Fed IT Officials Urge Faster Pace on Zero Trust Implementation – MeriTalk

Senior federal IT experts – including the current and former federal CISO and the Pentagon’s top IT official – broadly agree that the necessary ingredients are available to begin implementing zero trust security concepts for government networks, and that the time for action is now.

Speaking on April 22 at the virtual event at the Billington CyberSecurity Defense Summit, Federal CISO Chris DeRusha, Acting Secretary of Defense (DoD) John Sherman and former Federal CISO Greg Touhill made strong arguments for taking the next steps to improve federal network security.

A new streamlined framework for CISO negotiations

DeRusha, who became Federal CISO in late January, explained that zero trust security concepts are “rooted in three basic principles – checking each user, validating each device and then, within that, restricting access to intelligence data.”

“This is obviously a departure from the previous model of trust, which suggested that if a user has a firewall, then you know they can be trusted, and obviously that doesn’t affect them,” he said. “So we have to move to this new model that assumes everyone and everything is unreliable until we prove otherwise.”

“The government has been working for this zero trust framework for some time, but seriously over the last few years,” DeRusha said. “Agencies are building really strong foundations around identity and credential management. We are also getting closer to performing DNS monitoring [and] dynamic control.”

Before rushing to zero trust, DeRusha said, some framework solutions need to be considered.

“There are a lot of different frameworks in this space right now, and I think that would be one of the things we have to do, to simplify it a little bit, [to] ensure that we do not have too many different types of frameworks for what we mean when we talk about zero trust,” he said. “But when you really break it, a lot of that already exists.”

Another part of achieving a change in the big picture security models, he said, is a “changing mindset” that will require some commitment from different types of partners in the organization, [and] business country.

“One could see this as potentially causing some challenges or disruptions in the way the workforce is currently doing business or accessing resources, and some may find it inconvenient,” DeRusha said. “So when that happens, we’re really going to need the business side of the house to understand why we’re making these changes and how good it is for the organization and also for them.”

“As always in this space, it will be a lot to manage our management outside the IT cone and we will need good communication with the business side of the house, or I think it will go slower than it could if we don’t do a good job with that,” he said.

Technical safety breaking point

DoD CEO John Sherman said the United States was “at one of those folding points right now” – similar to the determined use of radar in the Battle of Britain in World War II or the use of machine guns in World War I – where the jump in technology proved decisive against opponents.

“Our current approaches to security will not take us into the future,” he said. “We have to play a new play here, a new defense … [adversaries] reach the end zone too many times.”

He endorsed the basic zero trust concept of network microsegmentation and pointed out that this is already a very widely discussed strategy. “Zero trust … that’s the word du jour,” Sherman said, adding, “you hear it on the radio.” Although the name of the security concept may shift over time, he said, at bottom “it’s about paradigm shift of the victim” and hindering the penetration of opponents into the networks.

It’s time to put on

Retired Air Force General Greg Touhill, who was federal CISO in 2016 and is now director of CERT at the Software Engineering Institute, stressed that the concepts of zero trust are several years old and that it is time for organizations to move ahead with implementation. “The technology is already there,” he said, citing software-defined networking as an example.

“Zero trust is not a buzzword, it’s a business imperative,” Touhill said. “If you don’t implement a zero trust strategy … you carry the cyber sign ‘kick me.’”

Zero trust, he stressed, “is not something you buy, but a strategy.” He continued, “Everyone smells of coffee with zero confidence, now it’s time to put it on.”

As part of the discussion on federal government adoption, he advised focusing first on the data that needs to be protected. He said that some in the federal CIO community “have a fixation on technology … We need CIOs to step back, see that 30,000 feet and focus on the data.”

Sherman, who put forward a strong argument for faster implementation of zero trust during a MeriTalk webinar earlier this year, echoed that sentiment at the Billington event and said the department should launch its own zero trust strategy later this year. “At the moment, this is my number one priority,” he said.

Sherman said DoD already has many parts for its DoD 365 application, which embodies zero trust concepts, including endpoint protection and Comply to Connect. “We have a lot of pieces here … we have a long way to go,” he added. “We’re like a house with a few frames, a little plumbing, maybe a roof,” he said. “But we still have something to do to make a brick house.”

“This is one of the key points here,” Sherman said of security efforts. “If we understand correctly, this will make life difficult for our opponents in Beijing and Moscow.”
