DHS components on different paths to reach the zero trust end goal

Date: On demand
Duration: 1 hour
Cost: No Fee

Description

The Homeland Security Department is taking steps to address ever-changing cybersecurity threats and challenges through a zero trust architecture. But there is no single approach to ZTA; rather, each component is taking a slightly different path to reach the same goal across the entire agency.

DHS is in a distinctive position when it comes to cybersecurity. It is both the chef and the diner.

Through the Cybersecurity and Infrastructure Security Agency, DHS provides guidance, technical support and coordination across the government. The components, in turn, must implement what CISA and others ask of them, and they are, maybe, held to a higher standard because they sit within DHS.

The continuous diagnostics and mitigation (CDM) program is a perfect example of this. While CISA put similar agencies into groups, DHS was its own group, meaning it was charged with implementing CDM tools and capabilities ahead of most agencies.

In fact, agencies and CISA are close to completing the baselines for asset management and identity and access management, which are foundational pieces of a zero trust architecture, for all civilian agencies.

The CDM effort is but one example of how agencies have been moving toward this zero trust concept for some time. And to be clear, zero trust is not a technology or a tool, but a concept and framework that helps agencies and really all organizations protect systems and data. It moves the protections to the edge with the device and the user instead of the perimeter of a data center.

Shane Barney, the chief information security officer for the U.S. Citizenship and Immigration Services within DHS, said his agency started the move to zero trust more than five years ago, about the same time it started to move to the cloud. That has led to USCIS leaning on identity and access management capabilities to manage its role-based access for about 97% of all applications.

“We had a lot of these foundational pieces in place, and it became very evident that the zero trust model and architecture was really what we need to have, especially when given the cloud technologies and especially on the development front and the areas we are moving into. We started with some sort of base level assumptions. We went in with the idea that everything is dynamic in our environment, especially in cloud, and we’re going to the idea here is to permit the least amount of privileges possible, but still be able to accomplish the task or job at hand, and watch and verify everything, those were sort of our baselines,” Barney said during the discussion Strategies for a Zero Trust Architecture sponsored by Splunk. “Now, of course, we set up an official zero trust work group. But really, we want to take more of an agile approach to it from a security perspective, which means we start small, we fail early and fail often because that’s part of the process. But we fail forward and we do it again, repeat, learn, repeat, and rinse and do it again. We started out with tiny projects on which we’d be employing the zero trust principles.”

Barney said agencies need to think about what zero trust means. He said it’s actually about asset trust.

John Samios, the chief systems security officer for the Transportation Security Administration in DHS, said his agency is working across the five pillars of CISA’s zero trust maturity model—identity, devices, network, application and data.

“What we’re trying to do initially is get corporate buy-in. We’ve started an integrated product team (IPT) across all of TSA to make sure everybody really understands the scope of what we’re trying to do and what are the goals we’re trying to achieve. Then we can set milestones and set metrics that we can actually say, ‘we have successfully got this bar, let’s go to the next gate,’” Samios said. “I think we’re making some good progress into doing that, into developing that, and then from that, we come up with our plan and try to come up with timeframes of when we can reach these things.”

The IPT includes the CXO community as well as program managers, business owners and system owners, Samios said.

Craig Wilson, the director of identity credential and access management at the Federal Emergency Management Agency in DHS, said his agency is moving its identity and access management system to the cloud as part of its cyber and IT modernization effort. The FEMA enterprise cloud authentication bridging services (FECABS) is a software-as-a-service implementation that should be ready by the end of fiscal 2024.

“We already know what the state of play for radius migration is. We have systems that we’ve already done some minor modifications to and systems that have challenges,” he said. “We’re going to focus on those systems that are ready upfront, and then by that time, the others should be ready to go and bring them in there.”

Bill Wright, the senior director of North American government affairs at Splunk, said that as each agency advances down the zero trust path, it should keep in mind that the real tenet of all cybersecurity is trust, so it needs the ability to identify all of its assets and then assess their trustworthiness across that ecosystem.

“In a zero trust environment, there’s a real need to have that granular, continuous visibility into every component, including real time risk scores and the infrastructure. Then, more importantly, the context to evaluate the trustworthiness of every device, user and ensure every network flow is authenticated and authorized,” he said. “The policies need to be dynamic and calculated from as many sources of data as possible. Those are the real challenges, I think, in pulling together all of these tools is getting the most out of that data that’s coming in.”

Learning objectives:

  • The move to zero trust
  • Tools for zero trust
  • The risk-based decision process



Featured speakers

  • Shane Barney

    Chief Information Security Officer, U.S. Citizenship and Immigration Services

  • John Samios

    Chief Systems Security Officer, Transportation Security Administration

  • Craig Wilson

    Director, Identity Credential and Access Management, Federal Emergency Management Agency

  • Bill Wright

    Senior Director, North American Government Affairs, Splunk