“For example, someone gets a bad performance review, and then all of a sudden we start to see a lot of data traffic and a lot of file [input/output],” that official said. “Those two things together are pretty suspect. And so when we think about the zero trust architecture, we have to start broad- ening that concept.”
“In many cases, this is new for orga- nizations,” another participant said. “There’s heavy bifurcation and firewall- ing between those areas. To move zero trust forward into its truly optimized form, we have to be working with our chief data officers to understand what data we have in the environment that might be useful for us.” Chief privacy officers are also essential to the effort, the official added.
Even with the data feeds more tradi- tionally used for security, the old ways of operating need to be revisited. Secu- rity teams can no longer own all the tools, one official said. “For most of us, when we deploy security, by golly, that means pizza boxes in the data center. We have to take a step back and be willing to say, ‘What I really need is the data. And I need it in this format and in this frequency in this place. And if you can get me that, do what you want, but I need the visibility so I can understand risk.’”
Where to start?
The idea of implementing such an all- encompassing model is daunting, the group acknowledged. Even Google, which pioneered the use of zero trust, took years to get “to where they felt like they had truly adopted” it, one offi- cial said — despite being a centrally organized, lightly regulated company with “fairly young IT infrastructure.”
“It is going to take us a lot longer, frankly, to move in that direction,” the official said.
But incremental progress can be made, others argued. “You can’t just put zero trust on everything — you’ve got to prioritize,” one official said. “So
you start by identifying the high-value assets, the most important data, and continually iterating as you get this in place.”
Another suggested working on “one use case at a time or one user com- munity at a time, starting with remote users where it’s easier to put in inline enforcement, especially with some of the cloud-enabled solutions where the policy can follow the user.”
“It’s taking it from a monolithic, endless project to, ‘We can do it here, and then we can do it over there,’” that official said. “And every time we do it, we’re building toward a larger strategic initiative.”
There is no zero trust merit badge to be earned, another participant said, and “some of the most useful zero trust stuff that we’ve done over the last couple of years doesn’t have zero trust anywhere in their project documentation. But we made it much easier for software developers to inte- grate with the platforms that we use for authentication. We made an effort to go through and review information in our global directories to make sure they actually were correct. Those were huge boons to our maturity as a zero trust organization.”
The governmentwide commitment to zero trust is real, the group agreed. It comes up in virtually every dis- cussion by the CIO and CISO coun- cils, participants said, and there was optimism that the recent infusion of money into the Technology Mod- ernization Fund could be a catalyst. “Something that really drives hard has to be backed with the right resources,” one executive said. “There’s a big hope that the CISOs, the security folks and the CIOs are going to step up and say, ‘We want to make some big shifts in cybersecurity.’”
“We’ve got the people who are the early adopters moving forward,” anoth- er observed. The real question is: “How are we gaining the momentum for the masses?” n
Participants
Gerald Caron III
Acting Director of Enterprise Network Management, Bureau of Information Resource Management, Department of State
Alma Cole
Chief Information Security Officer, Customs and Border Protection
Sean Connelly
Trusted Internet Connections Program Manager and Senior Cybersecurity Architect, Cybersecurity and Infrastructure Security Agency
Larry Hale
Director, Strategic Solutions and Security Services, General Services Administration
Steven Hernandez
Director of Information Assurance Services and Chief Information Security Officer, Department of Education
La’Naia Jones
Deputy CIO, National Security Agency
Lisa Lorenzin
Director ofTransformation Strategy, Zscaler
Allison McCall
Acting CIO, NationalTechnical Information Service
Ranjeev Mittu
Branch Head, Information Management and Decision Architectures Branch, InformationTechnology Division, U.S. Naval Research Laboratory
Karim Said
Chief Information Security Officer, NASA
Drew Schnabel
Vice President, Federal, Zscaler
Steve Wallace
Systems Innovation Specialist, EmergingTechnologies Directorate, Defense Information Systems Agency
Note: FCW Editor-in-ChiefTroy K. Schneider and Staff Writer Justin Katz led the roundtable discussion.The April 9 gathering was underwritten by Zscaler, but both the substance of the discussion and the recap on these pages are strictly editorial products. Neither Zscaler nor any of the roundtable participants had input beyond their April 9 comments.
May 2021
FCW.COM 41