To build an effective zero trust approach, emphasizing identity and privileged access management can help agencies minimize their attack surface and cyber risk, Federal officials said during ATARC’s zero trust summit on November 18.
The core premise of a zero trust approach is inherent distrust. Organizations can tighten access controls on networks, applications, and the surrounding environment without sacrificing performance or user experience. The Chief Information Officer at the U.S. Department of Health and Human Services, Gerry Caron, said agencies could build an even more effective strategy with an identity-centric system.
“With this approach, we are implementing a set of security disciplines that allows [agencies] to enable the right individual to access the right resources at the right time for the right reasons,” Caron said. He advised that agencies narrow in on restricting privileged access: “do not give more access than what is needed to individuals.”
In addition, according to Caron, the first step in this approach is discovery, a complete understanding of what is on an agency’s network, from users to applications. By having this clear understanding, an agency can delegate access and put up any necessary guardrails.
“Having a clear understanding creates a clear picture of who your users are, who has privileged access, and if any guardrails are needed,” Caron said.
Deidra Bass, the deputy chief information security officer at the Defense Intelligence Agency, insisted that agency-wide education comes even before discovery.
“Zero trust is not a product, and it’s not just IT; it’s a holistic mind shift that an agency as a whole needs to understand,” Bass said.
Additionally, Bass insisted that staff must unanimously practice cyber hygiene to position an agency to succeed in its zero trust approach. Without a proper foundation of cyber practices, a zero trust approach may not function properly, and according to Bass, this is something that agencies still struggle with.
“There are still agencies that struggle with basic cyber hygiene. For us to really mature a zero trust model… we are going to have to get better at things like vulnerability management, patching, and encryption,” Bass said. “Getting really good at the basics is going to position us in a better place [in terms of security] going forward.”