Building zero trust into agencies’ networks is on several IT modernization to-do lists through the federal government. But the term is so broad that it can often be misunderstood.
Mark Bunn, program manager for the Trusted Internet Connections (TIC) within DHS’ Federal Network Resilience Office, said the department has a large accreditation boundary, sometimes called “general support systems,” which can take up the entire entity. And that’s not narrow enough.
“The first step of that was with the HVA program, identifying what the high value assets are and where they are and what they are. A natural transition to that now is how do you protect those?” Bunn said on Federal Monthly Insights — Zero Trust. “Our piece is specifically on the communications between those different trust zones, and being able to capture any cyber-relevant information that’s inside of that traffic.”
Trust zones are not physical networks but rather concepts. A zone can have cloud, mobile and interactions between private and public-facing parts of the agency. They will narrow Bunn said part of TIC’s assignment was to clearly define what the word “trust” meant in a cybersecurity context as well as its criteria. But the move to a hybrid cloud for TIC will require those zone boundaries to change.
“What you have with a traditional network, is you do have a very clear boundary between ‘this is where my agency stops, and this is where the internet begins. This is where my agency stops and Internet 2 begins or other networks begin,” Bunn said to Federal News Network Executive Editor Jason Miller, on Federal Drive with Tom Temin. “We start talking about hybrid clouds, specifically, those boundaries go away. We start talking about software as a service as being an internal system, those boundaries go away again. And the big question we had is, well, if the boundary’s gone away, does the need to have a boundary focus program go away?”
Nothing personal: Zero Trust meant to stop cyber breaches before they start
TIC 3.0’s draft policy is out and Federal Chief Information Officer Suzette Kent said the final version is impending. Bunn explained how his team came up with use cases to draft the policy. These include factors such as email-as-a-service and remote user access. They looked at FedRAMP data from the General Services Administration to determine what top technologies agencies use and what gets the “biggest bang for the buck.”
“There’s two types of use cases. There are ones that are very, very agnostic and in general, just like the traditional TIC use case itself,” he said. “So you’ll see infrastructure as a service, obviously, software as a service, and platform as a service. So you’ll see those service models listed, just to have a real general — as far as other types of use cases we actually keep that as open ended as possible.”
Jeanette Manfra, assistant director for Cybersecurity for DHS’ Cybersecurity and Infrastructure Security Agency, said the federal government’s entire IT modernization effort has given agencies a chance to rethink how it architects its systems.
“Being able to operate in a place where, whether you call it a trust zone, or a zero trust network, but being able to build those architectures in those systems, to you know, build what — I like what Mark called a trust zone. And knowing you have certain elements in place to achieve that trust,” Manfra said. “If you’re thinking about systems where they have to be open, by their very nature, in order to do their job, in order to support your function, you’re going to have a different approach than a system that can be completely closed off.”
Manfra predicted zero trust would become a more common phrase a few years down the line. She said some great ideas have emerged around enterprise architecture, business processes and how technology supports that. But now the federal government wants to add cybersecurity to the mix.