With the migration to zero trust security architectures in full swing in the Federal government, top agency technology executives shared their experience with effective strategies and technologies they have implemented thus far during an April 25 webinar organized by Federal News Network.
The zero trust concept has been around for many years, but has become a household word in security circles since President Biden’s 2021 executive order number 14028 that directed agencies to begin migrating toward the new standard.
While they weren’t yet calling it “zero trust,” agencies like the Central Intelligence Agency (CIA) were already working on key tenets before the 2021 executive order.
Terms like “least privilege access, network segmentation, robust audit and monitoring, and secure identity management have all been foundational to how [the CIA] delivers IT services to a very complex and agile global set of requirements,” said Ryon Klotz, deputy chief information officer (CIO) at CIA.
The CIA has made significant progress in its zero trust migration by bringing together elements of its IT enterprise under the CIO, the chief data officer, and the chief information security officer (CISO) to reside together under the digital director at the Directorate of Digital Innovation.
“That cohesive organizational leadership and prioritization approach has allowed us to put a lot of focus on many of the elements of our zero trust architecture,” said Klotz.
For the Department of Health and Human Services (HHS), implementing a zero trust architecture has been a challenge particularly because “HHS components vary in size, maturity, architecture, and mission,” said La Monte Yarborough, CISO at HHS.
“We’re at various levels due to our complexity and our levels of maturity concerning our zero trust network architectures,” he said.
Yarborough said that an effective strategy implemented by HHS to move forward with zero trust was the formation of a zero trust working group with representation from each element within HHS to share successes and challenges and identify opportunities where different areas of the department can address shared requirements together.
“[Our working group] has conducted gap assessments to identify priority areas and the department is working this year to assess baseline progress against our implementation plans to support future initiatives most effectively,” Yarborough said.
Similarly, the Transportation Security Administration (TSA) has taken steps toward implementing a zero trust architecture, but the agency still has a long way to go, according to John Samios, the chief system security officer at TSA.
One of the routes TSA has taken to move forward with zero trust is the Cybersecurity and Infrastructure Security Agency’s Continuous Diagnostics and Mitigation (CDM) Program, which delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture.
For example, the CDM Program has helped TSA “with authentication by having already pre-defined and set up a credential management and privilege management,” Samios said.
Samios said there are several areas that TSA needs to continue to work on. One of those, he said, is network segmentation. TSA needs to get rid of flat networks anywhere they may exist and segment things “so that we can better control and contain things,” Samios said.
Another area TSA is continuing to work on is data tracking, which has been an ongoing challenge for the agency as it works to implement a zero trust architecture.
“Encrypting data is one thing, but to be able to tag it correctly and put it into three buckets and for the access controls is always a big challenge,” Samios said. “We’re working with teams to identify what we need to do to find what it means to be successful.”
According to industry experts, implementing emerging technologies could certainly help Federal agencies implement zero trust security, but it should not be the go-to solution.
“Technology is going to change, and the things that we put in place today that we think we’re going to have 100 percent secure identity is going to suddenly not be as secure tomorrow,” said Gary Barlet, Federal chief technology officer at Illumio.
Federal agencies need to pivot their focus to looking at the pillars of a zero trust architecture in a more holistic view, prepare for inevitable breaches, and build cybersecurity into workforce training, he added.