Zero Trust Cyber Exchange: RSA
A cloud service can keep the software up to date, can make sure it’s available, can make sure that you have that consistent interface, not only for the users, but for the people doing that administration.
Steve Schmalz
Field Chief Technology Officer for Federal, RSA
Agencies face clear mandates from the Biden administration to make zero trust a priority, but some still might not know where to begin with implementation. That’s OK because the government has some good foundational materials, offered Steve Schmalz, field chief technology officer for federal at RSA.
Every agency’s zero trust adoption will vary in the particulars, but Schmalz said the National Institute of Standards and Technology’s SP 800-207 on zero trust architectures serves as a foundational guide for achieving the directives in the president’s executive order.
In fact, RSA uses NIST SP 800-207 as a guide to help its customers meet their zero trust goals, Schmalz said during Federal News Network’s Zero Trust Cyber Exchange.
“It very quickly gets to the core of what zero trust means when you’re implementing zero trust. It means that the place where you make those decisions about who gets access to what, where you make those policy decisions, needs to be as close to the resource as possible,” he said.
There is no zero trust checklist
While NIST SP 800-207 serves as a common foundation for agencies to develop a zero trust strategy, Schmalz said each journey to implement these new cyber objectives will look different.
“Sometimes we fall into the trap of thinking one size fits all. And if you’re looking at a zero trust environment, it may be that in certain situations, getting access to some legacy resource, you just don’t have all the options for authentication. You need to be flexible and you need to use something that fits that particular environment,” he said.
A successful zero trust framework ensures networks provide the right access to the right people, while also maximizing security by providing insight into anomalous activity, Schmalz said.
“You need to be able to monitor that network. You need to be able to take quick actions if you see anything going wrong,” he said. “It doesn’t really matter how well you authenticate an individual if that individual gets access to something they shouldn’t have access to. You have to make sure that in the back end you decide who should have access to what. You put the governance around determining whether people are seeing what they should see.”
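The three points Schmalz makes above (the policy decision sits next to the resource, legacy resources may only support a weaker authenticator, and good authentication is worthless without authorization and monitoring) map onto the per-request policy decision point and policy enforcement point that NIST SP 800-207 describes. The following is an added illustration written for this page, not code from RSA or from NIST; the resource names, the authenticator strength labels and the policy fields are all assumptions made for the example.

```python
"""Per-request access decision in the style of NIST SP 800-207.

Added illustration: resource names, authenticator labels and policy fields
are assumptions for this example, not definitions from RSA or NIST.
"""
from dataclasses import dataclass, field

# Assumed ordering from weakest to strongest authenticator; a resource's
# policy names the minimum it will accept.
AUTH_STRENGTH = {"password": 1, "password+otp": 2, "phishing_resistant": 3}


@dataclass(frozen=True)
class ResourcePolicy:
    min_auth: str              # weakest authenticator this resource accepts
    allowed_roles: frozenset   # governance: who should see this resource
    managed_device_only: bool  # device posture requirement


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: frozenset
    auth_method: str
    device_managed: bool
    resource: str


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


# Constructed policy table. The modern HR portal can demand phishing-resistant
# MFA; the legacy payroll gateway can only verify a password plus OTP, so its
# policy is set to what that environment actually supports.
POLICIES = {
    "hr-portal": ResourcePolicy("phishing_resistant", frozenset({"hr"}), True),
    "legacy-payroll-gw": ResourcePolicy("password+otp", frozenset({"payroll", "hr"}), True),
    "public-wiki": ResourcePolicy("password", frozenset({"staff", "hr", "payroll"}), False),
}


def decide(req: AccessRequest, policies=POLICIES) -> Decision:
    """Policy decision point: evaluated per request, next to the resource,
    default deny. Every failed check is reported so the denial is explainable."""
    policy = policies.get(req.resource)
    if policy is None:
        return Decision(False, ["unknown resource"])
    reasons = []
    if AUTH_STRENGTH.get(req.auth_method, 0) < AUTH_STRENGTH[policy.min_auth]:
        reasons.append(f"authenticator {req.auth_method} below {policy.min_auth}")
    if policy.managed_device_only and not req.device_managed:
        reasons.append("unmanaged device")
    if not (req.roles & policy.allowed_roles):
        reasons.append("subject not entitled to resource")
    return Decision(not reasons, reasons)


class AuditLog:
    """One record per decision, so denials can be watched for anomalies."""

    def __init__(self):
        self.records = []

    def record(self, req: AccessRequest, decision: Decision) -> None:
        self.records.append(
            (req.subject, req.resource, decision.allow, tuple(decision.reasons))
        )

    def denials_for(self, subject: str) -> int:
        return sum(1 for s, _, allow, _ in self.records if s == subject and not allow)


def enforce(req: AccessRequest, log: AuditLog, policies=POLICIES) -> Decision:
    """Policy enforcement point: no request reaches the resource without a
    fresh decision, and every decision is logged."""
    decision = decide(req, policies)
    log.record(req, decision)
    return decision


if __name__ == "__main__":
    log = AuditLog()
    # Strongly authenticated, managed device, but not entitled: still denied.
    bob = AccessRequest("bob", frozenset({"payroll"}), "phishing_resistant", True, "hr-portal")
    print(enforce(bob, log))
    # Same subject, legacy gateway that only supports password+OTP: allowed.
    bob_legacy = AccessRequest("bob", frozenset({"payroll"}), "password+otp", True, "legacy-payroll-gw")
    print(enforce(bob_legacy, log))
    print("denials for bob:", log.denials_for("bob"))
```

The point of the structure is that authentication strength, device posture and entitlement are separate checks, each of which can fail on its own: a phishing-resistant login from a managed device still gets denied when the subject has no business seeing the resource, and a legacy gateway is not forced into an authenticator it cannot verify. The audit log gives the monitoring side something to act on, such as a subject accumulating denials across resources.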
There’s also no singular technology approach
Agencies also need the right technology infrastructure in place to make zero trust a reality. Schmalz said that cloud services can offload a lot of the work organizations have to do to keep their authentication and access management infrastructure up and running.
“A cloud service can keep the software up to date, can make sure it’s available, can make sure that you have that consistent interface, not only for the users but for the people doing that administration,” he said. “That allows the security people to do the job they should be doing, which is to make decisions on what authentication should be used in what situation, to monitor the networks, to put that identity governance in place. The cloud is extremely important, as long as the cloud is implemented in a way that meets the organization’s security posture.”
The government’s cloud security authorization process, the Federal Risk and Authorization Management Program (FedRAMP), enables agencies to buy cloud services from a marketplace of authorized solutions.
“FedRAMP was built for this very situation. It basically says, ‘Look, if we’re going to have these service providers providing functionality to agencies, we need to find a way to make sure that the cloud security posture matches the FISMA posture for that government agency,’ ” Schmalz said.
To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.