Date: On demand
Duration: 1 hour
Cost: No Fee

Over the last two years, it has become clear that when it comes to your agency’s or organization’s security, your people are your first and last line of defense.

The old model of building walls around your network and applications hasn’t worked for years, but it’s only in the last two years that agencies realized stopping cyber attacks starts with their workforce.

For most organizations, the goal is striking the right balance between cybersecurity and data and application accessibility. If either of those fails, you will lose the support of your workforce.

This is why the Biden administration’s zero trust strategy as well as the zero trust maturity model from the Cybersecurity and Infrastructure Security Agency highlight the need to take a people-centric approach.

Agencies need to understand how to trust and empower people within well-defined network and application boundaries.

Departments need to balance risks and tie those risks to their people. And agencies need to be agile enough to adjust cyber policies as risks and threats change.

Beau Houser, the chief information security officer at the U.S. Census Bureau in the Commerce Department, said the move to zero trust is giving agencies more tools in the toolbox to protect networks, data and systems.

“Like many organizations, we have a traditional virtual private network (VPN), where the users log in in the morning, they bring up their VPN client, they go through that process to connect into the Census’s VPN. We want to get rid of that, and we’re looking at options that are now called SASE, secure access service edge. What that does is change the nature of the VPN to an always-on VPN so the user just boots their laptop, they’re automatically connected to the cloud’s edge,” Houser said during the panel discussion Why zero trust starts with people. “Cloud is a central part of SASE, and so it’s a better user experience for our staff and it gives us that same level or better protection that we have today with our perimeter model. Zero trust gets rid of the perimeter approach. This is an example of how the endpoint plays into that change.”

Census, like nearly every agency, is pushing that perimeter to the employee as opposed to the network.

Mike Witt, the associate chief information officer for IT security at NASA, said they are rolling out software defined access as part of their move to micro segmentation.

“What this helps us do at NASA is, we’ve got very sensitive things we do at NASA, we have our intellectual property, you think about astronauts off planet on the International Space Station. We’ve also got other parts of what I’ll call IT research and development that we do on the science side, which is very open to public researchers,” he said. “We need to segment those things apart from each other so that we can have a lot more interaction with our public data, and then protect more of our sensitive infrastructure sensitive data differently. That’s where we’re very excited about zero trust.”

Reduce complexity of tools

Witt said the micro segmentation will limit users’ access to networks or data based on pre-set authorizations. He said zero trust will give NASA a level of control it hadn’t had previously.

A big piece of the move to a zero trust architecture is to reduce the complexity of security tools and capabilities.

Davon Tyler, the chief information security officer at the U.S. Mint in the Treasury Department, said they are identifying certain segments of their architecture based on the zero trust maturity model from the Cybersecurity and Infrastructure Security Agency to prioritize.

“We are looking at high priority, high-profile assets and introducing more complexity to those environments so that we can actually move forward in our zero trust journey. It’s identifying where we are, and then looking at the story on how we’re going to get to zero trust without a specific application, and not necessarily holistically bringing everything to zero trust, but looking at those scenarios, and helping moving forward,” Tyler said. “I think the second part is, telework has exposed our machines so it’s always been something that we’ve had to strategize around. It’s a current asset and deploying technology around the asset so that we can better protect and defend.”

Tyler said the Mint is taking more of an employee-centric cybersecurity model with the data also near the center of the effort.

Steven Hernandez, the chief information security officer for the Department of Education, said that employee-centric and data-centric approach also is why agencies are accelerating their zero trust efforts. He said remote working and mobile computing have expanded agency threat surfaces.

“Even before you deploy a bunch of awesome ZTA technologies, you have to sort out the questions around employee behavior and actions. It’s really back to the days of thinking about business process engineering because zero trust is going to bring incredible automation, incredible policy and trust engines that can make decisions, but they’re going to need to know what the rules of the game are,” he said. “If you don’t have those rules established before, you’re going to be making it up as you go along, and your artificial intelligence is going to be throwing wrenches all over the place and you may not have an idea as to why.”

Hernandez said implementing ZTA must not only include IT and cyber experts, but privacy, human capital and many others so these business processes are aligned and understood.

Big upswing in reverse engineering attacks

Phil Fuster, the vice president of federal sales at Proofpoint, said the people-centric approach aligned with the policy and privacy side becomes more important as the attack methods evolve. He said Proofpoint is seeing a big upswing in social reverse engineering attacks.

“The bad guys, the threat actors are targeting people with very specific campaigns based on maybe what privileges they think they have or what programs are assigned to you. They’re customizing the attack very specifically to that individual. We’ve seen that over and over. We’ve seen department heads being counterfeited and sent in phishing attacks so it looks like your boss is sending you an email or an SMS, and you have to respond to them right away,” Fuster said.

He added the use of counterfeit accounts through cloud services also is part of the attack vector.

“One of the things we’ve seen is about 98% of our customer base was attacked in some way by their supply chain, either by compromised users, malicious users, or just folks that were unaware,” Fuster said. “We also have seen supply chain issues arise around third party applications. A lot of our customers are asking us, can you risk or can you rate the supply chain for us based on their IP range and how much they’re being attacked? We have a trillion node network that looks at any IP and can give it some kind of a risk rating, based on how much they’re being attacked. But that’s a really important thing that a lot of our customers are looking for. They want to know what risk is being introduced when they can connect to a supplier. We have a systems integrator that has over 7,000 suppliers, and they’re utilizing our risk scoring now to help rate their supply chain.”

Learning objectives:

  • Zero trust in a hybrid and remote work environment
  • Risk measurement
  • Addressing legacy systems


Complimentary Registration
Please register using the form on this page or call (202) 895-5023.

By providing your contact information to us, you agree: (i) to receive promotional and/or news alerts via email from Federal News Network and our third party partners, (ii) that we may share your information with our third party partners who provide products and services that may be of interest to you and (iii) that you are not located within the European Economic Area.


Speakers

Mike Witt

Chief Information Security Officer, NASA

Steven Hernandez

Chief Information Security Officer, Department of Education

Davon Tyler

Chief Information Security Officer, U.S. Mint

Beau Houser

Chief Information Security Officer, Census Bureau

Phil Fuster

Vice President of Sales, Federal, Proofpoint

Jason Miller

Executive Editor, Federal News Network
