FCW Perspectives
Why zero trust is having a moment
Improved technologies and growing threats have agencies actively pursuing dynamic and context-driven security
Just a few years ago, zero trust security for federal systems was wishful thinking. The benefits were obvious, but actual implementation seemed inconceivable. Today, forward-leaning agencies are actively incorporating zero trust into their security models, and Federal Chief Information Security Officer Chris DeRusha has said the White House will push all federal agencies toward a "zero trust paradigm."
FCW recently gathered a group of IT leaders to explore why this long-discussed concept is now getting traction and how they are approaching what is still a somewhat daunting transformation. The discussion was on the record but not for individual attribution (see sidebar for the list of participants), and the quotes have been edited for length and clarity. Here's what the group had to say.
Old ideas but new capabilities
When asked for a baseline definition of zero trust, participants described the concept as "context-based least-privileged access" or "ICAM done right," referring to identity, credential and access management.
One security executive said, "I don't know why we can't just defer to the [National Institute of Standards and Technology's] Special Publication 800-207definition, which says right upfront that zero trust is all about moving away from static network-based controls on access to things and focusing instead on people, their devices and the resources they're trying to access. So it's a break from traditional thinking. We have to be a bit more flexible in the way we manage access to data and to the systems that manage that data."
Participants
Gerald Caron III
Acting Director of Enterprise Network Management, Bureau of Information Resource Management, Department of State
Alma Cole
Chief Information Security Officer, Customs and Border Protection
Sean Connelly
Trusted Internet Connections Program Manager and Senior Cybersecurity Architect, Cybersecurity and Infrastructure Security Agency
Larry Hale
Director, Strategic Solutions and Security Services, General Services Administration
Steven Hernandez
Director of Information Assurance Services and Chief Information Security Officer, Department of Education
La'Naia Jones
Deputy CIO, National Security Agency
Lisa Lorenzin
Director of Transformation Strategy, Zscaler
Allison McCall
Acting CIO, National Technical Information Service
Ranjeev Mittu
Branch Head, Information Management and Decision Architectures Branch, Information Technology Division, U.S. Naval Research Laboratory
Karim Said
Chief Information Security Officer, NASA
Drew Schnabel
Vice President, Federal, Zscaler
Steve Wallace
Systems Innovation Specialist, Emerging Technologies Directorate, Defense Information Systems Agency
Note: FCW Editor-in-Chief Troy K. Schneider and Staff Writer Justin Katz led the roundtable discussion. The April 9 gathering was underwritten by Zscaler, but both the substance of the discussion and the recap on these pages are strictly editorial products. Neither Zscaler nor any of the roundtable participants had input beyond their April 9 comments.
Another criticized the zero trust label itself, arguing that "it focuses us in the wrong place. We have to figure out what we can trust. And it's not just the people, it's not just the user, it's the entire context for the entire communications."
Part of the confusion about zero trust stems from the fact that it incorporates security concepts that have been around for a long time. "This is not some brand-new thing that has come out of the ether," one participant said. "Years ago, we talked about attribute-based access control."
The group agreed that the difference today is that zero trust looks beyond users to manage access control and aims for constant monitoring and a dynamic, data-driven response that would have seemed unworkable just a few years ago. "It's really about the technology and capabilities we have at our disposal now that we just didn't have before," one official said. "We have AI and machine learning available as a service in the cloud. When we think about zero trust, these have existed probably since the dawn of time, but how the technology has shifted and how we're able to leverage that technology are the real big drivers here."
Embracing those new capabilities, however, requires changes to the IT infrastructure and especially to the data agencies must capture and integrate. As one participant said, "It's important to highlight that because folks can say, 'We've been doing this for a long time. You just put a different label on it.' No, this is different because we're driving toward a future architecture that is better optimized for all the new capabilities that have been developed."
It's not just networking
Government's interest in zero trust originally focused on computer networking. Yet when the federal CIO Council asked ACT-IAC to explore the applicability of zero trust security in 2018, "it became apparent almost at light speed that it's bigger than the network," one official recalled. "We're talking about zero trust architectures, not just zero trust networking. Networking is a very critical subset of the discussion, but it's really about that architecture."
To illustrate that broader scope, consider the variables that can feed into a dynamic risk assessment, another official said. "I used a PIV card versus a username and password. There's a different risk to those things. Did I come in on a mobile device? Is it a managed mobile device? Am I coming from a known network?" The data being accessed can also be an important indicator and so can the individual user's overall performance or job status. "It's got to be ongoing authentication. You've got to keep checking."