Smart talk plans

With initial plans submitted, federal agencies begin journey to zero trust

Take stock of current cybersecurity tools to see what will work

“There are a lot of existing things in your portfolio that you can take and apply to zero trust, but not today,” said Michael Epley, chief architect and public sector security strategist at Red Hat North America. .

That’s likely because of a second challenge, he said: understanding how to use and deploy zero trust.

“Zero trust is basically how you make access control decisions,” he said. “And how you make those decisions is a business decision. Most organizations don’t know how they make these existing decisions today, or it’s in someone’s head in IT. Zero trust says it’s not good enough anymore.

The Office of the Inspector General of the Department of Health and Human Services communicated the message behind zero trust – that it enables enhanced cybersecurity – to employees to help them buy into the idea.

“We’re big on zero trust. We’ve really worked with our customers, trying to help them understand it, trying to reduce their fear,” said CTO Nicole Willis. “It was a culture change.”

At the State Department, IT officials are taking stock of existing cybersecurity tools to see what elements can be integrated into a new zero-trust environment that will be posted around the world.

“Because we’re so dispersed, zero trust is a good thing. In many countries, we don’t trust the networks we work on,” said Landon Van Dyke, CTO of the Office of Management, Strategy and solutions from the State Department “It actually allows us to harden some activities that we wouldn’t have been able to do otherwise, under a traditional architecture.”

Among the tools the department is looking at are SD-WAN “and how we’re integrating that into a new architecture,” Van Dyke said, “as well as different kinds of security measures that we’ve kept as security blankets. “.

VIDEO: Learn how the Department of State is using smart building technology to make embassies more efficient.

IT experts must point out the danger of not embracing zero trust

Having a solid plan, like the ones delivered to OMB in March, is key to a trustless deployment, Sanders said.

“We all start the zero trust journey from different points,” he said. “A lot of them have a second factor, at least, as part of their authentication process, and some don’t. You need to understand where you are before you can start a journey.

“You won’t have all the money you need to go through with it. There is no end, there is no finish line. It’s just steady progress.

But without acceptance from government users — zero trust’s most important customers — even taking the first steps will be difficult, Sanders said.

“We have a responsibility on the security side of the house to communicate risk more effectively than we have done in the past,” he said. “That’s why we make the business decisions we make, because we don’t do a good enough job of explaining to business leaders why they should care more than they do.”

LEARN MORE: FedTech can guide you down the path to zero trust.