Zero Trust Cyber Exchange: NASA’s Mike Witt, Christine Gex on intersection of RPA, cybersecurity

Given NASA’s sprawling network and the need to balance data access with cybersecurity, the space agency views automation as a foundational aspect of its zero trust strategy.

“Automation is the future. There’s just too many things happening on our network every day for the human analysts to go through, to analyze what’s happening — is this good, bad or indifferent, or whatever?” said Mike Witt, senior agency information security officer and chief information security officer...

READ MORE

Shape

Zero Trust Cyber Exchange: NASA

Automation is the future. There’s just too many things happening on our network every day for the human analysts to go through, to analyze what’s happening.

Given NASA’s sprawling network and the need to balance data access with cybersecurity, the space agency views automation as a foundational aspect of its zero trust strategy.

“Automation is the future. There’s just too many things happening on our network every day for the human analysts to go through, to analyze what’s happening — is this good, bad or indifferent, or whatever?” said Mike Witt, senior agency information security officer and chief information security officer for cybersecurity and privacy. Witt and Christine Gex, intelligent automation service lead at the NASA Shared Services Center (NSSC), detailed the space agency’s zero trust efforts during Federal News Network’s Zero Trust Cyber Exchange.

Every agency faces unique challenges and considerations as part of its zero trust strategy, and NASA is no exception.

“We’ve got things that are flying out in space that we’ve launched back in the ‘70s that are still out there. And that means, to catch that communication back to it, we’ve still got a lot of legacy infrastructure on our network that we’ve got to make sure stays properly isolated, so that no harm comes to them,” Witt shared. “When you start talking about bringing zero trust — new, modern cybersecurity technology in, having to plug into some of our legacy infrastructure — that’s the challenge around it. How do we integrate into some of our environments on our mission side, so that we have a zero trust design that meets what we’re looking for?”

NASA all in on microsegmentation

Witt said the agency’s zero trust strategy needs to balance NASA’s need to protect sensitive information with the agency’s role as a source of data for the public and research community. He said that underscores the agency’s need for network microsegmentation powered by automation.

“Prior to rolling out the software-defined architecture, we had to bascially treat to the highest level. When you lock everything down, because you’re protecting the intellectual property and you’re protecting those astronauts who are off-planet and stuff like that, that design does not fit well for our other scientists who need access to that low public data,” Witt said.

The goal, he said, is to balance secure access with ability for users to get the data they need to do their jobs, “whether it’s at a very secure level or a not-so-much secure level,” he said.

Bots and NASA cybersecurity

NASA has deployed attended and unattended bots for a range of back-office functions, including cybersecurity. Gex said that NSSC has about 11 unattended bots that run financial applications and help desk, human resources and procurement functions.

“Whenever we talk about automation from a user standpoint, we’re really just mimicking human activity, so we’re going to take on going through all those controls and those gates,” she said. “We’re assuming our bots are credentialed, they’re ready to actually do those activities, and they have access to actually pull down that data.”

NASA treats the credentialing of bots no differently than human users on the network, Witt said, adding that the agency’s use of robotics process automation (RPA) don’t introduce any additional risk to the agency’s network.

“Even though they’re bots, they’re still an identity on our network, just like I’m an identity, just like Christine’s an identity on our network,” he said. “Should something go wrong around that, we haven’t had any issue whatsoever with any of the bots yet. But they’re treated no different than any human user on our network, from a cybersecurity standpoint.”

Detailing bots for cyber duty

While NASA initially deployed bots to help with financial management tasks, Gex said RPA also can help empower cyber analysts.

“If you have manual efforts going on, we would look to automate that, where you could digitally find [something] faster. So really, it would be nice to have the bots actually execute and read those logs, and then go after what the analyst really needs to go after. To me, it’s like that 80/20 rule. They would spend their time on that 20% that could be a potential problem,” Gex said.

Witt said automation of zero trust and cybersecurity functions allows NASA to respond to potential threats in near-real time.

“As things are happening on our network, we’re not waiting on a human analyst or human incident response person to do that analysis and apply, if you will, the actual response to it. We’ve already got things that we know that we’re going to apply in advance when certain things happen, so we’re going to take advantage of the automation, so when those things are triggered, the playbook of how we respond to that is auto-triggered and is automatically done without any human interaction,” Witt said. “We’ll still have all the analysis around that, all the data collection around that, to go back and look at, if we need to at a later date. But that’s what we’re looking to do, is take advantage of a lot of our automated response on the security operations center side of the house or incident response side of the house.”

Speeding microsegmentation management thought automation

Witt said automation also supports microsegmentation on NASA’s network, which allows the agency to balance ease of access with maintaining a high level of security.

“We’re allowing remote connectivity into parts of our infrastructure, whether it be data, whether it be applications or understanding exactly how those systems are connecting,” Witt said. “We’re past the days of, ‘Is the username and password good?’ or ‘Is even the two-factor good?’ We’re getting a lot more signaling from the devices, how they’re configured.”

That level of automation, Witt added, helps NASA determine what level of access a user should have.

“It can be a full-blown, ‘Here’s your full connectivity. You can fully interconnect and download data to that device,’ or it can be … ‘You can interact with the application or with the data, but you cannot pull any of that data down whatsoever,’ ” Witt said.

NASA began working with the Federal CIO Council and the Department of Homeland Security on standing up a zero trust architecture before the Biden administration’s executive order.

The agency has submitted its zero trust plan to the Office of Management and Budget and DHS for review. Even so, Witt said he still considers the agency in the initial phase of its zero trust journey.

“We’re still in the early stages, but we’re not on day one or week one of this journey. It’s going to be a multiyear journey,” Witt said.

To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.

Featured speakers

  • Christine Gex

    Intelligent Automation Service Lead, NASA Shared Services Center

  • Mike Witt

    Senior Agency Information Security Officer and CISO for Cybersecurity and Privacy, NASA