Federal technology staffs often take one of two paths to zero trust: Some start with the cybersecurity tools they have in place and then integrate them into a zero trust architecture. Or they make what Andrew Harris, public sector chief technology officer at CrowdStrike, calls a misstep by “trying to reinvent the entire wheel, not starting where they are.”
That misstep also often results in a “massive procurement, acting like you can buy all of these things all at once,” Harris said during Federal News Network’s Cyber Leaders Exchange 2023.
We asked Harris to share tips on how agencies can avoid that misstep.
Zero Trust Tip 1: Integrate what you’ve got
In some ways, zero trust is a renewal of the idea of defense in depth, which Harris defined as “how do we get the right telemetry at the right point of the architecture to make the right intelligent decisions.”
Typically, agencies already have defense-in-depth elements in place and simply need to integrate them, he advised.
For example, an agency may have an endpoint protection agent on all employee notebook PCs or smartphones. By integrating the endpoint software with an existing identity, credential and access management system, an agency can more easily lock out unmanaged or unauthorized devices from agency applications and data, Harris said.
“So really, the spirit of zero trust is getting the right, confident data signal into all those various parts of the architecture,” he said. “No one single vendor can do it by themselves.”
Zero Trust Tip 2: Gain observability
But merely connecting cybersecurity tools won’t get an agency to full zero trust capabilities, he said.
Agencies also need to have end-to-end visibility and regularly validate their cyber posture, Harris advised.
“Now we’re looking at more dynamic control, doing point-in-time inspections,” he said. “We’re looking at doing continuous inspections at various parts of the architecture.”
Harris listed several questions for tech staffs to ask themselves when fashioning a zero trust architecture and determining what they need to continuously monitor.
“Do I trust Andrew who’s logging onto that machine? Do I trust that machine that he’s logging into, at that point in time? Do I trust that device authenticating against that other service over there storing that data? Is that device even secure in and of itself?”
He noted that “those are all things that historically we’ve not been able to do as an industry until zero trust.”
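The integration Harris describes in Tip 1 (the endpoint agent feeding the identity, credential and access management decision) and the per-request questions in Tip 2 amount to a policy decision point that re-checks user and device signals on every access rather than once at login. The following Python sketch is an added example and is not code from the article or from CrowdStrike; the data classes, field names, the five-minute freshness window and the constructed session timeline are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Identity:
    """Assertion from the ICAM system about the person behind the request (assumed shape)."""
    user: str
    mfa_verified: bool
    roles: FrozenSet[str]


@dataclass(frozen=True)
class DevicePosture:
    """Most recent report from the endpoint protection agent on a device (assumed shape)."""
    device_id: str
    managed: bool          # enrolled in the agency's device management
    agent_healthy: bool    # sensor running, untampered and reporting
    reported_at: datetime  # when this posture snapshot was produced


@dataclass
class Decision:
    allow: bool
    reasons: List[str]     # empty when allowed; otherwise why access was denied


# Assumed freshness window: posture older than this is treated as unknown,
# so a point-in-time check at login cannot carry a session indefinitely.
MAX_POSTURE_AGE = timedelta(minutes=5)


def evaluate(identity: Identity, posture: Optional[DevicePosture],
             required_roles: FrozenSet[str], now: datetime) -> Decision:
    """Policy decision point: judge each request on the user, the device and
    the freshness of both signals, carrying no trust over from earlier."""
    reasons: List[str] = []
    if not identity.mfa_verified:
        reasons.append("user not MFA-verified")
    if not identity.roles & required_roles:
        reasons.append("user lacks a role permitted for this resource")
    if posture is None:
        # A device the endpoint agent has never seen is by definition unmanaged.
        reasons.append("device unknown to endpoint agent")
    else:
        if not posture.managed:
            reasons.append("device not enrolled in device management")
        if not posture.agent_healthy:
            reasons.append("endpoint agent unhealthy or tampered")
        if now - posture.reported_at > MAX_POSTURE_AGE:
            reasons.append("device posture signal stale")
    return Decision(allow=not reasons, reasons=reasons)


def evaluate_session(identity: Identity, posture_reports: List[Optional[DevicePosture]],
                     required_roles: FrozenSet[str], start: datetime,
                     interval: timedelta) -> List[Decision]:
    """Continuous inspection: re-run the decision every interval using the latest
    posture report (None = no new report this interval), so a device that degrades
    or goes silent mid-session loses access instead of keeping its login-time trust."""
    decisions: List[Decision] = []
    latest: Optional[DevicePosture] = None
    now = start
    for report in posture_reports:
        if report is not None:
            latest = report
        decisions.append(evaluate(identity, latest, required_roles, now))
        now += interval
    return decisions


# Constructed sample data for the scenario below.
T0 = datetime(2023, 1, 1, 9, 0, tzinfo=timezone.utc)
ANALYST = Identity("andrew", mfa_verified=True, roles=frozenset({"analyst"}))
CASE_FILES = frozenset({"analyst", "supervisor"})  # roles allowed on the resource


def sample_session() -> List[Decision]:
    """Constructed timeline: healthy managed laptop at t=0, no report at t=5,
    the agent reports tampering at t=10, then the device goes silent."""
    reports = [
        DevicePosture("lt-001", True, True, T0),                             # t=0
        None,                                                                 # t=5
        DevicePosture("lt-001", True, False, T0 + timedelta(minutes=10)),    # t=10
        None,                                                                 # t=15
        None,                                                                 # t=20
    ]
    return evaluate_session(ANALYST, reports, CASE_FILES, T0, timedelta(minutes=5))


if __name__ == "__main__":
    for i, d in enumerate(sample_session()):
        print(f"t={5 * i:2d}m allow={d.allow} reasons={d.reasons}")
```

The session scenario shows the two failure modes Harris's questions are meant to catch: a device that was trustworthy at login but is tampered with later, and a device whose posture signal simply stops arriving. Both are denied on the next evaluation, which a single point-in-time check at login would miss.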
Zero Trust Tip 3: Focus on outcomes
Agencies also must focus on the outcomes of zero trust, Harris said.
“If you have all these enforcement points, if you have all these decision points in your architecture, you can start doing really smart things,” he said.
For example, an agency with those decision points in place is positioned to develop an insider threat program. “You increase your ability to identify adversaries in your environment who are masquerading as one of your highly privileged accounts,” he said.
Zero Trust Tip 4: Implement holistically
Whichever controls and capabilities an organization adds for zero trust, it must add them comprehensively, Harris recommended.
“One of the other big missteps that we’ve seen agencies make is applying the principles of zero trust to only part of their ecosystem,” Harris said.
Agency environments consist of multiple sub-ecosystems, so keeping them uncompromised depends on enforcing zero trust relationships among them; any assumed trust relationship between them creates a potential vulnerability.
“If you compromise one of those because of that trust relationship, it has a downward downstream impact on all the ecosystems,” Harris said. “So when you apply zero trust principles, you really need to have a holistic approach.”