Cyber Leaders Exchange 2023: Fortinet Federal’s Bill Lemons on hybrid cloud–zero trust conundrum

When it comes to zero trust, “the agencies that have been highly successful have been the ones that have been able to truly embrace the cloud,” points out Fortinet Federal’s Bill Lemons.

After all, “we all realize that the cloud itself has a lot of inherent flexibility and ease of supporting change,” which are both key ingredients of successful zero trust implementation, added the director of solutions architecture at Fortinet Federal.

But there’s a rub: Depending on their missions and the types of data they manage, not all agencies can — or, for the foreseeable future, will be able to — move everything to the cloud, said Lemons during Federal News Network’s Cyber Leaders Exchange 2023.

“Where there is a hybrid approach to doing these types of things, that’s where the challenges start to present themselves,” Lemons said. “Not that they can’t be overcome. It just takes a bit more planning, a lot more coordination and an understanding of the tools on both sides of the coin — the ones that support the private environment as well as the tools that support the public infrastructure.”

Meanwhile, agencies also must work toward the Office of Management and Budget mandate that they achieve some level of a zero trust architecture by the end of fiscal 2024.

Lemons offered two goals that agencies should strive toward to address the challenges of achieving zero trust in hybrid, multicloud environments.

Zero trust adoption Goal 1: Embrace adaptability and automation

A key cross-cutting functionality in the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model is the use of automation and orchestration.

No matter their environment, whether it be cloud-based or hybrid, Lemons said agencies will need to ensure they have ability to “adapt the types of things that you consider when making a zero trust decision as to whether data should be accessed or not on an ongoing basis.”

To do that requires visibility, “whether that’s behavioral information, whether that’s telemetry associated with an endpoint, whether that’s an understanding of the network activities that are happening at a particular point in time,” he said. “When a user tries to access data, all of those elements need to be integrated and part of that decision-making process.”

Whether through the use of application programming interfaces or scripting functions, agencies will need to ensure they’re in a position to adopt automation and orchestration, Lemons advised.

“It’s making sure that that you continually enhance and modify that visibility and telemetry information to help with that zero trust decision and ensure that any automation that can support the clarity or better understanding of that telemetry can be leveraged as part of that solution.”

Zero trust adoption Goal 2: Lean into AI for cyber

Agencies are also starting to explore how to use artificial intelligence and machine learning to advance their cybersecurity capabilities. That process will rely on training AI models on data.

“A number of vendors have put a lot of energy, including ourselves, in trying to both leverage the knowledge that we’ve gained over time and trying to leverage those technologies to help with our own data ingestion and management and threat intelligence handling,” Lemons said.

Individual users are now more empowered to use AI due to recent advancements in large language models and the accessibility of generative AI applications like ChatGPT.

“The ability to not only put them in large compute farms but actually instantiate those capabilities in appliances and even virtual machines that are supportable within the infrastructure — all of that type of technology is really going to be key to the ongoing success and an extension of capabilities in the in the cyber landscape,” Lemons said.

For more cyber tips and tactics, visit the Federal News Network Cyber Leaders Exchange 2023 event page.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.