FCWPerspectives
Why zero trust is having
a moment
Improved technologies and growing threats have agencies actively pursuing dynamic and context-driven security
Just a few years ago, zero trust security for federal systems
was wishful thinking. The benefits were obvious, but actual implementation seemed inconceivable. Today, forward- leaning agencies are actively incorporating zero trust into their security models, and Federal Chief Information Security Officer Chris DeRusha has said the White House will push all federal agencies toward a “zero trust paradigm.”
FCW recently gathered a group of IT leaders to explore why
this long-discussed concept is now getting traction and how they are approaching what
is still a somewhat daunting transformation. The discussion was on the record but not for individual attribution (see page 41 for the list of participants), and the quotes have been edited for length and clarity. Here’s what the group had to say.
Old ideas but new capabilities
When asked for a baseline definition of zero trust, participants described the concept as “context-based least- privileged access” or “ICAM done right,” referring to identity, credential and access management.
One security executive said, “I don’t know why we can’t just defer to the [National Institute of Standards and Technology’s] Special Publication 800- 207 definition, which says right upfront that zero trust is all about moving away from static network-based con- trols on access to things and focusing instead on people, their devices and the resources they’re trying to access. So it’s a break from traditional thinking. We have to be a bit more flexible in the way we manage access to data and to the systems that manage that data.”
Another criticized the zero trust label itself, arguing that “it focuses us in the wrong place. We have to figure out what we can trust. And it’s not just the people, it’s not just the user, it’s the entire context for the entire communications.”
Part of the confusion about zero trust stems from the fact that it incor- porates security concepts that have been around for a long time. “This is not some brand-new thing that has come out of the ether,” one partici- pant said. “Years ago, we talked about attribute-based access control.”
The group agreed that the difference
today is that zero trust looks beyond users to manage access control and aims for constant monitoring and a dynamic, data-driven response that would have seemed unworkable just a few years ago. “It’s really about the technology and capabilities we have at our disposal now that we just didn’t have before,” one official said. “We have AI and machine learning avail- able as a service in the cloud. When we think about zero trust, these have exist- ed probably since the dawn of time, but how the technology has shifted and how we’re able to leverage that tech- nology are the real big drivers here.”
Embracing those new capabilities, however, requires changes to the IT infrastructure and especially to the data agencies must capture and inte- grate. As one participant said, “It’s important to highlight that because folks can say, ‘We’ve been doing this for a long time. You just put a differ- ent label on it.’ No, this is different because we’re driving toward a future architecture that is better optimized for all the new capabilities that have been developed.”
It’s not just networking
Government’s interest in zero trust originally focused on computer net- working. Yet when the federal CIO Council asked ACT-IAC to explore the applicability of zero trust security in 2018, “it became apparent almost
May 2021 FCW.COM 39