It’s official. Agencies must have zero trust in their networks. Now what?

It’s been building for a while, the move to implement an architecture known as zero trust in agency information technology networks. Now the Biden administration has specifically called for it in a recent cybersecurity executive order. Federal Drive with Tom Temin discussed what zero trust actually is and the effect it will have on IT spending patterns with Forrester Research security and risk analyst Steve Turner.

Interview transcript:

Tom Temin: Steve, good to have you on.

Steve Turner: Yeah, pleasure to be here, Tom.

Tom Temin: And let’s begin at the beginning, you and I know all about risk management, but maybe the average listener does not, so just briefly review what the heck it is.

Steve Turner: Yeah, so risk management is all about figuring out what at the end of the day your organization’s willing to accept in order to do business. And specifically in the federal sector, it’s all about them accepting what risks are going to allow them to proceed forward with the different missions and objectives that are set out with them within reason.

Tom Temin: Alright, so in a zero trust IT setup then, what does that mean for a network?

Steve Turner: Here at Forrester, the kind of the succinct definition that we have for zero trust is that it’s a security model that only grants access to a resource through continuous verification and enforcement that a session is secure, authenticated and authorized. So super succinctly that means that we never trust but always verify who or what is kind of accessing something at the end of the day.

Tom Temin: Even the most trustworthy inside users then go through that same scheme.

Steve Turner: Absolutely. Because we’ve kind of understood throughout time, and especially extremely recently, that we can’t trust what’s on the inside or the outside. So at the end of the day, we can’t trust anything. And we need to build up that trust over time, verifying somebody is who they say they are, because with all the breaches that have been happening out there, it’s needed. The old model of doing things doesn’t work as kind of evidenced by what the Biden administration is going to put out there.

Tom Temin: Now, many agencies have already been stating that they have been working on zero trust for a few years now. So this order kind of backfills what has been going on in some sense. And what we hear over and over is zero trust is not a product you buy like a cybersecurity tool, but an approach. So looking at the spending patterns in cyber, what does Forrester find that the executive order could change in the expected spending otherwise?

Steve Turner: Yeah. So this is something that we’re actually doing a lot of active research on now. But historically, a lot of larger organizations in the private sector when they’ve implemented a zero trust approach, have actually seen their spending either stay flat, because they’re utilizing a lot of the existing tools that they have today in order to implement it. Or they’ve actually seen cost reductions in a lot of the tools that they’re using, because they’ve consolidated a lot of technologies and tools that they’re utilizing in order to get to zero trust. The important thing that I want to point out, though, is kind of that initial ramp up, because a lot of organizations as well as the federal government, utilizes consultants or other experts within the industry to kind of get that launch point kind of going. And then after that launch point, I fully expect that over time, through the consolidation of different technologies and tools that the spending is, I wouldn’t say that we’re expecting a significant increase in a lot of organizations, especially like in the public sector.

Tom Temin: We were speaking with Steve Turner, he’s a security and risk analyst at Forrester Research. And looking at the private sector, specifically, what have you seen in patterns there with regard to how zero trust and some of these related technologies affect their spending patterns? You’ve seen that reduction?

Steve Turner: Yeah, so in the private sector, for the larger organizations, we’ve seen that it’s either staying flat or a reduction in spend for tools and technologies. Now, when we’re talking about kind of that middle sector, like those small and medium businesses and everything like that, we typically see an increase in spend, because they don’t have the capabilities, or they don’t have the tools and technologies to get the visibility and to do the enforcement that we care about when we talk about implementing zero trust. So it’s definitely large organizations over time have just built up this large portfolio of tools that does a lot of similar or the same things, so they have a lot of opportunity for consolidation. And we’re expecting to see the same thing in the federal government, because some of our previous research is kind of unearthed that there’s tons of kind of like, lots of tool build up throughout the government, and they’re only using maybe 20 or 30% of the features within each of those tools. So they’re spending exorbitant amounts of money on a tool that they’re not even fully utilizing.

Tom Temin: And in the case of small or independent federal agencies, they don’t have to go it alone because they have the Cybersecurity and Infrastructure Security Agency that offers tools and they have other big brother types of agencies that they can glom on to so they don’t have to be like a small independent business that’s out on its own.

Steve Turner: I mean, the great thing, especially with the executive order, and with CISA kind of getting more and more integrated into what the different agencies are doing, it allows all of those folks not to go at it alone, and allows them to have that almost consulting like arm to be able to help them along their journey and potentially utilize those existing resources that sit there. So I for one am excited because I think CISA is finally front and center, and they’re the central kind of cybersecurity organization for the federal government. I’m hoping that that bleeds more into the national security agencies as well, but time will tell there.

Tom Temin: Sure. And looking at the executive order and its mention of zero trust, what do you see as what the government needs to do next? And if someone is still a beginner in zero trust, what do they have to do?

Steve Turner: Looking at the executive order, and we put out a blog post kind of around this, but the executive order kind of read more like a laundry list of different technologies and tools, right. They call out building reference architectures within each of the different agencies and putting that forth and getting reviewed. I’m hoping that the next thing that’s kind of coming with the executive order is the budget and the actual resources to implement all of this, because I have a feeling that at the end of the day, with the really tight deadlines that are in the executive order, they’re only going to be able to accomplish so much. And so I think a lot of agencies are going to ask for extensions in order to meet the requirements within the executive order. But I think at the end of the day, kind of getting an assessment of where they are at with all the different tools and technologies that they have. And then understanding how that fits into the reference architecture that they’re building is so incredibly key. And I’m hoping that that’s what kind of comes out of the results of what this executive order has kind of put forth.

Tom Temin: And that exercise then could reveal or surface a lot of tools and products and maybe services that they’re not using, that they could just get rid of and save some money right off the bat.

Steve Turner: Absolutely. Either it could go in that direction, or they can lean more heavily into a tool that maybe accomplishes a lot of the gaps or capabilities that they need to get to zero trust without having to buy something that at the end of the day, you said it before Tom, and we’ve advocated it so heavily, you can’t buy zero trust. So you need the people and the processes to kind of change with this totally new way of doing things. And then back into the technology to enable all of that.

Tom Temin: Could some updates to the network technology itself, such as envisioned in the EIS contract from the General Services Administration — could those further the ability to get zero trust? Because you’ve got a more modern network to begin with, your topology is all new.

Steve Turner: Yeah, I think that’s a really important point to make. I mean, there’s been so much kind of happening in the background before the executive order that’s kind of made or laid the groundwork for this executive order, you could kind of say, finally, let’s go towards zero trust. Like you mentioned earlier, Tom, there are a lot of agencies that are already proceeding towards zero trust. And this just kind of helped give them the reinforcement and the backing and the foundation to be able to ask for more resources, more budget, as well as lean into other monetization projects that are kind of going on already. Something that is really interesting that I don’t think a lot of people realize that there was one call out in the executive order around putting EDR, the ability to have visibility kind of across agencies and do centralized threat hunting. But earlier in one of the defense bills that was passed, not too long ago, CISA was given the authority to do centralized threat hunting across all of these agencies. So again, just laying that groundwork over time, and then finally just calling out what kind of needs to be done. I think that’s going to be a continuous thing that we see before. More and more kind of legislation gets passed, to just kind of put it out there that saying that this is what we want to do, but they’ve already laid the groundwork for that tap in.

Tom Temin: Steve Turner is a security and risk analyst at Forrester Research. Thanks so much for joining me.

Steve Turner: Absolutely Tom, thank you so much for having me.