Jun 11 2020

The State of Federal Thinking on Zero Trust

Increasingly, federal IT leaders are growing comfortable with zero-trust security and are thinking of ways to deploy it.

As federal agencies continue to support large numbers of remote workers, IT leaders have started to evolve their thinking on zero-trust security architectures. Increasingly, they are becoming more comfortable with the concept and are seeking to lay the foundation for deployments.

Zero trust represents a mindset shift in cybersecurity in which every transaction is verified before access is granted to users and devices. In the federal government, it is still a relatively nascent approach, with some pilot programs here and there. However, IT leaders seem to recognize that cybersecurity models are increasingly going to be defined by a zero-trust architecture. 

The Defense Department, the Education Department and the Small Business Administration are among the agencies that are warming to zero trust and see it on their roadmaps. 

Federal CISO Grant Schneider said last month that although the federal government has long segmented its networks, the operating model was “you presumed once someone had access control … that they were entitled to see almost anything in there.”

“That’s great for information sharing; it’s a challenge from a security standpoint because it’s an opportunity for our adversaries,” Schneider said at a May 18 event hosted by FCW, the publication reports. “When an outsider or an adversary gets into your system, they really only look like an adversary for a short period of time, because they pretty quickly are able to pivot to leverage real credentials in some way, shape or form, and suddenly your outsider looks like an insider. So the fact that you built an environment where you’re trusting all of your insiders is really not going to help you and not going to allow you the capabilities that you need.”

What Is Zero-Trust Security?

Identity management and authentication are central to zero trust, which gives an organization far more granular control over who and what can reach each resource in its environment. 

In February, the National Institute of Standards and Technology released the second draft of its special publication on zero trust architecture (SP 800-207) for public comment. As NIST notes, zero trust involves “minimizing access to resources (such as data and compute resources and applications) to only those users and assets identified as needing access as well as continually authenticating and authorizing the identity and security posture of each access request.”

The special publication is designed to give federal IT leaders a “conceptual framework” using vendor-neutral terms, Scott Rose, a computer scientist at NIST, said in January at Duo Security’s Zero Trust Security Summit, presented by FedScoop.

As NIST notes, zero trust refers to an “evolving set of network security paradigms that narrows defenses from wide network perimeters to individual resources.”

A zero-trust architecture uses zero-trust principles to plan enterprise infrastructure and workflows, according to NIST. “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet),” NIST notes. 

“Authentication and authorization (both user and device) are discrete functions performed before a session to an enterprise resource is established.” The NIST publication gives general deployment models and use cases where zero trust could improve an enterprise’s overall cybersecurity posture. 
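The NIST definition above (no implicit trust from network location; user and device authenticated and authorized before every session; posture re-checked continually) and Schneider’s earlier point about an attacker pivoting to real credentials are easier to see in a concrete policy decision. The following is an added example written for this article, not code from NIST, any agency or any vendor named here: a minimal policy decision point that evaluates each request on identity entitlement, MFA freshness and device posture, deliberately ignoring the source IP, and re-runs that decision on later posture snapshots so a session that drifts out of compliance is cut. The resource names, policy thresholds and device records are constructed for illustration.

```python
"""Added example: a minimal zero-trust policy decision point (PDP).

Constructed for this article; resource names, thresholds and hosts are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa_verified_at: Optional[datetime]   # None means no MFA in this session


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool          # enrolled in the enterprise device inventory
    disk_encrypted: bool
    patch_age_days: int    # days since the device last met the approved patch level


@dataclass(frozen=True)
class AccessRequest:
    identity: Identity
    device: DevicePosture
    resource: str
    source_ip: str         # recorded for logging only; it grants no trust
    now: datetime


# Hypothetical per-resource policy: who may reach it and how fresh MFA/patching must be.
RESOURCE_POLICY = {
    "hr-payroll": {"groups": {"hr"}, "max_patch_age_days": 14, "mfa_max_age": timedelta(hours=1)},
    "wiki": {"groups": {"staff", "hr"}, "max_patch_age_days": 30, "mfa_max_age": timedelta(hours=12)},
}


def decide(req: AccessRequest) -> tuple[bool, list[str]]:
    """Evaluate one access request. Returns (allowed, reasons_for_denial).

    Every check is explicit. Nothing is inferred from req.source_ip, so a request
    from the corporate LAN is treated exactly like one from the public internet.
    """
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, ["unknown resource: deny by default"]
    reasons: list[str] = []
    if not (req.identity.groups & policy["groups"]):
        reasons.append("identity not entitled to resource")
    mfa_at = req.identity.mfa_verified_at
    if mfa_at is None or req.now - mfa_at > policy["mfa_max_age"]:
        reasons.append("MFA missing or stale")
    if not req.device.managed:
        reasons.append("device not in enterprise inventory")
    if not req.device.disk_encrypted:
        reasons.append("device disk not encrypted")
    if req.device.patch_age_days > policy["max_patch_age_days"]:
        reasons.append("device patch level too old")
    return (not reasons), reasons


def reevaluate_session(initial: AccessRequest, later: list[AccessRequest]) -> list[tuple[datetime, bool, list[str]]]:
    """Continual authorization: re-run the policy on every posture snapshot.

    The session ends at the first failing snapshot; later snapshots are not consulted.
    """
    timeline = []
    for req in [initial, *later]:
        allowed, reasons = decide(req)
        timeline.append((req.now, allowed, reasons))
        if not allowed:
            break
    return timeline


# Constructed scenarios.
T0 = datetime(2020, 6, 11, 9, 0, tzinfo=timezone.utc)
ALICE = Identity("alice", frozenset({"hr", "staff"}), mfa_verified_at=T0 - timedelta(minutes=10))
GOOD_LAPTOP = DevicePosture("LAPTOP-0042", managed=True, disk_encrypted=True, patch_age_days=3)


def scenario_compliant() -> tuple[bool, list[str]]:
    """Entitled user, fresh MFA, compliant managed device."""
    return decide(AccessRequest(ALICE, GOOD_LAPTOP, "hr-payroll", "10.20.30.40", T0))


def scenario_stolen_credential_on_lan() -> tuple[bool, list[str]]:
    """Schneider's pivot: attacker has alice's password and is already on the
    internal network, but has no MFA factor and is on an unmanaged host."""
    stolen = Identity("alice", frozenset({"hr", "staff"}), mfa_verified_at=None)
    rogue = DevicePosture("unknown-host", managed=False, disk_encrypted=False, patch_age_days=200)
    return decide(AccessRequest(stolen, rogue, "hr-payroll", "10.20.30.41", T0))


def scenario_posture_drift() -> list[tuple[datetime, bool, list[str]]]:
    """Same user and device, but the device falls behind the patch threshold mid-session."""
    drifted = DevicePosture("LAPTOP-0042", managed=True, disk_encrypted=True, patch_age_days=20)
    initial = AccessRequest(ALICE, GOOD_LAPTOP, "hr-payroll", "10.20.30.40", T0)
    later = [
        AccessRequest(ALICE, GOOD_LAPTOP, "hr-payroll", "10.20.30.40", T0 + timedelta(minutes=15)),
        AccessRequest(ALICE, drifted, "hr-payroll", "10.20.30.40", T0 + timedelta(minutes=30)),
    ]
    return reevaluate_session(initial, later)


if __name__ == "__main__":
    print("compliant:", scenario_compliant())
    print("stolen credential on LAN:", scenario_stolen_credential_on_lan())
    for when, ok, why in scenario_posture_drift():
        print(when.isoformat(), "allow" if ok else "deny", why)
```

The point of the second scenario is that the internal source address buys the attacker nothing: the same credential that would have been “entitled to see almost anything” under a perimeter model is refused because the device and MFA checks are evaluated on every request. In a real deployment the posture fields would be fed by the device inventory and endpoint agent rather than constructed, and the re-evaluation would run on a timer or on posture-change events rather than over a fixed list.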


How Agencies Are Moving Forward on Zero Trust

Guy Cavallo, the deputy CIO at SBA, says the agency plans to move forward on zero trust. SBA is modernizing its network architecture to incorporate zero trust. 

“Our next step is to take all of this to every one of the 115 different SBA locations to zero trust networking and break apart from everything being connected and once you are on the SBA network, you are trusted, to not trust anything,” Cavallo tells Federal News Network. “Because of the cloud tools we are using, those cloud tools will allow us, in effect, [to] be the Trusted Internet Connections (TIC) for each one of those 100-plus locations and see the same dashboards that we are seeing now through the traditional MTIPS approach. That for us will be a revolutionary change.”

Steven Hernandez, CISO of the Education Department, tells Federal News Network the agency has been “tremendously productive” during the pandemic with remote workers, despite the fact that it rolled back its telework policy prior to the pandemic. However, that remote traffic has led the agency to increasingly see the need for a zero-trust model. 

Hernandez says agencies need to build trust in their cybersecurity vendors to fully implement zero trust. 

“Part of the trade-off in leveraging cloud solutions and other outsourced solutions is we provide a certain amount of trust with our vendors, that they’re going to keep us safe and that they’re also going to advance their solutions,” Hernandez tells Federal News Network. “Our side of that equation is we have to keep up as well, and when we do that, it’s great, because there’s two opportunities there: One, we keep up to date and with the current software and technologies, but two, it gives us an opportunity to also make sure that as new interfaces and applications become available to support things like zero trust architectures, we take advantage of those situations.”

Improvements in machine learning, robotic process automation and artificial intelligence, available at lower cost, have made the shift to zero trust easier, Hernandez says, though it remains a largely aspirational goal in the government. 

“One of the foundational pieces of zero trust is the more data you have, the better you understand it. The more history of data you have, the better decisions your automation can make,” Hernandez says. 

On the defense side of the government, the Defense Innovation Unit said last week it will launch a pilot for a secure cloud management solution with Zscaler that may lead to granting zero-trust access to about 500,000 concurrent users at the Defense Department. 


The Defense Information Systems Agency has been working with U.S. Cyber Command on a zero-trust pilot. “Zero trust is the architecture or framework that we are building out for overall continued access and authentication mechanisms across the network and at all layers of the network,” Jason Martin, the vice director of the Development and Business Center at DISA, said in September, according to Federal News Network.

Despite the momentum, it will take a while for widespread adoption of zero trust, Schneider says. 

“We’re still riding a lot of networks and environments that your IT department or you don’t know much about,” Schneider said. “We don’t know how they’re run, we don’t know who’s on them, we don’t know what they look like.”

Zero-trust technologies are not that complicated or difficult to deploy, Schneider says, but agencies need to ensure they have clear rules for access control. Those policies and decisions, Schneider says, are “going to come from the mission side, from the business side who understand their data and their environment.”
