do still have point solutions where we feed into different mechanisms like security orchestration, automation and response (SOAR) use cases for bringing that data in and allowing the machine to make decisions and do a lot of the lower level work.”

OPM met MFA mandate

Saunders said OPM’s cyber analysts now have more time to work on more complex security efforts and don’t have to stitch together multiple point solutions.

All of this work also helped OPM meet the White House’s mandate to move to phishing-resistant multi-factor authentication by Dec. 31.

Saunders said all of these efforts so far in the zero trust journey have been about building trust.

“Other agencies that partner with us, share data with us and citizens who interact with our services need to know that we’re constantly doing our due diligence and continuously raising our cybersecurity bar,” he said. “To me, that’s what zero trust is about, building trust. Starting with zero, but eventually you build on it and we’re trusting that OPM is doing the right thing to protect our environment.”

Similar to OPM, the Nuclear Regulatory Commission also is consolidating its cyber tools to move faster toward meeting the goals of the zero trust architecture.

“We’ve done a major focus on identity and access management. We’ve changed our identity provider, as a number of agencies have. We’re also looking now specifically at datasets and artificial intelligence use cases as well because that’s all going to be part of our big approach to zero trust as we move forward,” said Jonathan Feibus, NRC’s CISO and director of the Cyber and Infrastructure Security Division. “We’re trying to figure out how we can get all of these tools, all of these requirements built into our development platforms, how we can get all of these transitional tools into the cloud and how we can use everything that we are doing, in terms of cybersecurity, in terms of oversight, in terms of governance, and in terms of access to data and other tools across our environment to help us with the zero trust journey.”

Platforms and integration

OPM, NRC and Education are following a similar path as many public and private sector organizations in their move to zero trust.

Felipe Fernandez, the chief technology officer at Fortinet Federal, said the strategy is focused on creating a comprehensive security approach based on different use cases, including accessing data, providing access to remote workers and providing services to citizens.

“What we’re doing is creating a platform that’s automatically integrating with other tool sets that are typically found in the environment,” Fernandez said. “We had toolset sprawl that really grew and it started to become cumbersome for most customers trying to do cybersecurity. That was really driven by strategic approaches, such as defense-in-depth or a multi-layered approach to security. What we discovered is that really just becomes cumbersome and results in operational inefficiencies because the practitioners need to learn all these tools. So this natural reduction of vendors, tool sets and capabilities into single platforms is what’s really helping drive these zero trust architecture initiatives.”

Learning objectives:

  • Modernizing security through zero trust
  • Navigating the zero trust culture shift
  • Applying automation in security


Speakers

Jonathan Feibus

Chief Information Security Officer and Director of the Cyber and Infrastructure Security Division

Nuclear Regulatory Commission

James Saunders

Chief Information Security Officer

Office of Personnel Management

Wayne Rodgers

Zero Trust Lead and Senior Cybersecurity Manager

Department of Education

Felipe Fernandez

Chief Technology Officer

Fortinet Federal

Jason Miller

Executive Editor

Federal News Network
