U.S. Air Force Chief Software Officer (CSO) Nicolas Chaillan this week emphasized the importance of moving towards zero trust security architectures within the Department of Defense (DoD) – a process that DoD Acting CIO John Sherman has said is a top tech priority for the Pentagon.
“Zero trust has evolved, and Federal agencies have implemented various versions of a zero trust architecture,” Chaillan said during a July 6 online event organized by Tetrate. “But, a fully embraced zero trust architecture is a cybersecurity architecture based on zero trust principles designed to prevent data breaches and limit internal lateral movement at every level of an agency,” he explained.
Chaillan laid out the two foundational aspects of zero trust architecture, the first being micro-segmentation based on user identity and the devices used. The types of devices that an agency uses are fundamental to the mission, according to Chaillan, and it’s imperative that Federal agencies not pretend there is no end-point risk with devices. Therefore, in a zero trust architecture, a focus on devices and the person who uses them is vital. And the second foundational aspect, he said, is a data-centric security strategy.
And as the DoD continues to make significant progress in creating a secure software development operations (DevSecOps) environment, the department has had to bring in cybersecurity experts and practices, which entailed implementing zero trust security in its DevSecOps environment.
“Zero trust matters, especially on the government side. That is why the foundation of our DevSecOps environment is zero-trust,” said Chaillan.
The Air Force CSO explained his take on the Biden administration’s recent cybersecurity Executive Order (EO) and its significance to Federal agencies like DoD.
“The EO has two major takeaways,” he said. “The first was a significant push for zero trust architectures and zero trust principles. And the second was modernizing software security, and that directly ties to DevSecOps for us,” Chaillan said.
The EO requires all Federal agencies to develop and deploy zero trust architecture, especially to secure software used to makes informed security decisions in production environments. “[The EO] is a clear indication that zero trust is the only way forward,” said Chaillan.