RSA - Federal News Network

Listen Live

Cyber security data protection business technology privacy concept.

Federal Insights

Zero Trust Cyber Exchange: RSA’s Steve Schmalz on thinking beyond identity, addressing privilege
Insight by RSA

To get beyond zero trust’s identity focus, turn to the guidance and existing programs the government has already established — like NIST’s SP 800-207 and GSA’s FedRAMP, suggests RSA’s Steve Schmalz at the Zero Trust Cyber Exchange.

Innovation in Government

Protecting the supply chain to promote operational resiliency
FedInsights by RSA Archer

Innovation in Government

Leaders in Innovation: Identity and Access Management
FedInsights by RSA

Federal Insights

The ‘new normal’ is a challenge for network and security staffs
Insight by RSA

Innovation in Government

Exclusive Agency leaders should turn to a digital risk management approach
FedInsights by RSA

Federal Insights

Insight by RSA and Carahsoft Visibility, early detection critical to breach prevention, mitigation

Federal Insights

Lawrence Reed: Time to get real about mobile devices

Chad Sheridan thumbnail

Federal Insights

USDA’s Chad Sheridan: Interagency cooperation can yield better cloud application security

Peter Tran thumbnail

Federal Insights

RSA’s Tran: Agencies must speed up the detection-response cycle

Peter Schawacker thumbnail

Federal Insights

Optiv’s Schawacker says automation must be future of continuous monitoring

Computer crime concept

Federal Insights

Federal Identity Governance

Advanced Cyber Monitoring

Federal Insights

Advanced Cyber Monitoring

RSA Optiv Barry White thumbnail

Federal Insights

Homeland Security’s Barry West: Collaboration leads to better situational awareness

Jim Dalkin thumbnail

Federal Insights

The future of risk management

Ilanko thumnail

Federal Insights

The relationship between governance, risk and compliance

Jason Malmstrom thumbnail2

Federal Insights

Developing risk culture

David Walter thumbnail

Federal Insights

The evolution of GRC best practices

Finger Pointing At Cloud Access In Social Network

Federal Insights

Governance, Risk and Compliance

[fi_media type='video' pid='4113174' mid='0']

Agencies face clear mandates from the Biden administration to make zero trust a priority, but some still might not know where to begin with implementation. That’s OK because the government has some good foundational materials, offered Steve Schmalz, field chief technology officer for federal at <a href="https://www.carahsoft.com/rsa">RSA</a>.

Every agency’s zero trust adoption will vary in the particulars, but Schmalz said the National Institute of Standards and Technology’s SP 800-207 on zero trust architectures serves as a foundational guide for achieving the directives in the president’s executive order.

In fact, RSA uses <a href="https://csrc.nist.gov/publications/detail/sp/800-207/final">NIST SP 800-207</a> as a guide to help its customers meet their zero trust goals, Schmalz said during Federal News Network’s <a href="https://federalnewsnetwork.com/federal-insights/2022/06/zero-trust-cyber-exchange-2022-sessions-on-demand/"><strong><em>Zero Trust Cyber Exchange</em></strong></a>.

“It very quickly gets to the core of what zero trust means when you’re implementing zero trust. It means that the place where you make those decisions about who gets access to what, where you make those policy decisions, needs to be as close to the resource as possible,” he said.
<h3>There is no zero trust checklist</h3>
While NIST SP 800-207 serves as a common foundation for agencies to develop a zero trust strategy, Schmalz said each journey to implement these new cyber objectives will look different.

“Sometimes we fall into the trap of thinking one size fits all. And if you’re looking at a zero trust environment, it may be that in certain situations, getting access to some legacy resource, you just don’t have all the options for authentication. You need to be flexible and you need to use something that fits that particular environment,” he said.

A successful zero trust framework ensures networks provide the right access to the right people, while also maximizing security by providing insight into anomalous activity, Schmalz said.

“You need to be able to monitor that network. You need to be able to take quick actions if you see anything going wrong,” he said. “It doesn’t really matter how well you authenticate an individual if that individual gets access to something they shouldn’t have access to. You have to make sure that in the back end, you make sure to decide who should have access to what. You put the governance around determining what people are seeing what they should see.”
<h3>There’s also no singular technology approach</h3>
Agencies need to have the right technology infrastructure in place to make zero trust a reality too. Schmalz said that cloud services can offload a lot the work organizations have to do to keep their authentication and access management infrastructure up and running.

