Page 44 - FCW, July 2020

FCW Perspectives
Similarly, another added, “we always talk about access and the data as if data is always sitting still. What are we doing to protect it when it is in motion? That needs to be addressed, too. I don’t hear a lot of that when I hear people talk about zero trust.”
“Some system owners don’t really know how their data flows,” another participant said. “It’s going to make your life much more difficult if you cannot baseline that normal.”
Artificial intelligence and analytics will be essential to making sense of all that data, the group agreed. CIOs must become data analysts, one official said, because “you’re going to have to use analytics in order to help manage your networks.”
Is federated trust feasible?
Such efforts are difficult enough for a single in-house system, but some participants expressed concern that the increasing reliance on shared services and cross-agency collaborations could make zero trust prohibitively complicated.
“I still think there is a tremendous complexity as we continue to outsource capabilities,” one official said. “How do you manage where you may have 50-plus software services, where your data is beginning to be stored in vendors’ environments versus your environments? There are areas where we just don’t have the 100% visibility within those environments.”
A participant from one of the larger federal agencies agreed: “Where we ran into a lot of trouble was in defining the minimum standard for an identity. Does it have to be hardware-based? Does it have to be certificate-based? What’s the minimum standard we give to someone to say, ‘Now you can be trusted as part of this distributed federated trust’?”
You can’t buy zero trust — but still, buy carefully
When the conversation turned to practical implementations, one official quipped: “Everyone knows all you have to do is just go buy it. It comes in a box. Just install it and everything works.”
After the laughter subsided, though, several participants noted that procurement must be approached with an eye toward becoming zero trust-capable.
“I think people forget about the component technologies that make something like zero trust possible,” one official said. “You’re talking about things like flexibly defined software-defined networks. You’re talking about things like strong Transport Layer Security certificate management. These things have to exist before you can even really start to approach a concept like zero trust.”
The roughly year-old Federal Acquisition Security Council can help define best practices in this area, another official said, and yet another noted that the Defense Department’s Cybersecurity Maturity Model Certification program could be “a foundational step to ensure that the network and the people we’re working with are capable of protecting our data.”
But ultimately, participants agreed, each agency must scrub its own acquisition stream to make sure the assets and services will support zero