Jul 31 2024

A Key Piece to Mastering Zero Trust? Mobility

Agencies are looking to balance the realities of hybrid work with the federal cybersecurity philosophy.

Federal IT teams must weigh the latest zero-trust tools to ensure safety while also allowing for mobility in where and how employees work.

IT experts continue to refine best practices around squeezing the most out of mobile devices while adhering to zero-trust principles, according to those on a June 27 webinar hosted by the Advanced Technology Academic Research Center.

Civilian agencies face a Sept. 30 deadline to establish a zero-trust security architecture, and while their IT leaders generally feel prepared, the proliferation of laptops, cell phones and tablets that began during the pandemic makes continuous authentication tricky.

“We’re still trying to get … all the pieces that need to fit together to get user A with data B, and we need to continually ask in a way that doesn’t slow folks down, doesn’t lock down devices, and doesn’t force people to try and work against security because we’re making it too difficult for them to actually get their jobs done,” said Nuclear Regulatory Commission CISO Jonathan Feibus during the webinar.


Rules-Based Access and Controls and Device Health Statuses

Agencies can instead provide more rules-based access and controls to better determine when and where users have access to specific data and applications. That means IT staff needs to be able to quickly assess “why this device is talking to that data set or why this person is on this device, at this time, from that location,” Feibus said.

Security teams could also require that devices have a certain health status, with the most up-to-date software and operating systems, before allowing access to work materials, said Kern Smith, vice president at mobile security company Zimperium.

Federal IT shops are better equipped now to manage the vulnerabilities that come from the modern, work-from-anywhere environment.

“Organizations are saying, ‘OK, the mobility standards that I wrote 10, 15 years ago when we were all using BlackBerries, maybe let’s go back and revisit them now that we have the MITRE mobile ATT&CK framework, now that we have the NIST guidelines,’” Smith said.

Cybersecurity Can Be Too Strong

Because agencies have a more sophisticated understanding of device threats and risks, they can intelligently apply controls without unduly restricting access and overburdening users — allowing them to get their jobs done, Smith said.

IT leaders must continue to focus on their agencies’ missions so that offices can advance their organizational goals and improve their cybersecurity simultaneously, said Col. Gary Kipe, deputy director of the Zero Trust Portfolio Management Office within the Department of Defense’s Chief Information Officer.

“We’re at a point in the conversation where we’re no longer talking about perimeter security,” Kipe said. “If we make cybersecurity so strong and so robust that no one can access the data to include authorized users for authorized purposes and authorized ways, we’ve locked everything down, everything’s safe and secure. But we’ve basically killed our mission, which means we’re not really safe.”
