This January, believe it or not, it will be two years since the Office of Management and Budget released its zero trust strategy. Agencies continue down the path of meeting the 19 actions outlined in that strategy. The journey is one that may have a destination, but may never truly end as cyber threats continue to evolve.
Agencies will continue to face new threats and therefore need a continuous effort to improve.
OMB is helping agencies face those threats and complete key stops along their zero trust journey by asking for $5.5 billion in fiscal 2024 from Congress for zero trust capabilities alone.
At the same time, OMB and agency leaders are meeting at the senior executive levels to continue to give this initiative the focus and accountability needed to change the way agencies implement cybersecurity.
Herb Kelsey, the Project Fort Zero Team Leader at Dell Technologies, said agencies must understand the technical side of the zero trust equation and ensure their tools and capabilities integrate to meet the zero trust requirements.
“I think the technical discussions are happening across the zero trust spectrum. People really are picking the low hanging fruit where they can start and where they’ve made progress before. I think the real trick is whether that’s enough to be able to thwart the enemy,” Kelsey said on Innovation in Government sponsored by Carahsoft. “For us, zero trust is meeting the standard that the Defense Department has put forward, which they’re going to judge our solution against. In their determination, that’s what it takes to defeat the adversary. The concern that I would have with people starting somewhere like identity management, and not working on the other pillars of zero trust in parallel, is that all they’re doing is pushing the adversary to an area that they’re not focused on right now. So if you take care of the identity management piece, but you don’t take care of the device management piece, that’s a problem. If you don’t do all the logging that’s required, that’s just another gap that the adversaries can exploit. So the conversations that I have with agencies, whether it’s in the U.S. or around the world, is you really need to look at building across all of those pillars in order to be successful.”
Retrofitting doesn’t work well
He said one way to work across all zero trust pillars is to rely on integrated tools that can bring together disparate technologies and handle the security policy requirements.
Too often agencies are finding that they struggle with zero trust because they have too many products that must fit together, and retrofitting their current environment into the new architecture can be more complex and require more effort than they can handle.
Kelsey said removing that integration burden will lead to a quick series of successes around zero trust.
“What’s important for them to understand is that the cost and the operational impact of trying to retrofit to the standard that DoD put forward is cost prohibitive, and it’s time prohibitive. Even as the DoD put out its architecture, the idea of retrofitting the existing environment was their first course of action. But they came up with two other courses of action because the first one was going to take too long and spend too much money,” he said. “The second course of action was to try and get zero trust fit into a cloud architecture. The third was to create private clouds that already were advanced in zero trust capabilities. Those are the progression of options.”
Kelsey said there are challenges with the first one from operational and cost standpoints. He said there are even some challenges in the cloud implementations as agencies start looking at all of the logging that they want to do.
Automation, AI reduces burdens
“The concern about retrofitting is that yes, you believe you’ve already got the zero trust components in place, but I would challenge that those have not been validated by an independent third party. We live in this environment of multiple vendors, and each one having a component of zero trust, and saying that they complete the obligation that DoD wants you to meet. But it has to be validated by a third party,” he said. “It’s getting validated by a DoD red team that says, ‘We agree that this solution [helps] meet either the 91 target activities for zero trust or the 152 advanced activities for zero trust.’ That’s what’s written into the architecture specification, and that’s what we’re going to meet by reducing the integration burden on our customers.”
As part of reducing the integration and implementation burdens, agencies must take advantage of automation and look at emerging artificial intelligence capabilities.
Kelsey said the shared security model with industry partners and large cloud providers will help bring these tools to bear more quickly and protect your network and data.
“It’s a challenge to get all of that telemetry data and logging data, and combine it together. I think that has to be understood and worked on. That may mean maybe changing the business model. I think that’s one where a lot of agencies haven’t really come to grips with what that means,” he said. “Our understanding is zero trust has a destination, which is to meet an objective standard as laid out by DoD. It is absolutely about protecting the data. It’s about achieving outcomes. I think that we have an opportunity to do a much better job of protecting data within our infrastructure because we have a defined set of practices to follow. I believe we’ll have better outcomes if we create solutions that allow organizations to focus on the policy side and focus on the process side, and not have to focus so much on the technology and the integration, and the integration burden. I think that’s a better situation for the majority of our customers, as we’ve discussed with them.”