The Department of Health and Human Services is in the process of moving toward a zero trust architecture. Currently, the agency is collecting information on where it may be vulnerable and refining how it will adopt this new security model.
HHS undertook an exercise to inventory its systems and, for each one, map every facet of the zero trust model, a painstaking process. HHS then used that information to create a maturity model, which it applied to identify where it may be falling short.
“We want to make sure that there’s not built-in security compromises that we can identify from manufacturing to implementation,” said La Monte Yarborough, the chief information security officer at HHS. “We want to ensure that we’re weighing against our legacy technologies to ensure that they’re still, while they remain in service, capable of being patched appropriately, being updated appropriately and they can handle transforming into a zero trust paradigm.”
He said that for each system, HHS must measure and manage the risks to both cybersecurity and mission areas as it implements zero trust.
“Zero trust, in a lot of ways, is a compilation of discrete activities that were being done already in some facet or form. Now, the exercise is to try to discern or evaluate how mature those processes are, and figuring out a way by which you can coalesce them in a manner that you could reasonably define as a zero trust architecture,” Yarborough said on Federal Monthly Insights — Zero Trust. “We refer to the system model and that helps us from a roadmap perspective to evaluate and assess where we are individually, and then evaluate the types of resources that we need to apply to move the dial. We go over scar tissue, lessons learned, etc., and we get the opportunity to identify any particular pain points that we could help each other out in moving forward.”
Yarborough said that once his team figures out where the gaps in zero trust coverage are, it can devise a plan based on the specific shortfall, whether that is technology, personnel, funding or all of the above.
“That data is helpful for us because then we can begin to have the conversations on where we’re going to get those resources, and we can make the respective appeals to those who could potentially provide us those resources,” he said.
Additionally, he said HHS can lean on industry, particularly its cloud service providers, to take advantage of the security capabilities already built into their platforms.
“It requires a certain level of understanding of the behavior of the cloud service provider. It requires being very specific in contract language and service level agreements with respect to the behavior of the cloud service provider,” Yarborough said.
Yarborough said the challenge HHS faces when it comes to zero trust is as much a culture change as a technology problem.
“People who do the same thing every day within the cybersecurity sphere look at it through a particular lens. You have to truly think differently in some ways to fully appreciate this new concept. And that might require some external eyes to come in and help facilitate our direction,” he told the Federal Drive with Tom Temin. “I think it would be a good idea to make room for the possibility of, perhaps, leveraging external talent, who comes in without a particular bias to the environment that these operators have operated in for years, just to make sure that the perspective is accurate.”
As with any new initiative, educating the workforce remains a key factor in successfully moving to zero trust.
“I think along this journey we’re going to have to expect or provide some level of training because I think zero trust as a paradigm is also a mindset. We’re accustomed to doing things in certain ways. We’re accustomed to having access in the ways that we have them now, and they may change somewhat at the end of this journey. So it’s not only the technical things that we implement. It’s not only the logical things that we implement, but it’s our mindset, our perspective,” Yarborough said. “It’s a constant, dynamic kind of activity. When we hear that term [zero trust], I try to disabuse people of this notion that we’re starting from scratch and trying to build toward something.”
HHS is also being cautious about how to approach zero trust for non-human entities. Yarborough said artificial intelligence and machine learning technologies are powerful, but his concern is using those technologies without violating copyright and intellectual property rights.
“We’re doing our best to first appreciate the capacity of AI and ML technologies. So we’re trying to understand their capacity, their ability to help us do our work. And we’re still doing that discovery process or assessment on how available do we make these technologies — maybe not just to our technical folks, but to our everyday users,” Yarborough said. “We have to be mindful of what we can do to defend ourselves from those who will come after us, leveraging those technologies.”