Security, in the past, was built on fixed physical networks that allowed access to trusted individuals and kept untrusted individuals out. But as Federal agencies transform their digital environments and increase remote work, security measures have had to evolve, making zero trust architectures the new norm and identity the new perimeter.
During a virtual event hosted by GovCIO, Federal cyber experts explained that in a zero trust architecture, identity is the boundary; it is no longer the network.
Eric Mill, senior advisor on Technology and Cybersecurity to the Federal Chief Information Officer (CIO) at the Office of Management and Budget (OMB), emphasized that on the heels of President Biden’s Executive Order on Improving the Nation’s Cybersecurity, Federal agencies are working toward implementing a zero trust architecture. To help agencies achieve this, OMB published a zero trust mandate. The first pillar of the mandate is identity.
“Identity is a huge part of the OMB mandate. It is the first pillar of the plan because it is the foundation on which a zero-trust infrastructure stands,” Mill said. Specifically, the mandate states that agency staff must use enterprise-managed identities to access the applications they use in their work.
To meet this vision, the mandate directs agencies to:
- Employ centralized identity management systems for agency users that can be integrated into applications and common platforms;
- Use strong Multi-Factor Authentication (MFA) throughout their enterprise; and
- Consider at least one device-level signal alongside identity information about the authenticated user when authorizing users to access resources.
Additionally, as Federal agencies continue to improve cybersecurity measures under the President’s cyber executive order, cyber leaders must balance security and privacy concerns when rolling out identity management strategies.
Scott Davis, the acting chief information security officer for U.S. Customs and Border Protection (CBP), explained that at CBP, a key tactic in ensuring a balance between security and privacy is knowledge.
“We at the CBP receive annual training to understand not just the data that we are protecting but the privacy standards that we must uphold when protecting that data and providing access to people who need it,” Davis said.
Gerald Caron, CIO for the Office of the Inspector General at the Department of Health and Human Services, emphasized that identity management solutions are increasingly critical for Federal agencies as they move IT operations to cloud environments.
To implement identity management solutions properly, agencies must understand their workforce, according to Caron. In other words, they must understand who needs what information or access to applications, and when they need it.
“Identity in zero trust is about giving the right people the right information at the right time,” said Caron.
Additionally, Caron explained that open communication between the IT team and the rest of the enterprise is critical to successfully implementing identity management solutions. Part of his strategy for implementing these solutions was incorporating the entire workforce, ensuring they understand that zero trust and identity management are not just an IT thing but an agency-wide effort.