The move to zero trust for federal agencies and the private sector is transformational. But maybe not for the reasons most people think.
“We said it was transformational so therefore it has to be transformational,” said Hansang Bae, public sector chief technology officer for Zscaler U.S. Government Solutions.
People get hung up on the notion that the end state of their security will be transformational, but what is most compelling is that zero trust creates a new, practical approach to tackling cybersecurity, Bae said during Federal News Network’s Cyber Leaders Exchange 2023.
And for many agencies, he said, it’s easy to get stymied right away when trying to assess their current infrastructures.
“When you have a sprawling user base all over the world, when you have sprawling applications all with people coming and going, architects of that application come and go, and people forget about dependencies of the applications and systems,” Bae said. “They are trying to figure out the landscape of what they have, and it actually turns out to be pretty hard to do. These are some of the stumbling blocks, and the bigger you are, of course, the more stumbling blocks you have.”
Less hands-on physical work to be more secure
Plus, the need to change mindsets can create friction because IT and security leadership gets stuck trying to apply its old cyber processes to the zero trust framework, he said.
An example? The belief that a chief information security officer or chief information officer still needs to rack and stack equipment and modify routing to steer traffic one way or another.
“A lot of vendors are cloud-first, so you don’t need to make infrastructure changes. The usual bottlenecks of adopting traffic infrastructure changes go away,” he said.
“If you’re location-independent, if you’re network-independent and you’re device-independent, think how fast you can roll zero trust out. But this is, again, something new, so people still plan the old way. And therein lies the friction — it’s artificial friction — because the expectation that all these changes that most people are used to will still rule today.”
Don’t fear rolling out zero trust pilots
One way to reduce that friction and also move on from the old ways of implementing cyber controls is by first understanding the agency’s current environment and, second, starting small with pilots around different zero trust capabilities, Bae recommended.
He offered another example.
“We can get a landscape of you having 80,000 users using this application day by day, and that application is made up of 16 servers. And by the way, it has two legacy authentication methods that maybe no one knew about,” Bae said. “We can actually sit back and watch to see what it is we’re up against and then make recommendations.
“We can tell you, this is the least used application, and it’s a bespoke thing. You have two choices because it’s least used: That could be that it’s the first to adopt this new zero trust because the impact is low. Or the other way of thinking about this is: Remember, our adversary gets a vote too. They are not going to sit back and say, ‘Oh, take your time, when you’re ready. I’ll continue my attack.’ So the other school of thought is because the technology is rather mature, it’s pretty frictionless to adopt, why don’t we go for the biggest bang for the buck, and you can still start out slow.”
The idea then becomes to roll out capabilities, test them and then expand more broadly across a critical mission application.
“Even if you pick the wrong system that’s difficult to apply zero trust to, it’s OK, because it should be a frictionless installation and, for the most part, it’s easy to unravel and pivot,” he said.
Think of it this way, Bae pointed out: “You don’t have 18 racks of things that you have to decommission and don’t have change control or have to instantiate the infrastructure. For that reason, don’t be afraid to try things out. In fact, you can try out three or four different solutions at the same time with different populaces and pick the one you like. My advice is to get going. The technology is mature enough.”