Insight by LookingGlass

Federal Housing Finance Agency looks to SOAR on its zero trust journey

For the Federal Housing Finance Agency, the journey toward a zero trust architecture started with looking at what was missing.

The White House released the federal zero trust strategy in late January. Ralph Mosios, the chief information security officer at FHFA, said one of the first things he did was brief his leadership on the directive and its ambitious goal to adopt zero trust security processes by the end of fiscal 2024.

“They gave me the funding to investigate these areas,” Mosios said. “I was very fortunate since this request was outside of a normal budget process, and I didn’t have the luxury to wait until the following year to start the process.”

Mosios tasked an independent consultant with conducting a “zero trust gap analysis” for the agency based on CISA’s zero trust maturity model. The model is organized around five “pillars”: identity, devices, network, applications, and data.

The analysis determined that one way FHFA could improve is by adopting a security orchestration, automation and response, or SOAR, process.

“The objective of SOAR is to streamline security operations,” Mosios said. “As a result of some of these zero trust projects, I expect there’s going to be a lot more network traffic generated as a result of continuously authenticating these users and devices. The more that you can automate, the faster you can respond.”

He referenced IBM’s 2022 “cost of a data breach” report, which found the average time to identify and contain a breach was 277 days, a reduction of 10 days from the previous year.

“The overall average time to identify and contain a data breach must go down,” Mosios said. “I know I’m oversimplifying this issue, but 200-plus days is excessive, and we need to do something about that.”

Agencies are ultimately seeking greater “visibility” into what’s happening on their networks through the zero trust strategy, as well as related directives, like the Office of Management and Budget’s August 2021 memo directing agencies to adopt improved logging capabilities.

“We have to capture more log events and retain those logs for much longer periods,” Mosios said. “And the goal is to provide better visibility into the network and be able to respond to cyber threats much faster.”

The zero trust model holds the promise of helping agencies detect and contain cybersecurity incidents faster.

“It’s going to better protect federal networks,” Mosios said. “And more importantly, it’s going to secure the vast amount of data that resides on those networks. I also envision there will be shorter incident response and breach containment times.”

Ultimately, zero trust will be a “journey, not a race,” Mosios said. Still, agencies like FHFA are acting quickly to meet some of the targets in the federal zero trust strategy. And while new tools and security techniques will be important, Mosios said true zero trust adoption will require a cultural shift, as well.

“Sometime in the not too distant future, our end users may have to change the way they do business,” Mosios said. “We’re going to have to continuously authenticate these users and these devices. Right now, a user logs in through the office or through a virtual private network. So they’re going to have to probably re-authenticate to the network much more often than they have done in the past. That’s just an example of how I think they’re going to have to change the way they do some of their business. And maybe they have to log in or authenticate using a different type of device that they normally don’t use today.”