Adopting and integrating zero trust principles into any cybersecurity strategy is far from simple, but the use of automation technologies can help greatly in that process, Federal officials said at ATARC’s Zero Trust Summit on November 17.
Ramesh Menon, chief technology officer for the Defense Intelligence Agency, said automation is important, particularly in DevSecOps processes.
“Some of these security requirements can be embedded into your agency’s DevSecOps processes. By automating these processes, developers who do not comply with any security requirement won’t even be able to put in an access code,” Menon said. Security cannot be an afterthought, and ensuring that security is baked into everything developed puts it at the forefront, he emphasized.
André Mendes, CIO at the Department of Commerce, agreed with Menon and added that built-in security eases worry for developers and helps to ensure secure and highly functional applications.
“A built-in security environment through automation allows developers to focus a large part of their time on functionality instead of security because that security is automated. It’s baked into the process,” Mendes said.
However, both officials agreed that before any implementation of security automation begins, agencies have to verify the software explicitly to make sure it fits into their zero trust principles and larger cybersecurity strategy.
“Agencies must be creative in this process to ensure they are always prepared and obtain and retain the needed talent. But they must make sure that whatever technology they decide to use in their strategy remains relevant to the agency’s operations,” Menon said. “Zero trust is a journey, a unique journey for every agency. So, make it relevant to your agency.”