Zero Trust Cyber Exchange: FDIC’s Stephen Haselhorst on building ZT from scratch

Agencies working to establish zero trust architectures must approach zero trust as a definitive program, not as a tack-on to ongoing cybersecurity efforts. That’s a principal lesson Stephen Haselhorst said he learned in his 20 years working for the Defense Department.

Today, he’s the zero trust program manager for the Federal Deposit Insurance Corporation, a job he began in April after serving as chief technology officer for the Air Combat Command.

“The main thing is...

READ MORE

Shape

FDIC’s Stephen Haselhorst on building ZT from scratch

When we talk about zero trust, we actually talk about, instead of preventing compromise, we talk about assuming compromise. So how are you going to change your architecture to defend against potentially being compromised?

Agencies working to establish zero trust architectures must approach zero trust as a definitive program, not as a tack-on to ongoing cybersecurity efforts. That’s a principal lesson Stephen Haselhorst said he learned in his 20 years working for the Defense Department.

Today, he’s the zero trust program manager for the Federal Deposit Insurance Corporation, a job he began in April after serving as chief technology officer for the Air Combat Command.

“The main thing is to make sure that you’re fully organizing yourself around zero trust, that you’re not operating as a pickup game,” Haselhorst said at Federal News Network’s Zero Trust Cyber Exchange. People should not be working on it part-time while also doing other things, he said.

“Before you get into all the cool technology and the kind of stuff that everybody loves, you really have to focus on establishing your program, establishing your organization,” Haselhorst added.

Establishing a full-blown zero trust team

A discrete zero trust program will be more effective in addressing the pillars of zero trust as defined by the Cybersecurity and Infrastructure Security Agency. At FDIC, the zero trust program lives in the chief information security officer’s organization, and Haselhorst reports to the CISO. But as its own line of business, Haselhorst’s group has more ability to communicate and collaborate with groups across the agency that have a stake in zero trust, which is essentially everyone.

Outward communications are essential to the zero trust program, he said. Why? Because establishing a zero trust network architecture — which, after all, is required for all federal agencies by the president’s executive order on improving cybersecurity — will likely require new procedures and technology approaches by the existing cybersecurity operators.

“You’ve got to work with them to try to understand what the future holds, where we’re going, what we’re trying to do,” he said. “But what I find for the most part is, people are extremely excited about zero trust once they understand it, once they start capturing what they need to do.”

Another value in the programmatic approach to zero trust, Haselhorst said, is how it ensures the effort will have a champion for the funding it needs, whether resources are being sought to hire subject matter experts or acquire technology tools.

Pillars of zero trust

Haselhorst pointed to the National Institute of Standards and Technology’s Special Publication 800-207 as a foundational document for developing the pillars or tenets of zero trust.

Initially, agencies should focus on identity management, he advised.

“You need to have a full understanding of all your users, whether they’re internal or external, in somewhat of a centralized repository,” Haselhorst said.

Multifactor authentication (MFA) comes next. Most agencies are fairly well along in their use of MFA as the best-practice approach for doing away with passwords, Haselhorst said. MFA uses a unique identifier associated with each device as one factor and a biometric — such as facial recognition — as the other.

Government-issued devices give administrators the most control. But that doesn’t rule out having to manage bring-your-own devices, Haselhorst said. To reduce risk, “I can grant access from a BYOD device to a limited set of data or a limited set of resources,” he said.

Still another important pillar in zero trust involves microsegmentation of networks.

“That’s not talked about enough,” Haselhorst said. “Segmentation of your network is essential.” Zero trust shifts from mode of compromise prevention to assumed compromise, he explained, adding that zero trust seeks to protect data ultimately. Microsegmentation helps isolate any presumed attacks so they don’t spread throughout the enterprise environment.

Visibility matters in zero trust

Zero trust also requires visibility of all of the network elements across the enterprise. Ensuring that is more easily said than accomplished, given the multiple networks and commercial cloud infrastructures that comprise the typical federal infrastructure today, Haselhorst said.

“Security teams traditionally have focused on that perimeter on the enclave,” he said. “We kind of call it the choke point, or the bottleneck, and you can see everything coming in and out, and you can monitor it.”

Now, activity is happening on premise, in the cloud, and in whatever home or coffee shop in which an employee happens to be working. The notion of a solid perimeter network has all but disappeared, Haselhorst said.

“You need to rethink your visibility, so that you have the right visibility or the right data points and telemetry that you’re getting from every one of those edge points,” he said.

With the right telemetry, the cyber team can monitor data across an organization, he said. “The data is what we all seek to protect. That’s the whole point of zero trust.”

To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.