Cybersecurity seems simple enough. The old methodology went something along the lines of installing a strong IT network, training employees to identify and avoid risks, and locking down the most sensitive information in-house.
Recent years have proven that the old approach is no longer enough. The 2015 Office of Personnel Management (OPM) data breach – in which user identity hacks allowed more than 20 million records to be leaked – signaled to the country that no data is safe, and that hacktivists and malicious actors actively try to infiltrate information systems.
“Our defenses have been focused on defending everything equally,” said Greg Touhill, the first Federal Chief Information Security Officer (CISO) and current President of Cyxtera Federal Group. “The perimeter is the person now.”
Panelists at Symantec’s Government Symposium spoke to the importance of a Zero Trust cybersecurity strategy and how agencies could go about adopting it.
Although Zero Trust is a new strategy, it builds on existing layered security defenses, while creating consistent identity checks and authentication. Federal employees – more than others – regularly travel and use their mobile phones to conduct sensitive business. If a staffer signs in remotely, IT can’t tell whether it’s for a legitimate business purpose or if something more nefarious is underway, which is why the government is increasingly relying on verification.
“Hopefully we can leverage a lot of the work we’ve done in the past using other models, other architectures, other concepts to build a core of Zero Trust,” said Nick Marinos, Director of Cybersecurity and Data Protection in the Government Accountability Office (GAO). “Zero Trust absolutely is a strategy. It’s a mindset.”
Randy Vickers, CISO for the House of Representatives, said that government has had to adapt the “deny all, permit by exception” mantra to a remote, mobile environment. The first step is locking down identity through authentication and authorization.
“Identity becomes critical as well as initial authentication,” Vickers said. “Authentication really is an enterprise challenge. Your identity hub is centrally managed.
“Authorization is a whole other subject. It’s either system-driven, organization-driven or application-driven. So when you have that dichotomy, organizations are looking at the security folks to ensure that their data is secure. But we as security don’t know day in and day out, ‘Is that authorized?’”
A face-off between security and business leaders has created an unsteady balance between productivity and data safety. Vickers said that in watching over House of Representatives members, he has to manage the goals of 441 CEOs.
While cybersecurity is a priority, it’s far from the only one. Mobile access to networks has unlocked tremendous business potential and improved the user experience, both of which organizations are understandably reluctant to shut down.
“It’s great for us to say, ‘OK, you have to do these 10 things or these 10 things are checked to get access to this,’ but at some point, what the user does is as important as the actions you’re taking,” Vickers said. “Because in essence, the business has to go on.”
With that in mind, agencies increasingly prioritize the security of onboarding and offboarding processes. The first steps to successful Zero Trust implementation, panelists said, were to understand your assets and lock down individuals’ identities.
“You need to know that that person is the right person,” said Thomas Michelli, Acting Deputy Chief Information Officer for Cybersecurity for the Defense Department (DoD). “When they push that button, the whole chain to when it hits the weapon system, you have the confidentiality, integrity and availability of the data to get from one point to another.”