“A cloud service can keep the software up to date, can make sure it’s available, can make sure that you have that consistent interface, not only for the users but for the people doing that administration,” he said. “That allows the security people to do the job they should be doing, which is to make decisions on what authentication should be used in what situation, to monitor the networks, to put that identity governance in place. The cloud is extremely important, as long as the cloud is implemented in a way that meets the organization’s security posture.”

The governments, cloud security authorization process — Federal Risk and Authorization Management Program (FedRAMP) — enables agencies to buy cloud services from a marketplace of trusted solutions.

“FedRAMP was built for this very situation. It basically says, ‘Look, if we’re going to have these service providers providing functionality to agencies, we need to find a way to make sure that the cloud security posture matches the FISMA posture for that government agency,’ ” Schmalz said.

<em>To listen to and watch all the sessions from the 2022 Federal News Network <a href="https://federalnewsnetwork.com/federal-insights/2022/06/zero-trust-cyber-exchange-2022-sessions-on-demand/"><strong>Zero Trust Cyber Exchange</strong></a>, go to the <a href="https://federalnewsnetwork.com/federal-insights/2022/06/zero-trust-cyber-exchange-2022-sessions-on-demand/">event page</a></em><em>.</em>

Federal Insights

Managing risk by examining data

Tim screenshot

Federal Insights

The practicalities of cybersecurity threat intelligence

[fi_media type='video' pid='4113174' mid='0']

Agencies face clear mandates from the Biden administration to make zero trust a priority, but some still might not know where to begin with implementation. That’s OK because the government has some good foundational materials, offered Steve Schmalz, field chief technology officer for federal at <a href="https://www.carahsoft.com/rsa">RSA</a>.

Every agency’s zero trust adoption will vary in the particulars, but Schmalz said the National Institute of Standards and Technology’s SP 800-207 on zero trust architectures serves as a foundational guide for achieving the directives in the president’s executive order.

In fact, RSA uses <a href="https://csrc.nist.gov/publications/detail/sp/800-207/final">NIST SP 800-207</a> as a guide to help its customers meet their zero trust goals, Schmalz said during Federal News Network’s <a href="https://federalnewsnetwork.com/federal-insights/2022/06/zero-trust-cyber-exchange-2022-sessions-on-demand/"><strong><em>Zero Trust Cyber Exchange</em></strong></a>.

“It very quickly gets to the core of what zero trust means when you’re implementing zero trust. It means that the place where you make those decisions about who gets access to what, where you make those policy decisions, needs to be as close to the resource as possible,” he said.
<h3>There is no zero trust checklist</h3>
While NIST SP 800-207 serves as a common foundation for agencies to develop a zero trust strategy, Schmalz said each journey to implement these new cyber objectives will look different.

“Sometimes we fall into the trap of thinking one size fits all. And if you’re looking at a zero trust environment, it may be that in certain situations, getting access to some legacy resource, you just don’t have all the options for authentication. You need to be flexible and you need to use something that fits that particular environment,” he said.

A successful zero trust framework ensures networks provide the right access to the right people, while also maximizing security by providing insight into anomalous activity, Schmalz said.

“You need to be able to monitor that network. You need to be able to take quick actions if you see anything going wrong,” he said. “It doesn’t really matter how well you authenticate an individual if that individual gets access to something they shouldn’t have access to. You have to make sure that in the back end, you make sure to decide who should have access to what. You put the governance around determining what people are seeing what they should see.”
<h3>There’s also no singular technology approach</h3>
Agencies need to have the right technology infrastructure in place to make zero trust a reality too. Schmalz said that cloud services can offload a lot the work organizations have to do to keep their authentication and access management infrastructure up and running.

“A cloud service can keep the software up to date, can make sure it’s available, can make sure that you have that consistent interface, not only for the users but for the people doing that administration,” he said. “That allows the security people to do the job they should be doing, which is to make decisions on what authentication should be used in what situation, to monitor the networks, to put that identity governance in place. The cloud is extremely important, as long as the cloud is implemented in a way that meets the organization’s security posture.”

