The recent escalation in cyberattacks against private and public sector organizations has compelled CISOs to reexamine their cybersecurity postures. Both the National Institutes of Standards and Technology (NIST) and the Biden Administration have recently released publications about implementing Zero Trust Architecture (Zero Trust) to agencies’ cybersecurity strategies. The President’s Executive Order, issued in May following NIST’s Special Publication at the end of 2020, illustrated how agencies need to refresh their security to incorporate Zero Trust in order to better defend against threat actors. Days after the Executive Order was published, the ransomware attack on the Colonial Pipeline occurred, which disrupted the United States’ largest fuel pipeline. These events continued to alert agencies of the importance of Zero Trust and how implementing NIST’s model can evolve security strategies for the better.
Recently, Dovarius Peoples, Chief Information Officer at the U.S. Army Corps of Engineers; Steven Hernandez, Chief Information Security Officer at the Department of Education; Kevin Bingham, Zero Trust Technical Lead, Cybersecurity Directorate at the National Security Agency; Paul Morris, Chief Information Security Officer at Centers for Disease Control and Prevention; Jim Richberg, Public Sector Field Chief Information Security Officer and Vice President of Information Security at Fortinet; John Davis, Vice President, Public Sector at Palo Alto Networks; and Joseph Hamblin, Chief Technology Officer, Department of Defense at Verizon met to discuss how Zero Trust security strategies will influence government now and in the future.
Kevin Bingham, Zero Trust Technical Lead, Cybersecurity Directorate at the National Security Agency, commented that agencies need to break away from the “legacy mindset of programs and what’s been done in the past” and shift focus to improving security from inside the network. “We looked at the Zero Trust model and thought that it encompasses a disciplined approach that starts with understanding different pillars of functional capability areas that workers need” to concentrate on. With Zero Trust strategies, agencies embrace the concept of fully verifying users with no implied trust.
Joseph Hamblin, Chief Technology Officer, Department of Defense at Verizon, emphasized how important it is for agencies to educate and train users in order to successfully deploy Zero Trust strategies. At the U.S. Army Corps of Engineers, they developed a Zero Trust playbook that goes through 12 different areas. “When most people talk about Zero Trust, you only see it from about three different perspectives, but we’ve gone from all aspects of Zero Trust to include the training aspects, from the executive level down to the technician that is responsible for implementing Zero Trust,” shared Dovarius Peoples, Chief Information Officer at the U.S. Army Corps of Engineers. “Ultimately, in order to implement and execute, you have to be trained and we put a heavy emphasis on the training of our personnel.”
While applying Zero Trust strategies is a gradual process, Hamblin said that the Executive Order “put an emphasis on collapsing the time frame in order to maintain performance.” He mentioned that one way to do so is through “knowing who the actual user of the device is, so agencies can start making identity decisions about what resources they should receive access to.” Centers for Disease Control and Prevention’s Paul Morris said that, by performing “administrative and technical checks, agencies can make sure users are granted access to only what they need. We go through these checks before we grant access. We cycle the credentials users are using with a new password every time that gets thrown in the trash afterward. Then, we watch them and make sure that those users who are using those elevated privileges are staying where they should be.”
Implementing a Zero Trust approach will shift agencies’ perspectives on cybersecurity and will improve cybersecurity standards. Training and education will make implementation easier for agencies and help to accomplish their mission with these new strategies. Zero Trust is “the pursuit of perfection,” concluded the Department of Education’s Hernandez. “We will likely never get there, but we’re going to pursue it.”
To hear more from the Zero Trust panel, click here.