Federal agencies have committed themselves wholeheartedly to zero trust, and are striving to achieve the vision set forth by cybersecurity and IT experts at the highest levels of the federal government. But they can’t do it without help, which is why GuidePoint Security is taking its Security Exchange Conferences (GPSEC) — previously hosted at and oriented toward the private sector — federal for the first time. GPSEC brings together cybersecurity, IT and zero trust experts from the public sectors in a collaborative environment to exchange information and further the goals of zero trust.
“We represent a uniqueness in zero trust because we get how things integrate. We have stood up at agencies zero trust designs with our services organization. We’ve done it in our lab for demos, for customers, for the community,” said Jean-Paul Bergeaux, chief technology officer for federal at GuidePoint Security. “And so for us, we understand the difficulties of doing the integrated, complete holistic design.”
Origins of zero trust
Zero trust as a concept has existed since long before the buzzword came into vogue. At its core, it seeks to address a problem that has plagued organizational IT shops and cybersecurity professionals for decades: siloes of teams. Security wasn’t brought in until the end of the development process, at which point cybersecurity solutions were bolted on as an afterthought, rather than integrated from the beginning. But the big shift that came with the rise of zero trust is that the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency have made clear in their guidance that zero trust is an IT design, not a cybersecurity design.
That clarification became eminently necessary when the pandemic began, when suddenly the majority of an agency’s endpoints were outside the network boundary, and their data was flowing back and forth. The architecture needed to be able to defend it all, and in a way that didn’t hinder employees from doing their jobs.
“It’s a core restructure, where it is part of the conversation from the beginning on how we design IT architecture. That’s critical to the success of federal agencies’ zero trust initiatives. We have to have that ground level conversation. That’s part of the reason why you’re seeing more chief information officers having zero trust as part of what they’re trying to do, rather than a security operations center lead or a chief information security officer,” Bergeaux said. “If the CIO owns zero trust, it becomes a holistic architecture, not a security architecture.”
And as for GuidePoint Security, before anyone ever said the words “zero trust,” they were doing essentially the same thing with their security architecture reviews (SARs). Those involved investigating a customer’s environment, identifying everything that touched on security that could be used, and developing a roadmap based on those results to get to a better security architecture, including short-, medium- and long-term milestones.
“So it wasn’t a hard adaptation because we were trying to achieve the same thing without some of the now more mature zero trust design documents that have been developed to help everyone achieve zero trust,” Bergeaux said. “We just had to add the compliance and especially the timelines. If there’s a timeline attached to an administrative mandate by 2026, agencies have to meet that requirement. So we hedged more towards meeting agency compliance demands, but we’re still doing the same thing GuidePoint commercial teams are delivering around zero trust. We’re taking whatever model applies — the Defense Department or CISA model — and doing the same deliverable. But we tend to lean in on what are your compliance requirements for that timeline.”
From regional to national
Until now, Bergeaux said, one of the reasons GuidePoint Security’s conferences were held regionally is that certain industries tend to be concentrated that way: Certain regions might be financial services-oriented, home to medical companies, or potentially manufacturing. Each of those regions and industries has different kinds of data and operations that lend themselves to specific strategies.
Meanwhile, the federal government isn’t even limited by the borders of the United States; the departments of Defense and State, along with other agencies, have personnel and facilities overseas. And agency missions touch on all of those industries and more. That’s why GuidePoint Security decided, with the state of the federal government’s push toward zero trust architecture, that it was time to bring GPSEC, and the diversity of experience and expertise that comes with it, to the federal level.
Federal zero trust experts at GPSEC will include:
- Mark Stanley, enterprise cybersecurity architect and zero trust lead at NASA;
- Steve Pitcher, senior cyber survivability analyst for DoD’s Joint Staff J6;
- Stephen Kensinger, senior technical advisor for the Defense Intelligence Agency;
- Timothy Amerson, Deputy Chief Information Security Officer (CISO) for the Social Security Administration; and
- Chase Cunningham, cybersecurity and zero trust expert.
“You’re going to hear from experts in zero trust, experts in cybersecurity across many different agencies, across all those different sectors,” Bergeaux said. “Those people who are living the life of deploying zero trust, living the life of trying to advance cybersecurity for the agencies, that’s who they are going to hear from in many of these different talks.”
This event is free for Government, SLED & FSIs to attend.
For Industry: Only sponsoring technology vendors can attend.
© 2024 Federal News Network. All rights reserved.