Speaking during a FedInsider discussion March 23, Virginia CISO Mike Watson said that adopting zero trust could resolve many of the security concerns that have emerged as governments adopt more cloud services and rely on remote workforces.
“The framework, that is the answer to a lot of our security problems,” he said. “It’s not the panacea, there’s always a few things that won’t work, but I’m optimistic that that is how we end up protecting most of our data in the future.”
Traditional cybersecurity approaches envision strongly defending the perimeter around a government network. This is no longer enough to keep agencies and their assets safe now that data and users are spread across a variety of networks, many outside of agencies’ abilities to control and secure. That includes the clouds in which third-party services run as well as the various shared personal home networks or even public cafe Wi-Fi’s through which offsite employees might connect, Watson said.
A zero-trust approach abandons the idea of a secure perimeter and instead assumes that any person or device could be compromised. As such, zero-trust adherents need to rigorously authenticate all devices and users before granting them access to network services or data, as well as verify that users have all the necessary authorizations. The goal is to prevent bad actors who penetrate one part of a network from being able to expand to the rest of the enterprise and minimize the amount of damage they could wreak.
Organizations following zero-trust approaches authenticate a user every time they want to access a service, which can be a complicated task given the many techniques for faking identities in a digital space.
“It’s required us to come up with some very creative, structured mechanisms to say, ‘Look, I’m establishing trust based on an identity and then I’m taking that identity and trust and tying it to every transaction that I’m making,’” Watson said.
Users also should only be given the minimum amount of access needed to complete their tasks.
“If you only need Google, you’re only getting to Google,” Watson said. “If you only need to go to a news site — U.S. News and World Report — then that’s the only place you end up going.”
Converting to a zero-trust approach is a gradual process — but one likely to be worth the effort, Watson said.
INSIDER THREATS
Along with reducing the impact of external attackers, a zero-trust philosophy could help defend against internal ones, such as disgruntled former employees who might abuse any lingering account accesses, said Tim Roemer, Arizona CISO and director of the state’s department of Homeland Security.
Agencies that are carefully managing access controls would promptly disable accounts once they’re no longer needed, Roemer said.
For example, Roemer was already CISO when the state also appointed him director of its Homeland Security Department. The new responsibilities saw him shift into a different state department — with an email address changed to reflect this. Overnight, an automated tool triggered to lock him out of the email for his now-former department.
“Our IT team … said, ‘Oh, you had an automated ‘no longer employed here’ — we got rid of all of your access,’” Roemer recalled. “I was absolutely thrilled.”
GETTING ADOPTION
Implementing a zero-trust strategy doesn’t just mean identifying new approaches and the policies and tools to help achieve them. It also means making sure that all agencies get on board.
“One of the biggest challenges in government, though, is just making sure that you get all of your state agencies to adopt those tools. To download them, to use them, to configure them properly,” Roemer said.
Agencies can be wary of any changes. If IT departments can convince one other organization to use new tools, however, its experience can be shown off to doubting agencies as evidence of the improvements to be gained. And it’s essential that another agency — not IT — be the one demonstrating the value.
“You can’t do it from your own department, because they don’t trust you as much,” Roemer said.
Still, cajoling only goes so far and Roemer said IT agencies may need to resort to more forceful measures. That includes asking the governor’s office to compel agencies to use the tools purchased for them.
PRIVACY
States like Virginia are also striving to strike a balance between making use of the data they collect to give residents more convenient and relevant services and protecting the privacy of their data. One of the complexities is that there is a lot of disagreement over what kind of data should be private, Watson said.
Most people agree that sensitive personal details like social security numbers, personal identifiable information (PII) and health-care information are private. But information about the kinds of services an individual uses, the types of software or devices they use when accessing web portals and other details can also be revealing when compiled together into personal profiles, Watson said.
Questions linger over what information can be shared and whether it’s appropriate to proactively present site visitors with targeted services or information, for example. Disagreement among residents — and among states — about where to set the bar for privacy leaves officials without clear answers at times.
“Knowing whether it’s okay to do something like look up your driver’s license information from another agency within a state is a question that there’s not really a great answer for,” Watson said. “Some places are okay with it, some states are okay with it, some aren’t. And it makes it really hard to figure out where that line is.”
Agencies that hammer out their privacy philosophies also need to be vigilant about ensuring any third parties they work with — and any of those partners’ subcontractors or sub-vendors — uphold the same privacy standards as the government, he added.