The governments, cloud security authorization process — Federal Risk and Authorization Management Program (FedRAMP) — enables agencies to buy cloud services from a marketplace of trusted solutions.

“FedRAMP was built for this very situation. It basically says, ‘Look, if we’re going to have these service providers providing functionality to agencies, we need to find a way to make sure that the cloud security posture matches the FISMA posture for that government agency,’ ” Schmalz said.

<em>To listen to and watch all the sessions from the 2022 Federal News Network <a href="https://federalnewsnetwork.com/federal-insights/2022/06/zero-trust-cyber-exchange-2022-sessions-on-demand/"><strong>Zero Trust Cyber Exchange</strong></a>, go to the <a href="https://federalnewsnetwork.com/federal-insights/2022/06/zero-trust-cyber-exchange-2022-sessions-on-demand/">event page</a></em><em>.</em>

Federal Insights

In Focus: Cybersecurity priorities and cultivating talent

[fi_media type='video' pid='4113174' mid='0']

Agencies face clear mandates from the Biden administration to make zero trust a priority, but some still might not know where to begin with implementation. That’s OK because the government has some good foundational materials, offered Steve Schmalz, field chief technology officer for federal at <a href="https://www.carahsoft.com/rsa">RSA</a>.

Every agency’s zero trust adoption will vary in the particulars, but Schmalz said the National Institute of Standards and Technology’s SP 800-207 on zero trust architectures serves as a foundational guide for achieving the directives in the president’s executive order.

In fact, RSA uses <a href="https://csrc.nist.gov/publications/detail/sp/800-207/final">NIST SP 800-207</a> as a guide to help its customers meet their zero trust goals, Schmalz said during Federal News Network’s <a href="https://federalnewsnetwork.com/federal-insights/2022/06/zero-trust-cyber-exchange-2022-sessions-on-demand/"><strong><em>Zero Trust Cyber Exchange</em></strong></a>.

“It very quickly gets to the core of what zero trust means when you’re implementing zero trust. It means that the place where you make those decisions about who gets access to what, where you make those policy decisions, needs to be as close to the resource as possible,” he said.
<h3>There is no zero trust checklist</h3>
While NIST SP 800-207 serves as a common foundation for agencies to develop a zero trust strategy, Schmalz said each journey to implement these new cyber objectives will look different.

“Sometimes we fall into the trap of thinking one size fits all. And if you’re looking at a zero trust environment, it may be that in certain situations, getting access to some legacy resource, you just don’t have all the options for authentication. You need to be flexible and you need to use something that fits that particular environment,” he said.

A successful zero trust framework ensures networks provide the right access to the right people, while also maximizing security by providing insight into anomalous activity, Schmalz said.

“You need to be able to monitor that network. You need to be able to take quick actions if you see anything going wrong,” he said. “It doesn’t really matter how well you authenticate an individual if that individual gets access to something they shouldn’t have access to. You have to make sure that in the back end, you make sure to decide who should have access to what. You put the governance around determining what people are seeing what they should see.”
<h3>There’s also no singular technology approach</h3>
Agencies need to have the right technology infrastructure in place to make zero trust a reality too. Schmalz said that cloud services can offload a lot the work organizations have to do to keep their authentication and access management infrastructure up and running.

“A cloud service can keep the software up to date, can make sure it’s available, can make sure that you have that consistent interface, not only for the users but for the people doing that administration,” he said. “That allows the security people to do the job they should be doing, which is to make decisions on what authentication should be used in what situation, to monitor the networks, to put that identity governance in place. The cloud is extremely important, as long as the cloud is implemented in a way that meets the organization’s security posture.”

The governments, cloud security authorization process — Federal Risk and Authorization Management Program (FedRAMP) — enables agencies to buy cloud services from a marketplace of trusted solutions.

“FedRAMP was built for this very situation. It basically says, ‘Look, if we’re going to have these service providers providing functionality to agencies, we need to find a way to make sure that the cloud security posture matches the FISMA posture for that government agency,’ ” Schmalz said.

