Implementing a zero trust architecture is a must for all Federal agencies, but how that architecture is implemented relies heavily on the operational and business needs of an individual agency.
At the Department of Homeland Security (DHS), implementing any sort of zero trust framework means adding security measures not just around the outside of a network, but on the data and user access as well, a senior DHS official said on August 15 at an event organized by Nextgov/FCW.
Kenneth Bible, the chief information security officer (CISO) at DHS, explained that for a long time Federal agencies sought to protect networks with investments in what many cyber experts refer to as the “castle and moat” security framework.
“We saw it as our job to identify, protect, detect, and react to network intrusions, building bigger and higher walls around their information governance,” he said. That mindset “put our focus on the outside of our networks, while within our networks, users had free and clear access to discover, connect, and use most of our resources.”
“While we assumed that our job was mainly to keep the bad guys out of the network, our network-centric defenses have not been able to keep up with the pace of the threats,” Bible added.
DHS is continuing to invest in exterior security for its network while simultaneously adopting a data-centric approach in which identity security measures are critical, and it is working to grant a user access to information on a per-session basis. The agency connects identity and user behavior with device and network security.
“We’re looking at behaviors and comparing them to known attack vectors and known patterns of regular behavior and stopping what seems suspicious even when our traditional static firewall rules would not happen,” the CISO said.
According to Bible, identity is increasingly a target of choice for bad actors. Therefore, DHS strives to “lock down more networks and systems by identity,” by zeroing in on making user credentials more secure and harder to steal.
However, implementing any sort of zero trust security measure – including identity security – should not mean moving away from providing an excellent customer experience. In cybersecurity discussions, a frequent question is how security measures impact customer experience.
“As an agency, we need to manage and balance customer experience with privacy, security, and identity security,” Bible said.