Education Dept sees data as building blocks for zero trust in telework environment

Agencies have taken cautious steps toward reopening facilities in states loosening their coronavirus pandemic restrictions, but the Trump administration’s guidance on reopening the federal government relies on continued use of telework for at least the first two phases.

While agencies continue to maximize their use of telework during the pandemic, and have improved their IT infrastructure through funding under the CARES Act, an increase in remote traffic has also raised concerns about network security.

Steven Hernandez, the chief information security officer at the Education Department, said the agency has been “tremendously productive” with a workforce that has largely worked from home, despite a rollback in the agency’s telework policy prior to the pandemic.

“We’re looking at some of the qualitative metrics, and we’ve been more productive during the COVID situation than almost any time in the past,” Hernandez said last week at a webinar hosted by Federal Computer Week.

Advertisement

To support a governmentwide surge in telework traffic, the Cybersecurity and Infrastructure Security Agency last month rolled out interim guidance for its Trusted Internet Connections (TIC) 3.0 program, which provides security capabilities for remote federal employees securely connecting to private agency networks and cloud environments.

But the increase in remote traffic has also built the case for agencies moving toward a zero trust model for network security.

At the federal level, the National Institute of Standards and Technology has worked with the Federal CIO Council on a zero-trust working group. NIST in February also released Special Publication 800-207, which sheds light on how agencies should start deploying zero trust.

But in order to roll out zero trust to agencies, Hernandez said agencies need to build trust in their vendors.

“Part of the trade-off in the leveraging cloud solutions and other outsourced solutions is we provide a certain amount of trust with our vendors, that they’re going to keep us safe and that they’re also going to advance their solutions,” Hernandez said. “Our side of that equation is we have to keep up as well, and when we do that, it’s great, because there’s two opportunities there: One, we keep up to date and with the current software and technologies, but two it gives us an opportunity to also make sure that as new interfaces and applications become available to support things like zero trust architectures, we take advantage of those situations.”

While zero trust remains an aspirational goal for much of the federal government, Hernandez said improvements in machine learning, robotic process automation and artificial intelligence at a lower cost has reduced the barrier to entry for zero trust.

“One of the foundational pieces of zero trust is the more data you have, the better you understand it. The more history of data you have, the better decisions your automation can make,” Hernandez said.

But in order to build out the “trust engine” that allows users to access secured agency networks, Hernandez said chief data offices and the agency’s general counsel should have a seat at the table.

“You’re going to need your chief data officer at the table because they’re going to have a lot of data around the mission space that you’re going to find very interesting, and they probably have a lot of interest in your data as well, so that’s a necessary relationship that has to be there. You need to have someone from your general counsel office there at the same time,” he said. “Some of the data you’re going to want may have certain protections, and you may need to do things like update your system of record notice and you need to make sure that you’re following, for example, the Privacy Act, to make sure that folks understand how their information may be used.”

Building the data foundation necessary for zero trust also depends on collaboration with the chief human capital officer and data privacy officials. Hernandez said those conversations should include access to data sets such as time and attendance records.

Those records, he said, could help weed out anomalous network activity, such as users logging in from different locations because they’re on official travel or vacation.

“If you can get that data, it becomes a very robust set of information that you can leverage to start looking at user behavior,” Hernandez said.

Having access to a more robust set of data, he added, could also prove useful in mitigating insider threats.

“We have to think more broadly about where we source our data, especially around the behavior of the user,” he said. “One of the more nefarious ones: what about a poor performer angry with the organization [and] didn’t like his last performance review? We know that, and then all of a sudden, we notice he has a lot of data flowing out of his device. Those two together, probably a high-risk situation, the control plane should respond — let’s throttle back on that exfil until we can figure out what’s happening.”