When It Comes to Zero-Trust Pillars, Less Is More
The beauty of CISA’s ZTMM is that agencies aren’t expected to achieve dynamic or real-time zero trust for every pillar, says Jim Richberg, public sector CISO and vice president of information security at Fortinet.
Instead, agencies determine their needs based on their missions and assets.
“I'm always a less-is-more guy,” Richberg says. “The fewer variables and priorities I have to keep track of, the better.”
There’s a temptation to separate compute resources within their own pillar, but that just overcomplicates things for agencies. Zero trust is about cyber resilience — absorbing attacks and limiting their ability to spread — not perfection, Richberg adds.
Identity Is the First Pillar for a Reason
It isn’t an accident that identity is furthest to the left in CISA’s diagram of the ZTMM.
“It's pillar one for a reason, and typically it's because nothing happens until somebody requests access to a piece of data,” says Sean Frazier, federal chief security officer at Okta. “When you request access to a piece of data, you've got to log in to something, so it's super important.”
An agency that can’t validate the users and devices on its network can’t secure operations.
The government finds itself at an inflection point: Having spent the past 20 years validating identities with Common Access Cards and Personal Identity Verification cards, it is now in the process of modernizing. That dovetails nicely with zero-trust security, which aims to let any user access any data anywhere — provided they have permission, Frazier says.
A decade ago, federal employees largely came into the office, plugged their PIV card into their computers and did their work. Today, the “new world order” sees them accessing their agency’s network from home, airplanes or the corner coffee shop, Frazier says.
“Most of the times when the bad guys get in, it’s because they've done something where they’ve gotten someone’s credential. Either they guessed someone’s password or they bought someone’s password in a big database of passwords,” he adds. “One of the things that the identity pillar of zero trust shores up is making sure you’re using strong, phishing-resistant multifactor authentication.”
A bigger challenge for agencies is figuring out how to adapt their existing identity, credential and access management, he adds. The National Institute of Standards and Technology is currently working on a draft revision of its Digital Identity Guidelines (Special Publication 800-63), which is expected to align existing ICAM with modern Fast Identity Online 2 (FIDO2) and WebAuthn authentication standards.
Identity proofing presents a good starting point for modernization because the in-person PIV card issuance process doesn’t lend itself to the current economy, Frazier says.
“Are you going to fly that person to D.C. to go through that process, or can they do it remotely from, say, Minneapolis?” he asks.
As for authentication, a strong single sign-on must be ubiquitous across applications — no matter how many an agency has, Frazier says.