<em>To listen to and watch all the sessions from the 2022 Federal News Network <a href="https://federalnewsnetwork.com/federal-insights/2022/06/zero-trust-cyber-exchange-2022-sessions-on-demand/"><strong>Zero Trust Cyber Exchange</strong></a>, go to the <a href="https://federalnewsnetwork.com/federal-insights/2022/06/zero-trust-cyber-exchange-2022-sessions-on-demand/">event page</a></em><em>.</em>

Federal Insights

Cybersecurity Threat Intelligence

[fi_media type='video' pid='4113174' mid='0']

Agencies face clear mandates from the Biden administration to make zero trust a priority, but some still might not know where to begin with implementation. That’s OK because the government has some good foundational materials, offered Steve Schmalz, field chief technology officer for federal at <a href="https://www.carahsoft.com/rsa">RSA</a>.

Every agency’s zero trust adoption will vary in the particulars, but Schmalz said the National Institute of Standards and Technology’s SP 800-207 on zero trust architectures serves as a foundational guide for achieving the directives in the president’s executive order.

In fact, RSA uses <a href="https://csrc.nist.gov/publications/detail/sp/800-207/final">NIST SP 800-207</a> as a guide to help its customers meet their zero trust goals, Schmalz said during Federal News Network’s <a href="https://federalnewsnetwork.com/federal-insights/2022/06/zero-trust-cyber-exchange-2022-sessions-on-demand/"><strong><em>Zero Trust Cyber Exchange</em></strong></a>.

“It very quickly gets to the core of what zero trust means when you’re implementing zero trust. It means that the place where you make those decisions about who gets access to what, where you make those policy decisions, needs to be as close to the resource as possible,” he said.
<h3>There is no zero trust checklist</h3>
While NIST SP 800-207 serves as a common foundation for agencies to develop a zero trust strategy, Schmalz said each journey to implement these new cyber objectives will look different.

“Sometimes we fall into the trap of thinking one size fits all. And if you’re looking at a zero trust environment, it may be that in certain situations, getting access to some legacy resource, you just don’t have all the options for authentication. You need to be flexible and you need to use something that fits that particular environment,” he said.

A successful zero trust framework ensures networks provide the right access to the right people, while also maximizing security by providing insight into anomalous activity, Schmalz said.

“You need to be able to monitor that network. You need to be able to take quick actions if you see anything going wrong,” he said. “It doesn’t really matter how well you authenticate an individual if that individual gets access to something they shouldn’t have access to. You have to make sure that in the back end, you make sure to decide who should have access to what. You put the governance around determining what people are seeing what they should see.”
<h3>There’s also no singular technology approach</h3>
Agencies need to have the right technology infrastructure in place to make zero trust a reality too. Schmalz said that cloud services can offload a lot the work organizations have to do to keep their authentication and access management infrastructure up and running.

“A cloud service can keep the software up to date, can make sure it’s available, can make sure that you have that consistent interface, not only for the users but for the people doing that administration,” he said. “That allows the security people to do the job they should be doing, which is to make decisions on what authentication should be used in what situation, to monitor the networks, to put that identity governance in place. The cloud is extremely important, as long as the cloud is implemented in a way that meets the organization’s security posture.”

The governments, cloud security authorization process — Federal Risk and Authorization Management Program (FedRAMP) — enables agencies to buy cloud services from a marketplace of trusted solutions.

“FedRAMP was built for this very situation. It basically says, ‘Look, if we’re going to have these service providers providing functionality to agencies, we need to find a way to make sure that the cloud security posture matches the FISMA posture for that government agency,’ ” Schmalz said.

<em>To listen to and watch all the sessions from the 2022 Federal News Network <a href="https://federalnewsnetwork.com/federal-insights/2022/06/zero-trust-cyber-exchange-2022-sessions-on-demand/"><strong>Zero Trust Cyber Exchange</strong></a>, go to the <a href="https://federalnewsnetwork.com/federal-insights/2022/06/zero-trust-cyber-exchange-2022-sessions-on-demand/">event page</a></em><em>.</em>

Federal Insights

In Focus: Threat intelligence in the private and public sectors