Inventory Current Cybersecurity Tools to See What Will Work
“There are a lot of existing things in your portfolio that you can take and apply to zero trust, but not today,” said Michael Epley, chief architect and security strategist for Red Hat North America public sector.
That’s probably because of a second challenge, he said: understanding how to use and deploy zero trust.
“Zero trust is fundamentally how you make access control decisions,” he said. “And how you make those decisions is a business decision. Most organizations don’t know how they make those existing decisions today, or it’s in some guy’s head in the IT department. Zero trust says that’s not good enough anymore.”
The Inspector General’s Office for the Department of Health and Human Services has been communicating the message behind zero trust — that it enables stronger cybersecurity — to employees to help them accept the idea.
“We’re big on zero trust. We really worked with our customers, trying to help them understand it, trying to reduce the fear of it,” said CTO Nicole Willis. “It’s been a culture change.”
At the State Department, IT officials are taking stock of existing cybersecurity tools to see what items can be blended into a new zero-trust environment that will posts around the world.
“Because we’re so dispersed, zero trust is a good thing. In many countries, we don’t trust the networks that we’re working on,” said Landon Van Dyke, CTO for the State Department’s Office of Management, Strategy and Solutions. “It’s actually allowing us to harden certain activities which we otherwise, under traditional architecture, would not have been able to do.”
Among the tools the department is examining is SD-WAN “and how we integrate that with a new architecture,” Van Dyke said, “as well as different types of security measures that we’ve held on to as security blankets.”
IT Experts Must Convey the Danger of Not Adopting Zero Trust
Having a solid plan, such as those delivered to OMB in March, is key to a smooth zero-trust deployment, Sanders said.
“We’re all starting on the zero-trust journey from different points,” he said. “A lot of them have a second factor, at least, as part of their authentication process, and some don’t. You have to understand where you are before you can start off on a journey.
“You’re not going to have all the money you’re going to need to get to the end. There is no end, there is no finish line. It’s just constant progress.”
But without acceptance on the part of government users — the most important customers of zero trust — even taking the first steps will be difficult, Sanders said.
“We have a responsibility on the security side of the house to communicate the risks more effectively than we have in the past,” he said. “That’s why we make the business decisions that we do, because we’re not doing a good enough job explaining to business leaders why they should care about it more than they do.”