Tom Temin: Zero trust — just briefly reintroduce us to what this is because it seems like half the industry is talking about it these days.
Laura Criste: Sure. So zero trust is a framework that moves away from allowing, or once the user is allowed into the network, then they’re granted trusts. So that’s what the government has been doing and has been trying to move away from, and that’s called perimeter security. But zero trust wouldn’t grant trust to the user once they’re inside the network. It continues to verify their identity and make sure that they’re allowed access to different resources once they’re into the network, so it assumes no trust and grants trust periodically as needed.
Tom Temin: It’s not really a product. You can’t buy zero trust like you used to buy a disc with Lotus 1-2-3 or something. I’m dating myself. And so is there money behind it?
Laura Criste: Yeah, that’s a good question. So one of the things that I wanted to look at was what this would look like moving forward. So the federal government has a lot of the technologies that would go into zero trust, like continuous diagnostics and mitigation. At least they’re working on it. So it’s not completely implemented throughout the federal government. And that’s one thing that they’ll need to do in order to kind of complete there’s zero trust framework, but they still have work to do. So even though they have the technologies, they need to integrate them, they need to use them in a way that implements the zero trust framework. And then they’ll probably still need some technology, I wouldn’t expect that they have every single piece that they need. So what I would expect moving forward with spending is that agencies will buy some more modern technologies and replace some of those legacy systems. And then they’ll need contractors that can help integrate those systems, and who are experts in those different types of technologies. I do think that there will be money there.
Tom Temin: With respect to how far it has penetrated the federal government, versus say, large organizations in the private sector networks, is the private sector ahead of the government in having this architecture in place?
Laura Criste: Yes. NIST put out their new zero trust architecture just a couple of days ago, a final version of it. It’s guidance for implementing zero trust across agencies. And in that they say that the federal government has been issued guidance to work on implementing a zero trust framework for the last decade. And I actually was speaking with my husband about this because he works in it. And he was saying, hasn’t the private sector been doing this for a really long time? And my understanding is yes, and the federal government has been starting to implement this, but like with many modern technologies were modern-ish, the federal government is a bit behind. They are trying to address it and kind of make those changes to get on the same page as the private sector.
Tom Temin: With all of this remote teleworking and the pandemic situation, has that accelerated do you think federal interest in the zero trust model?
Laura Criste: I do. And I also think it’s possible that agencies are using money from the CARES Act to help implement it. So I think not only has telework pushed it forward because agencies need to address some of those cybersecurity issues. It’s also allowed them to have more money to actually address some of the things that they’ve been wanting to in the past.
Tom Temin: Got it. So it sounds like the spending then is a combination of services to redo the network and program it and so on. A little bit on tools that you might need that you that you don’t have in place to begin with that you would need to complete with whatever it takes to to have it.
Laura Criste: I would expect so. Based on the FITARA scorecard, it seems like agencies still have a lot of different pieces to address as far as IT modernization. So I don’t know for sure that all of those pieces align with zero trust, but I know that they’re still addressing cybersecurity issues, and I expect that zero trust is part of that, so getting that extra money from the CARES Act, and hopefully in the next budget will mean more money going toward this type of thing.
Tom Temin: Yes, because a big related issue with all the pandemic and the remote working and the zero trust is the heavy use of virtual private networks, which a lot of agencies are trying to get past because it can be expensive, and they have better security ways of letting people into the networks remotely. So does that all tie in also, maybe the desire to get past the VPN model, which is a little long in tooth I guess?
Laura Criste: Absolutely. It’s funny that you mentioned that because I know that there were a lot of issues with VPNs when people started teleworking more because they just weren’t really doing that. So not only do they need to address the old security issues that they would have had, now they’re trying to incorporate zero trust and to make sure that not only do people have secure access to the network, but they also have secure access to all the resources they need within the network. And I think the other piece of this is that agencies have been really pushing the move to the cloud. I think that was the big reason that NIST and other guidance have pushed agencies to adopt a zero trust framework, because all of the resources aren’t sitting on the networks like they used to. It’s the cloud and the telework piece I think that are really pushing agencies to have.
Tom Temin: Sure, good point. And in your report, you mentioned that since 2017, according to Bloomberg Government search, only $500,000 has been spent by agencies on zero trust. So if I’m a contractor, and I’ve got this really great cybersecurity practice, is there an opportunity ahead because a half a million dollars is, frankly, in government IT contracting is send us a bunch of printers?
Laura Criste: Yeah. So I think that the number there is just for looking at things that specifically mentioned zero trust. So that could be because agencies don’t specifically cite that they are adopting a zero trust framework. And I think that gets more to more of the integration and more of the kind of guidance that they would need from contractors to help them implement zero trust and make sure that that framework is kind of in place. And it gets less to things like continuous diagnostics and mitigation, because CDM obviously, or as you probably know, and many of the listeners probably know, has given contractors many more than $500,000. So all of the component pieces of zero trust are going to have billions of dollars associated with them, but actually trying to get contractors to come help guide agencies in implementing zero trust hasn’t got a lot of money and I think that’s where there’s a big opportunity.