Zero trust is the idea of trusting no one, no device and no application. It also requires authenticating and authorizing absolutely everyone independent of where they are and what device they have.
Vice President, U.S. Public Sector Sales, Akamai
Implementing Zero Trust
Federal Chief Information Officer Suzette Kent has mentioned several times over the last year that a new zero trust pilot will kick off sometime in the near future.
What it entails and how it will work is unclear. But the growth of this concept of creating a network that trusts no one and requires every user to be authenticated is real.
The idea of zero trust networks dates back to concepts first detailed when public key infrastructures (PKI), common access cards (CACs) and personal identity verification (PIV) cards came into the federal market almost 20 years ago.
The whole idea was to have one authoritative source of an employee’s identity that is connected to specific roles and responsibilities when it comes to applications and data.
Zero trust now means a lot more than just identity. It’s a way to move perimeter defenses out to the edge or to the person versus just to the network.
With the ever-growing list of devices connected to your agency’s network, the emergence of operational technology (OT), not just information technology (IT), as a cyber threat, and the wide acceptance of cloud computing, enabling a zero trust network is not only possible, but absolutely necessary.
Randy Wood, vice president of U.S. public sector sales for Akamai, said zero trust is not a new idea, but one that is about five years old. It promotes the simple concept that trust is not an attribute of location, and just because an employee is trusted inside the perimeter, it doesn’t mean he or she should be granted access to all the information.
“We are operating under an outdated paradigm that the network and perimeter have traditionally defined the boundaries of security. But we know the way the government is working today in a cloud, hybrid and on-premise fashion, that model doesn’t work,” Wood said on the Innovation in Government show. “Zero trust is the idea of trusting no one, no device and no application. It also requires authenticating and authorizing absolutely everyone independent of where they are and what device they have.”
So with that in mind, Wood said agencies have to rethink how they architect systems and the importance of applications.
“Applications are the lifeblood of an organization so what comes to the surface in this new paradigm is authentication on an application-by-application basis, which is different than how we previously operated,” he said. “The first step is for agencies to admit that the way we have been doing cybersecurity is not the right way anymore. That will be a huge admission for anyone.”
Wood said it shouldn’t be too hard for any agency or organization to make that admission as threats continue to increase and breaches keep happening at an alarming rate.
He said that as agencies move to the cloud, adopting a zero trust architecture becomes easier because applications are not residing in a traditional data center. Wood said adding identity and access management tools is easier.
“Zero trust also tends to eliminate massive complex equipment that is required in an intensive security architecture,” Wood said. “And finally, the time to understand a breach is much less because the architecture can provide a lot more insights around tracking applications by user and what’s occurring throughout the entire security posture.”
Wood said for agencies who want to implement a zero trust framework, the first thing they should consider is getting a third-party assessment of their network and applications to determine how they currently match with the principles of zero trust.
“Second, as agencies create modern applications, be mindful of web and cloud application development and minimize the amount of technical debt you create by not using a modern application approach,” he said. “And finally, target the low hanging fruit. Are there current web and cloud applications that can be migrated into a zero trust model?”
Wood said there are a lot of ways for agencies to create a pilot to test out the concepts of zero trust, while doing no harm. He said agencies must keep the user experience both top of mind and at a high quality, otherwise adoption becomes too hard.
Akamai secures and delivers digital experiences for the world’s largest companies and government agencies. Our intelligent edge platform surrounds everything, from the enterprise to the cloud, keeping apps and experiences closer to users than anyone — and threats far away.
Randy Wood is Vice President, US Public Sector Sales at Akamai. In this role, Randy is responsible for customer advocacy, mission partnership and leading Akamai’s sales business within the US Public Sector (Federal and SLED) market. Prior to joining Akamai, Randy held several sales leadership positions at both Red Hat and F5 Networks, where he was the Vice President of Federal Sales for 4 years.
Randy has served in a variety of technical and direct sales leadership positions throughout his past 25 years in the IT industry. He spent nine years at Cisco Systems from 1996-2005, working in engineering, leadership and direct sales roles. In 2005, Randy left Cisco and spent two years at Symantec as Director of Sales for the Public Sector DoD/Intelligence team.
Prior to his return to Cisco in early 2010, Randy was VP of Sales for the US Public Sector at Informatica. He came to Informatica by way of acquisition of Agent Logic, an In-Q-Tel portfolio company, where he spent nearly three years as VP of Sales for the US enterprise market, leading the company’s explosive growth and leadership position in the emerging complex event processing market.
Randy has a Bachelor of Science in Mathematics from the Virginia Military Institute, and a Master of Science in Management Information Systems/Information Technology from the George Washington University. A former officer in the United States Marine Corps, Randy is a veteran of Operation Desert Shield and Desert Storm.
Jason Miller is an executive editor and reporter with Federal News Network. As executive editor, Jason helps direct the news coverage of the station and works with reporters to ensure a broad range of coverage of federal technology, procurement, finance and human resource news. As a reporter, Jason focuses mainly on technology and procurement issues, including cybersecurity, e-government and acquisition policies and programs.