Top four zero trust misconceptions


The federal government is accelerating the move toward zero trust security. As part of the President’s Executive Order for Improving the Nation’s Cybersecurity, agency decision makers should by now have developed a plan to implement a zero trust architecture (ZTA), incorporating migration steps laid out by the National Institute of Standards and Technology.

In a recent memorandum, the Office of Management and Budget released its updated Federal Zero Trust Strategy in support of Executive Order 14028 to help agencies build upon those plans. The goal of this strategy is to move agencies towards a shared baseline of early zero trust maturity. This transition will be a multi-year journey for agencies, and the federal government will learn and adjust as new technologies and practices emerge, according to OMB.

Zero trust represents a dramatic shift in how federal agencies will secure infrastructure, networks and data, from ‘verify once at the perimeter’ to continual verification of each user, device, application and transaction. As the concept of zero trust continues to evolve, there are still misconceptions about this cybersecurity framework that need to be dispelled.

Here are some of the biggest misconceptions and how agencies might address them:

1) Agencies can go out and buy zero trust.

The biggest misconception is that agencies can go out and buy zero trust. Zero trust “is not just something I can flip the switch on overnight and I can go implement it in my network,” Patrick Grimsley, Chief Information Security Officer with U.S. Transportation Command (TRANSCOM) at Scott Air Force Base, Illinois, said during the Fal.Con for Public Sector virtual conference. “Never trust, always verify” is the foundation on which it is built. However, zero trust is a methodology that impacts how users, network administrators and cybersecurity teams move through and handle operations on networks. The biggest challenge will be getting buy-in from everyone. The government must take a holistic business and environment approach to effectively implement zero trust cybersecurity principles.

2) Legacy security technology can’t protect today’s critical systems.

In the current threat environment, federal agencies can no longer depend so heavily on perimeter-based defenses to protect critical systems and data. With the migration to the cloud and move to mobility, castle walls and the perimeter no longer exist. Security technology must be closer to the data and the user. Meeting this challenge will require a major paradigm shift in how agencies approach cybersecurity. Many of the network-based security tools were effective when the operating conditions were mostly static and when the data and users were on premises, but that is not the world we live in today. As data and users are spread everywhere, some of the legacy security solutions agencies have been relying on for decades or more will not be as effective going forward.

3) Zero trust can be assembled in a piecemeal fashion.

There are emerging solutions that address different aspects of zero trust, such as identity and access management, multifactor authentication and endpoint detection and response, but agencies must take a holistic approach toward the implementation of security controls and technology. Acceleration toward a zero trust cybersecurity posture will undoubtedly be hampered if agencies are implementing tools without considering how they interact within an ecosystem of security and management solutions. A piecemeal approach doesn’t give security teams visibility across different zero trust solutions nor does it allow them to take advantage of the collaborative functionality of those tools. What’s more, a piecemeal approach can contribute to suboptimal user experiences while also introducing unnecessary complexity and cost.

4) Zero trust can be implemented without training the workforce.

Zero trust changes the way administrators manage and maintain networks. Traditionally, admins are used to having network privileges all the time. Now there is a switch to administration on-demand where admins get tokens that give them privileges for specific tasks for a certain amount of time. Maintaining that level of credential access is a difficult task. Therefore, agencies must develop plans for training, specifically for system and network administrators as they are going to bear the brunt of the workload.

It is not easy to implement zero trust, and the policies and enforcement requirements create more work for administrators. Does your agency have the right resources internally to support implementing zero trust? If not, agencies must go out and acquire access to those skilled resources.

Making zero trust a reality

According to Mark Gamis, head of Booz Allen Hamilton’s Federal Civilian Cyber business, who also spoke at Fal.Con for Public Sector, agencies should focus on strategy, accountability and urgency. With strategy, agencies need to baseline where they currently stand against a “to be architecture” for zero trust. There are different levels of maturity, and each one has a different cost envelope and risk level associated with it. It is important for an organization’s leadership to know their destination so they can do a current state assessment and then build a multi-year plan for evolving to a zero trust architecture.

Accountability means that zero trust cannot be a side project. Implementing zero trust principles must be “as urgent as compliance reporting,” and it must be resourced effectively. Urgency means that agencies cannot “kick the can down the road.” Zero trust must be a high-priority initiative. Agency leaders must realize this will be a multi-year endeavor, and as a result they must set milestones and hold people accountable. Plus, zero trust architecture, capabilities and principles must be tested within a test environment or lab before putting the concept into production.

Momentum is building for the shift to zero trust. The Cybersecurity EO, OMB strategy and the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model form a roadmap for agencies to achieve specific zero trust goals by the end of fiscal year 2024. It’s time to dispel the misconceptions and start moving forward with impactful zero trust strategies.

James Yeager is vice president of public sector and healthcare for CrowdStrike.

Copyright © 2024 Federal News Network. All rights reserved.
