Although adoption of zero trust is the biggest cyber shift forward in decades, it’s also a mindset challenge because both government and industry are now on j...
What excites me the most about zero trust is it’s really the most transformative strategy and thinking shift we’ve had in cyber in the last several decades. What I get excited about is it starts to bring several critical areas of the mission into focus.
Vice President and General Manager, Public Sector Worldwide, Intel
The Cybersecurity and Infrastructure Security Agency defines the nuts and bolts of an effective zero trust strategy as an agency taking a closer look at identity, devices, their network and environment, application workload and data.
Beyond the technical nature of a zero trust strategy, however, Cameron Chehreh, vice president and general manager for public sector worldwide at Intel, said an effective zero trust strategy must also include change management.
“What excites me the most about zero trust is it’s really the most transformative strategy and thinking shift we’ve had in cyber in the last several decades,” Chehreh said. “What I get excited about is it starts to bring several critical areas of the mission in focus.”
Chehreh said zero trust has created a “teaming spirit around cyber” and requires agencies to understand that cybersecurity is everyone’s responsibility — from IT to leadership and then the end user.
But for agencies to achieve an enterprisewide focus on zero trust, he said the cyber community needs to establish connections to the rest of the organization.
“We have to build the bridge to the end user to make sure that when we talk about cyber, we can make it digestible in layman’s terms,” he said. “It’s not that mission users don’t get it, or they don’t understand it, but we have to build that bridge and that vernacular so we can operate safely together.”
Although the concept of zero trust has been coming into focus for the last few years, Chehreh said the COVID-19 pandemic — and the remote working environment it created — forced agencies to think about key pillars of zero trust, including user devices and application access.
The conversations inside of IT and security organizations swiftly homed in on figuring out what people needed access to if they were be highly effective and also not put the government at risk. That became the priority, he said.
“For the longest time when we would give users access to the enterprise and to data, it was kind of an all-or-nothing thing,” Chehreh said. “Now we’re able to shape the user profile a little bit more, based on what their mission use or their mission operation is.”
Those efforts during the pandemic created new demands too. “There are complexities that arise from it, as you would well imagine,” he said. “But thankfully, the modernization of software and tools today is helping streamline that a bit. We’re not there yet, but we’re on a great path and the trajectory is correct.”
The pandemic era of cybersecurity has also demonstrated the value of exercising a “know before you go” approach, Chehreh said.
“Before you go set up a user, before you give someone access and let them have a device that creates the largest attack surface we have in the enterprise, make sure you know their role, the data, the applications and the things they need to be highly effective. Plan for the unpredictability of the network and connectivity, but ensure that the endpoint and the user are safe and they have what they need in the field,” he said.
An effective zero trust strategy requires agencies to balance between giving authorized end users access to the data they need and keeping that data secure from malicious actors.
“Governance plays a key role because it’s either cumbersome or it’s enabling. You really want to shift to the enabling piece. What I mean by that is leverage tech and automation to its fullest potential because what that allows you to do is enable governance in real time,” Chehreh said.
Effective governance also comes down to streamlining the process of managing and authorizing access to data.
“We are just swimming in an ocean of new data, but it’s unstructured. It’s unfiltered. It’s unvetted. Instead of us just storing oceans of data that have no value, find a way to determine what is valuable and what’s not. Get rid of what’s not, and then ensure you’re making decisions based on that,” he advised.
While technology helps organizations make zero trust a reality, Chehreh said that technology is only a piece of implementation, and “not really a silver bullet” to making zero trust happen.
“It’s more about the way we think, the way we operate. It’s really not about the technology, although the technology helps us automate and enhance how we execute on it,” he said.
While the federal government is moving toward making zero trust a reality, agencies are still running into several common hurdles.
Among them is finding better ways for government and industry to collaborate from an acquisition standpoint, Chehreh said.
“Zero trust I see as a journey, and we’ve been very challenged — even in the commercial segments — to understand how to measure success of a journey,” he said. “The government is brilliant at buying things and measuring that we have the things we’ve bought. They’re brilliant at measuring the success of how well those things are performing, but we have to remember that zero trust is a journey. What I mean by that, is am I operating more securely month over month.”
That’s a challenge for most people to understand, Chehreh continued, in part because this is an operational journey that will never end. “Unfortunately, it’s because the adversary never sleeps. We find that there are millions and millions of new exploits that we uncover each day, both signature- and nonsignature-based. Zero trust is one of those things you will have to be ever-vigilant with.”
To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Jory Heckman is a reporter at Federal News Network covering U.S. Postal Service, IRS, big data and technology issues.
Follow @jheckmanWFED
Vice President & General Manager, Public Sector Worldwide, Intel Corporation
