Boosting the use of cloud services may be the answer to expanding implementation of zero-trust models of cybersecurity across Federal agencies and departments, Education Department CISO Steven Hernandez said at an ACT-IAC meeting today.
The zero-trust model takes an architectural approach to cybersecurity by providing a consistent security strategy for users accessing data that resides anywhere, and it creates a default standard of maintaining strict access control and never trusting any individual, even those within the network’s perimeter.
Although the benefits of zero trust are evident – better security, reduced breach impact, improved compliance and visibility, and potentially lower costs – Hernandez said that the uneven and diverse state of IT “maturity” across the government makes it difficult to create a zero-trust cybersecurity foundation on a Federal-wide level.
“Across the Federal landscape we have a huge variance and maturity amongst our agencies and departments,” Hernandez said. “Some departments are well in advance, leveraging many of the components we see in a zero-trust model. Others are struggling just to keep the network up and running.”
Other obstacles, he said, include difficulty in determining whether agencies and departments are providing shared services, how they’ll procure zero-trust solutions, and how they can implement compliance oversight.
But, Hernandez said, cloud providers are helping Federal agencies overcome barriers to adopting zero-trust models by already having them woven into cloud-based infrastructures.
“We look at our cloud providers,” Hernandez said. “They have a lot of great capability in this space already, especially when we’re talking about software-defined perimeters, the ability to orchestrate quickly in response to events. … This is kneaded into the very fabric of who they are, how they operate, so for us one of our major opportunities is understanding how we now leverage these fabrics and these cloud primitives that are just folded in to start moving toward some of these zero trust positions.”
Jeff Flick, National Oceanic and Atmospheric Administration (NOAA) enterprise network program director, added that with NOAA’s mobile and geographically dispersed workforce, moving services to the cloud has helped make data accessible to agency employees, but in a protected manner.
“As we’re looking to move things to the cloud … there’s a lot of things that we’re going to take advantage of there,” Flick said. “We’ve got a large cloud presence now. We’ve got exabytes of data within the agency when the public wants access to them. How do you get it out there in a protected way?” he asked.