How Agencies Can Reduce Risk ad Enhance Security
DISA plans to move away from a network-centric security structure to an approach based on secure access service edge (SASE) and software-defined WAN, essentially replacing the VPN functionality the agency has been using for remote access and enabling conditional application access, according to Cyber Security and Analytics Director Brian Hermann.
“SD-WAN allows you, when combined with that conditional access, to give direct access to capabilities based on information about the user, endpoint and network that they’re connecting from,” Hermann says.
“If some bad actor does get into the network to get access to one particular piece of data or application, they can’t move laterally using SD-WAN.”
To help identify potential solutions, DISA issued a $6.8 million Other Transaction Authority (OTA) contract in January to a global technology consulting firm. Hermann says these arrangements are typically intended to obtain nontraditional partners’ assistance in areas too new for defense industrial base teams to be experts in.
DISA is also partnering with the Air Force to test the configuration, functionality and interoperability of new technologies to ensure they won’t pose scalability problems or other issues.
“We really don’t want to get this wrong,” Hermann says. “We have selected a set of capabilities to put in place, and some technologies specifically, but we’re not married to those. The point of doing this in a lab first is to see if we have to pivot on any of these technologies.”
Other agencies might also benefit from a pilot-based zero-trust approach.
“Develop a transition strategy based on what you intend to implement,” Hermann says. “But don’t put all your eggs in one basket. This OTA approach gives us the ability to pivot. Thus far, that’s been very effective for us, and I suggest it’s probably a good thing for others as well.”
How Agencies are Using the Cloud to Support Zero-Trust
The January 2022 federal zero-trust memorandum encouraged agencies to “make use of the rich security features present in cloud infrastructure,” and noted some agencies are using cloud services to monitor access to sensitive data and implementing enterprisewide logging and information sharing capabilities.
The National Science Foundation transferred several items to the cloud when it moved to new office space in Alexandria, Va., two years before the pandemic — which helped prepare the agency for zero trust.
“We didn’t want to move everything in the data center to Alexandria, because we had a smaller data room there,” says CIO Dorothy Aronson. “In my mind, the whole zero-trust evolution began when we started moving our infrastructure to the cloud, because leveraging the benefits of the cloud is part of realizing the benefits of zero trust.”
The agency is now creating new data lakes and other system elements with segmentation in mind. Some cloud-based tools, Aronson says, such as Microsoft Office, also help simplify the process of isolating and securing assets.
“The data associated with them resides in a distributed world,” she says. “All of those things allow for segmentation more easily. Our data strategy is based on personas we’ve defined, which is new.”
Taking a similar asset and identity management stance can position agencies to implement role-based access.
“Zero trust is a different kind of security,” Aronson says. “We identify the person first and set up the network so that person can safely reach the things they need. An important part of leveraging the benefits of zero trust is thinking about where your systems will reside and what kind of identity infrastructure you need to put in place.”
The Key Parts to Zero-Trust Preparations
Network, device and endpoint inventories are a key part of the Department of Veterans Affairs’ zero-trust preparations. Multifactor authentication, including Personal Identity Verification card use, has also been a focus for the agency.
The VA reports its metrics to the Office of Management and Budget, such as the number of personnel using MFA to access the network and apps. Vicki Michetti, acting executive director of information security policy and strategy, says that’s currently about 90 percent of employees.
With a large-scale change such as the evolution to zero trust, communication is a must. The VA has found involving all parties who will have roles in implementing zero trust — including system administrators, application developers and administrators who take daily care of the applications — has been helpful, according to Angela Rust, senior technical adviser for solution delivery.
“One of the most beneficial conversations we had both with DISA and the Defense Health Agency was just to pause and really evaluate all of the technologies we have in place,” she says.
“We bring everybody into a room, have tough conversations about where we’re going in the future, come to a consensus, and then we don’t have any splintering.”
Federal agencies, O’Brien says, face challenges when transitioning to zero trust, from cybersecurity skill shortages to privilege-level legacy system compatibility issues and procurement delays.
“The concept of zero trust has been around for over a decade,” she says. “It’s been slow to gain traction at some government agencies because of complexities involved with implementation.”
“Agencies should add solutions in a phased approach that first focuses on high-risk connectivity areas,” O'Brien adds. “Involve key stakeholders and establish communication updates with upper management and end users to boost the likelihood of a successful deployment.”