The enactment of zero trust cybersecurity policy — wherein, essentially, users are required to provide credentials at every new access point in a digital architecture — is an immense undertaking that comes with its share of long-term benefits. (The concept was ordered by the Biden Administration via Executive Order in May 2021 and its rollout for military components was clarified by the Department of Defense’s official Zero Trust Strategy in November 2022.) It’s a tough thing for an organization to wrap its head around, but for one that fully commits, doing so will very likely make things easier in the long run.
These were the general sentiments underlying a panel discussion between cloud and cybersecurity experts at ExecutiveBiz’s virtual Cloud Security Forum on March 22, moderated by Bob Schumm, vice president of national security at Oracle Cloud.
In addition to the panel, the proceedings feature a keynote address by acting DOD Principal Deputy Chief Information Officer David McKeown.
Panelist Steve Pitcher, a senior cyber survivability analyst at Joint Staff J6, remarked how siloed and “fragmented” some DOD Issuances or DODIs are, pointing to zero trust as a way to simplify and adopt a unified response across the department’s arms and entities.
“We’ve got over 40 DODIs that were updated with cyber equities in 2019 to 2021 with very little real coordination across all of those stove pipes. Right now, we have an opportunity with zero trust to try and get this formally coordinated, make sure that we’re getting the best business practices across all of the services integrated into this,” Pitcher commented.
He went on to suggest that overwhelmed program managers, besieged by the requirements of DODI guidance, might benefit from the standardization of zero trust.
Grant Dasher, architecture branch chief for the Office of the Technical Director at the Cybersecurity and Infrastructure Security Agency, gave insight into the unique opportunities he sees zero trust as providing for CISA.
As a fairly young organization, CISA, he feels, can use zero trust implementation as a chance to “lean into embracing cloud, embracing modern identity, try[ing to] create a more secure foundation in terms of those foundational services and components that we can build on as our mission grows and expands into the future.”
While the zero trust mandate initially presents a “shockingly large” list of demands, according to Shane Barney, chief information security officer of U.S. Citizenship and Immigration Services, it allows USCIS to focus on crucial issues like requesting identity and gauging who is present on a network and what their authorization level is, across devices, services and application programming interfaces. Barney also said zero trust draws attention to secrets management and certificate automation.
That being said, the USCIS CISO was sure to note the significant financial and data burdens that zero trust imposes. Prior to embarking on its “cloud journey,” he said, USCIS was processing maybe half a terabyte of log data daily, but as its cloud footprint has increased, its log volume has grown exponentially to a current rate of about eight terabytes per day. By the time more zero trust strictures are put in place in a year’s time, he estimates the agency will be handling somewhere near 20 terabytes per day.
Given these considerable demands, Barney identifies zero trust adoption as an unending process.
“Zero trust is not a ‘one and done.’ It’s a journey. It’s going to be something that we’re going to be doing, not just today and tomorrow. It’s going to be something we’ll be doing forever,” Barney stated.
Colonel Michael Smith, director of the Army Functional Management Office for Zero Trust at the U.S. Army Cyber Command, agreed, describing zero trust as having “no end state. It’s a journey that we are all on together.”
Smith framed zero trust implementation as a hugely collaborative process that brings in partners throughout the government, as well as from academia and commercial industry. He mentioned how the Joint Warfighting Cloud Capability contract, which harnesses the resources of Microsoft, Amazon Web Services, Google and Oracle, is “really accelerating our ability to achieve our ZT directives.”
Closing, Smith brought into focus the ultimate goal of zero trust: to better protect digital assets against “a very determined adversary.”
“The partnerships that we create…are just so important for all of us to learn faster together to defeat that enemy,” Smith resolved.