Zero Trust requires a cultural shift
For decades, computer users have logged into their machines and networks with a password to access their applications and data. The use of single sign-on to authenticate users has enshrined the thinking that perimeter security was adequate.
Cyberattacks in recent years have shown that enterprises need more in-depth security, and for many CIOs and CISOs that means a Zero Trust Architecture. While implementation of the framework and technology can be straightforward, the bigger challenge remains the users who must embrace it.
“This will be a cultural shift for everyone because there will be a shift in how users validate their need for access to certain areas of the network,” explained Kynan Carver, Cybersecurity Lead for the Defense Market with Maximus. During a recent panel discussion, “How To Create A Comprehensive Zero Trust Strategy,” at 930Gov, Carver stated that “IT users will have to become used to validating their need for access as opposed to open access all the time.”
Carver compared Zero Trust Architecture to a large ship that has many watertight compartments that prevent the ship from sinking if one of them takes on water. Sailors are accustomed to securing the doors and related emergency procedures. Similarly, hackers may get into one part of the network, but with a Zero Trust Architecture, they cannot get into other databases or applications without proper authentication.
“Cultural adoption is key,” states Carver.
Carver and the other panelists agreed that no two federal agencies are at the same level of maturity with Zero Trust Architecture. The panel members at the 930Gov session referenced the May 2021 federal executive order EO 14028, “Improving the Nation’s Cybersecurity,” which implied an “assumption of greater maturity” than actually exists when it comes to Zero Trust Architecture in most agencies.
The other panel members with Carver were:
- Monica Montgomery, Deputy Chief Information Security Officer for Management and Strategy and Deputy Director, Cybersecurity Office, National Geospatial-Intelligence Agency (NGA)
- Randy Resnick, Director, Zero Trust Portfolio Management Office, DoD
- Andrea Simpson, Chief Information Security Officer / CIO, FCC
As a starting point for implementing Zero Trust, panelists advised knowing the agency’s mission and goals but also having a detailed understanding of the current agency infrastructure. With that in mind, the path to Zero Trust and its five pillars of identity, devices, network, applications and data becomes clearer. Says Carver, “This approach will establish the right cyber posture with proactive responses to threats rather than reacting to them.”
But it’s the cultural adoption of the new user and identity validation process that will be key, he counsels, and it is as important as the technology. For example, users will need to be educated on what to expect from the new approach and whether there will be any impact on their tasks. Likewise, there needs to be buy-in across an agency about the goals of Zero Trust, how it’s implemented, and the key steps needed to make it a success.
“Zero Trust will have an impact on the entire U.S. government by implementing cybersecurity in a whole new way, one where a user’s identity must be verified each and every time they need specific system access,” said Carver, who added this is a new approach that will change how agencies view cybersecurity.
“Moving forward, it will become part of what every agency does to protect their data and sensitive information.”