Why agencies must move beyond Pillar 1 of zero trust

This is the fourth article in our series, The Power of Technology.

Have agencies been too fixated on Pillar 1 of the government’s Zero Trust Maturity Model: identity. Over the last year, the focus has led to important work on identity and access management. But have these efforts — despite the best intentions of the Cybersecurity and Infrastructure Security Agency, National Institute of Standards and Technology, and Office of Management and Budget — been at the expense of securing the broader enterprise in a hybrid world?

“It’s important to start focusing on the other pieces in conjunction with the identity piece,” said Don Bailey, senior enterprise solutions architect for VMware, during a discussion with Tony Celeste, executive director and general manager for Ingram Micro Public Sector, for the The Power of Technology series.

To do that, VMware emphasizes focusing on automation coupled with network visibility and analytics, Bailey said. “Identity, of course, was the first one people took a look at because that’s critical. Controlling access to your resources is critical. But there are the other pieces.”

The threat from within

Celeste pointed to the increased complexity of the infrastructure now managed by most agencies because of what he called the disaggregation of technology coupled with the changing dynamic of where people now work, the tools that they use and the explosion of devices — the Internet of Things.

“All of those things have come together and resulted in an increase in the speed of innovation and adoption,” he said. “And then, of course, the other critical component that you need to look at is the person, the individual — how we use that technology. Probably the biggest threat is us to ourselves, the insider threat.”

Bailey agreed and noted that with an insider threat, whether intentionally or not, someone has circumvented the identity management system. It’s a chief reason, he added, that VMware encourages agencies to focus on gaining better visibility across the enterprise. “The notion of incorporating artificial intelligence in your visibility, in your automation tools and in your network remediation tools for security and endpoint protection, and things like that, is absolutely critical,” he said.

Better tech, but better processes and workflows too

Another critical challenge is continuing to deliver federal services while also revamping technology and moving toward zero trust. Both Celeste and Baily acknowledged that it’s something that agencies struggle with managing.

For starters, it’s critical that agencies focus less on modernizing and more on transforming — particularly with an aim toward adopting an enterprise security posture versus a network one, Celeste suggested.

“Just modernizing the technology — it’s cheaper, faster, more compact, maybe more reliable,” he said. “But we have to transform how we’re using it in the delivery of the mission. Because if we don’t transform, then basically we could just be automating a bad process. We’re accelerating the speed at which an adversary or a threat can get access to the data we’re trying to protect. And we don’t want to do that.”

It’s possible to lean into the cloud and into containerized approaches to refreshing hardware to address that challenge, Bailey said. He noted that agencies can do some of this work in parallel, maintaining legacy systems as they build up new hardware and cloud native infrastructure elements using newer technologies, like Kubernetes, to manage change dynamically on their networks.

“Once they have those [new environments] stood up and going, then it’s a matter of transitioning over,” Bailey said. “Then, it becomes a matter of moving workloads.”

That way, it’s not an all-or-nothing proposition, which is essentially impossible for most government agencies. Agencies can update components and functions of systems, not an entire system. This means that government organizations can get to a place where they can update at runtime, Bailey said. “Your end users have no idea that you’ve just swapped out that function for a better version of it.”

Remember the three-legged stool

Despite growing cyberthreats and attempted attacks, agencies have an opportunity to improve security and services if they focus on more than the technology, Celeste said. “Opportunity begins with a change in mindset.”

Both government and industry must create a culture that establishes the idea that everybody has an ownership stake in securing and protecting data, he said. “It’s making sure that everybody is playing a role in it.”

Bailey added, “Step one is to make sure you’re always having in mind the people, processes and technologies, not just the technology — making sure that you’re doing the right thing every step of the way.”

View VMware’s products available via Ingram Micro’s Xvantage page here.

To read more articles in The Power of Technology series, click here.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.