The focus on cybersecurity is an all-of-government approach when it comes to the offensive side of the coin, with an equally robust all-in focus on defensive cybersecurity measures. To that end, the Office of Budget and Management released the “draft” strategy for “Moving the government to a Zero Trust Architecture” in early September. Simultaneously, the Cybersecurity Infrastructure Security Agency (CISA) issued its “Cloud Security Technical Reference Architecture” and “Zero Trust Maturity Model” documents. Together, these kick off a transformative initiative to change the manner in which cybersecurity is addressed in the federal government and, in doing so, present a tremendous opportunity for industry to participate.
Why Zero Trust?
Jen Easterly, CISA Director, says it best: “The Zero Trust Maturity Model is one of the many ways CISA is helping federal agencies protect their systems.” She continued, “CISA teamed up with the United States Digital Service (USDS) and the Federal Risk and Authorization Management Program (FedRAMP) to co-author the Cloud Security Technical Reference Architecture, which will guide agencies’ secure cloud migration efforts.”
The National Cyber Director, Chris Inglis, focused on the nation's adversaries in his comment on the need to evolve to Zero Trust: “Our adversaries are constantly adapting, and so must we. Zero trust principles are at the core of how our federal agencies must evolve to meet today’s cybersecurity demands. Our draft federal zero trust strategy will push agencies in the right direction and help make a more coherent federal cybersecurity posture.”
Zero Trust – Gravity Well of opportunity
The opportunity for the private sector is significant. Oliver Rochford, security evangelist with Securonix, characterized the Zero Trust initiative as a “gravity well” for industry. The federal CISOs will be challenged. His recommendation: “try and solve the problem with as few vendors as possible, prioritize relationships and ‘prove’ capabilities re prioritizing data source collection.” The pie is large, and companies should plan on “building alliances across companies in a transparent manner.”
The bar is high, and the challenges are significant, especially as the government’s ability to operate at the required speed in the cybersecurity space has historically lagged that of industry. Outreach to industry found consensus that Zero Trust implementation is going to be organization-dependent. Ashok Sankar, vice president of solutions marketing at ReliaQuest, said, “each Zero Trust implementation needs to be unique to an organization’s needs.” Challenges will persist, including the need for “contextual access” with the “automation and orchestration of data flow.” Sankar was optimistic that the effort was doable, while also emphasizing that “Zero Trust isn’t a product, it is an organizational dependent paradigm.”
He was joined in these views by Bindu Sundaresan, director within AT&T Cybersecurity, who observed, “Zero Trust Architecture means different things to different people, as organizations already have certain aspects of Zero Trust in place.” He continued that the strategy should focus “where you connect users to applications, not the network. The [Zero Trust Architecture] journey will depend on an organization’s use cases, business flows, risk profile, and the business function of the network.” Meanwhile, Maor Franco, senior director of product marketing at Pentera, “believes that this push to a zero-trust framework will benefit security operation teams and further limit adversary reach.”
CISOs and FSOs should pay particular attention to Franco’s observation: “The evolving threat landscape and adversary sophistication leads CISOs and security teams to acknowledge that legacy vulnerability-centric tools are unable to evaluate true risk and impact. Instead, companies should leverage automated security validation to run real attacks, ensuring readiness and a validated zero-trust framework.”