The new paradigm emerging for cybersecurity is to never trust anyone at any time, at least for some federal agencies.
“We’re in the process of implementing zero trust or near-zero trust,” said Andrew Orndorff, CISO and associate CIO for cybersecurity, Department of Transportation, during a panel at MeriTalk’s Zero Trust Cyber conference in June. “In the process we learned a lot of things.”
Orndorff said the department learned “to trust our data even less than we thought.” When his office started mapping its networks, it found 50 percent more assets on the network than it had thought, which meant there were a lot of devices that were less secure than expected.
On the other hand, “It helped us gain support from senior leadership to do something about the problem,” he said.
“The concept of zero trust is straightforward,” shared Maureen Gray, Chief Operations Officer at Blue Ridge Networks. “A zero trust architecture eliminates the concept of a trusted network within a defined boundary to the outside and instead creates a much smaller perimeter around an agency’s most sensitive assets. The advantage here is that a zero trust architecture enables much more granular security and control of the most valuable data or assets, providing a more secure environment overall.”
At Transportation, Orndorff said, the department is modernizing its software and hardware in stages, moving “toward orchestration and automation for zero-touch provisioning.”
“We frequently make decisions for access as long as you have the right badge or right credential, and you’re working on the right equipment – that’s very simplistic,” he said. “Most [bad actors] have an easy time getting in the door … We want to know the difference between when the chief data officer is logging in from home or the office, [and] alarms to go off if he logs in from Oklahoma City.”
He explained that you have to assess the environment for normal behavior, assess anomalies, and be able to respond. “There are very few people in the market with the right skills to run all that,” he said. “Security people aren’t going to be looking at logs, [they’re] going to be parsing the rules, looking to make sure [the network] runs properly, and use machine learning” to respond to events.
For the U.S. Navy, the idea of setting up “microperimeters” sort of comes naturally, said Rear Adm. Danelle Barrett, director, cyber security division, USN.
“We’ve always relied on satellites, which have a very limited bandwidth … We want to take massive amounts of data and store it on a ship, so that when we lose satellite access we have it,” Barrett said. “When we lose [the link], we still have 80 percent of the data needed for our work.”
She said the service is pursuing the use of shared infrastructure. “Right now we have a dog’s breakfast of equipment and apps … We want to use standard ports and protocols [in a] standard development environment, and push pieces of code out to ships. If you use standard data [formats], standard ports and protocols, I don’t have to validate all over again.”
Barrett cautioned that the push to zero trust will take time.
“The Navy doesn’t turn on a dime. We’re hoping the return on investment – just what you can do with the information that we can’t do today – will be the impetus to move faster,” she said. “We have to be able to show a big financial return, [but] what warms my heart is the operational efficiency.”