The federal zero trust strategy is clear: Implementing the new architecture is not solely the job of CISOs and sysadmins. It will require a cross-discipline tea...
A lot of times people think they have to go out and buy a zero trust solution. … Usually, it takes a lot of the tools, techniques and functionality that they have in their enterprise today.
Regional Vice President of Systems Engineering for Public Sector, Forescout Technologies
If there’s one message that cybersecurity experts have when it comes to zero trust, it’s that you can’t buy it “in a box.”
The shift away from a perimeter security approach to zero trust won’t involve any one technology product, but the architecting of several well-known cybersecurity techniques and approaches, said Tim Jones, regional vice president of systems engineering for public sector at Forescout Technologies.
“A lot of times people think I have to go out and buy a zero trust solution,” Jones said during Federal News Network’s Zero Trust Cyber Exchange. “That’s not the case. Usually, it’s taking a lot of the tools, techniques and functionality that they have in their enterprise today, and maybe bending and weaving them a little bit differently, to start to line up and accomplish some of those mission critical components.”
The approach cuts across distinct areas like identity and access management, devices, and data security. The all-encompassing concept necessitates the involvement of a high-level governance team that can bring together the different pieces of zero trust into a coherent whole, he advised.
“That governance team usually has some level of position or prioritization as to who can make that determination that we’re going to allow for this system to be turned on, or we’re going to give these groups this level of access to those systems in those services,” Jones said. “It’s figuring out kind of who is going to be ultimately responsible, and then how we’re going to make sure that we’ve implemented the best-of-breed approach as we start to automate and start to implement some of the different tools.”
The White House’s zero trust strategy makes it clear that it won’t be up to solely the chief information security officers and system administrators to implement the new security architecture. It specifically directs chief data officers to work with their CISO counterparts to, for instance, develop a zero trust security guide for their agencies.
The zero trust concept pulls in different mission owners, ranging from security professionals to application development teams.
“It does take some stringing together of those teams,” Jones said. “Sometimes, some of those teams are a little bit at direct odds with each other.” An agency will need to make sure that its teams understand that the common goal is to protect data resources through a zero trust model for the entire organization, he said.
He pointed to literature and independent evaluations of zero trust to help convince any wary system or mission owners of the approach’s efficacy and value.
For instance, in 2020, the National Institute of Standards and Technology published SP 800-207, which lays out a systemic approach to a zero trust architecture. This May, the agency also published a new cybersecurity white paper, “Planning for a Zero Trust Architecture: A Planning Guide for Federal Administrators,” that further connects the security concept to NIST’s well-trodden Risk Management Framework.
“Access to data doesn’t need to be restricted or constrained,” Jones said. “It just needs to be protected and needs to be evaluated, and it needs to be re-adjudicated. That’s what zero trust is trying to do. It’s trying to say, ‘Hey, we’re not going to shut these services and functionality off. We just need to strengthen some of the security controls and our approach to allowing for that connectivity back into the system.’ ”
To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Follow @jdoubledayWFED
Regional VP of Systems Engineering for Public Sector, Forescout Technologies
