It’s no longer a question of whether Federal agencies should implement a zero trust model for cybersecurity, but what methods they should implement to get to that goal.
Several experts from the private and public sectors earlier this week discussed how the right application segmentation strategy – a security approach whereby organizations isolate and place safeguards around sensitive IT data and applications – can lay down a strong foundation for a zero trust architecture.
Gary Barlet, the Federal Chief Technology Officer at Illumio, explained that keeping track of, and having visibility into, how information flows is critical to understanding how applications in an organization’s network function.
“Once you understand that, you can draw boundaries around these applications,” said Barlet during an August 7 webinar hosted by Illumio and GovExec. “With segmentation, you can draw a ring around all these various applications. So, what happens if one application gets compromised? It’s self-contained and it can’t infect other applications within your network.”
The reality of the cyber landscape is that it’s not a matter of whether an organization is going to get compromised, but when. According to Barlet, a security strategy such as application segmentation will prevent cyber criminals from having unfettered access across an enterprise.
Gerald J. Caron, the chief information officer for the International Trade Administration, explained that implementing an application segmentation strategy is about “reducing the risk surface” of an organization.
“You’re putting the protection closer around the things that you want to protect,” Caron said. He said ITA is undertaking a gap analysis to understand how information moves around its network, and to figure out what protections need to go around what applications.
“We’re still formally doing that gap analysis right now … [and] asking ourselves if I did not spend another penny, what can I do with what I have? We are also trying to understand what the maturity is of those things that we are doing. And then once we have those gaps, we can develop that roadmap to zero trust,” he said.
Another critical component of a segmentation strategy is the people factor. According to Mark Stanley, the zero trust lead for NASA, when implementing zero trust it’s critical to get “the word out to all of the various organizations and stakeholders within NASA to ensure everyone is on board to understand where we’re going, how we’re going to get there, and what it’s going to take from everybody.”
Stanley explained that not including people from every corner of an agency runs the risk of creating silos not just in delivering IT services, but also in security.
“As an agency, we had to work together across our service lines to make sure that we were delivering not only IT services but zero trust principles to the agency,” Stanley said.