Insight by AWS

Zero Trust Cyber Exchange: AWS’ Nick Miller on digital acquisition approaches required to achieve 4 zero trust principles

For agencies and companies alike, security is no longer a binary choice of protecting the network or protecting the person.

That’s a fundamental truth when it comes to zero trust, said Nick Miller, U.S. federal team lead for AWS Marketplace at Amazon Web Services. It’s at the core of four principles that AWS uses to help the organizations that it works with evolve to zero trust, he said during Federal News Network’s Zero Trust Cyber...

READ MORE

Shape

Zero Trust Cyber Exchange: AWS

Your approach to zero trust needs to be applied, perhaps differently, depending upon the organizational value of the system and data that you’re trying to protect.

For agencies and companies alike, security is no longer a binary choice of protecting the network or protecting the person.

That’s a fundamental truth when it comes to zero trust, said Nick Miller, U.S. federal team lead for AWS Marketplace at Amazon Web Services. It’s at the core of four principles that AWS uses to help the organizations that it works with evolve to zero trust, he said during Federal News Network’s Zero Trust Cyber Exchange.

Principle 1: Decrease reliance on the network location

“The best security doesn’t come from making this binary choice between identity centric and network centric tools, but rather effectively using them in combination,” Miller said.

Under the concept of zero trust, organizations are combining the best pieces of the old model of defense in depth focused on the network perimeter with newer models using role-based access control that focus on the device and the user.

Principle 2: Define the context of the use

For a lot of agencies, zero trust can mean different things at different times and in different contexts. Understanding how, when and why data is used is the second principle.

“Nuance matters in this conversation, and arguably one of the key reasons around this ambiguity is that the term [zero trust] encompasses many different use cases. It encompasses the edge. It encompasses the centralized network,” he said. “For us, those use cases share only the fundamental technical concept of diminishing the security relevance of the network location or boundary.”

Principle 3: Identify the value of the data

It’s also important that a zero trust strategy take into account the organizational value of the system and data being protected, Miller said. That’s the third principle.

“That’s a really important concept,” he said. “Your approach to zero trust needs to be applied, perhaps differently, depending upon the organizational value of the system and data that you’re trying to protect.”

Over the next 15 months, by the end of fiscal 2024, agencies will be working toward that secure architecture and achieving the 19 objectives laid out in the Office of Management and Budget’s zero trust strategy.

Agencies will have to figure out how to integrate legacy technology, much of which is in on-premise data centers and new technology in the cloud.

Principle 4: Keep innovating

To do that, Miller said agencies have to consider how to drive continuous innovation, Principle 4.

The goal is to focus on a specific problem that an organization is trying to solve, and approach that with fresh ideas and new tools, Miller said. Those new tools must ensure organizations can build faster, more flexible, more scalable and more secure systems.

“Our government customers need to have less work when building and deploying and rapidly iterating to build and deliver secure systems,” he said. “Speed is really important. But increasingly, our customers are asking us about secure architectural patterns that fall under this banner of zero trust.”

They also must do it while working within the federal acquisition process and budgetary challenges, he acknowledged.

“You have to be able to implement this digital acquisition,” he said. “Our methodology provides governance” balanced against speed and compliance demands, he said. “We have to do that in a way that ensures fair and open competition and allows for compliance. I think technologies like cloud marketplaces and native US marketplace can help achieve those objectives.”

Miller said AWS Marketplace’s relationship with independent software vendors (ISVs) also can help agencies move toward the secure architectures required under zero trust.

For instance, the ISVs that AWS partners with have invested in tools and capabilities to meet zero trust requirements and achieve certifications like Impact Level 4 or 5 for the Defense Department, he said.

“The AWS Marketplace is a really large digital curated catalog that helps our customers in cloud buying by deploying government third-party software,” Miller said, adding, “Increasingly, I’m talking to government customers about how do they use that to drive innovation in the federal space?”

To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.