The recent Executive Order on Improving the Nation’s Cybersecurity directs agencies to move to zero trust security architectures, in which no person or device is automatically trusted. However, many agencies were already well on their way to zero trust, said Drew Epperson, senior director of Federal engineering and chief architect for Palo Alto Networks Federal. In a new MeriTV interview, Epperson addresses the current state of zero trust in the Federal government and offers practical steps agencies can take to accelerate zero trust adoption.
Agencies have been migrating to zero trust for several years, according to Epperson, who cited work at CISA, NIST, DISA, and NSA as prime examples of the Federal effort to grow the government knowledge base on zero trust.
Epperson has more than a decade of experience in designing and implementing enterprise cyber solutions for the Federal government. On MeriTV, he discusses actions agencies can take to get to zero trust, whether they are just beginning or well on their way. These actions include:
- Identify the agency’s top priorities – the mission-critical data, systems, applications, and services – and start by securing those
- Identify cybersecurity investments and align those with zero trust guidance from CISA, NIST, DISA, and NSA; evaluate gaps
- Create context-based access policies
- Establish common analytics across on-premises and cloud environments
“We like to call [identifying top priorities] the ‘crown jewel approach,’” Epperson said. “Instead of trying to solve the entire problem at once, agencies need to articulate what the mission-critical objectives are and focus on those challenges.”
The COVID-19 pandemic is a prime use case for zero trust, he observed. “I don’t think anyone really planned for 95 percent remote work. … Now that everyone is remote … you need to find a way to get those remote users – or possibly a remote branch – back into core data centers, but also public cloud infrastructure. CISA has produced some good guidance around TIC 3.0 and specifically around remote workers and remote branches.”
Automation can help agencies establish and maintain zero trust security.
“Attackers use automation everywhere possible to move at machine speed across networks and do the most damage in the shortest amount of time,” Epperson noted. “Unless we’re operating at that same machine speed, using all of the machine learning and automation technologies available to us, we’re likely always going to be behind.”
For more insights from Epperson, check out the full interview.