Bryan Rosensteel has spent more than a decade working with identity in the Federal government. As a Federal solutions architect at identity services provider Ping Identity, he advises government agencies on best practices for deploying zero trust security architecture. When President Biden issued the Executive Order on Improving the Nation’s Cybersecurity (EO), Rosensteel was positively giddy about its potential to transform the way government secures data and operations. MeriTalk sat down with Rosensteel to explore the letter and the spirit of the EO, how centralized identity, credential, and access management (ICAM) can help agencies get to zero trust, and why agencies shouldn’t inherently trust anything – not even technology.
MeriTalk: The cybersecurity EO establishes substantial requirements for agencies – among them, to accelerate the move to secure cloud services and to implement zero trust security architecture. What do you see as the “low-hanging fruit” in the EO?
Bryan Rosensteel: One low-hanging fruit is multifactor authentication (MFA), implemented everywhere in government. The good news is that Federal agencies already have roughly two decades of investment, if not more, in multifactor authenticators. And today, a suite of tools enables agencies to connect public key authenticators, common access cards, and other smart cards to almost every type of application, so agencies should be able to fill gaps in their authentication fairly easily.
MeriTalk: What can agencies do to ensure a smooth enterprise-wide MFA implementation, especially when they are modernizing legacy environments?
Rosensteel: The name of the game is coexistence. New technologies should be able to coexist with legacy technology so that the transition to new technology is as seamless for the end user as possible.
For example, a transparent, smooth implementation of MFA would have users going to the landing page where they usually log in, and they get redirected on the back end to the modern technology. Agencies transition one application at a time, until they have accounted for all user populations and applications and everything’s running on the new technology. Then they can turn off the legacy technology, and users are never aware of the switch.
MeriTalk: What are the biggest challenges agencies will face as they work to meet the letter and the spirit of the executive order?
Rosensteel: The EO says agencies need to understand and classify the sensitivity of all data in the organization’s control, which is incredibly important, but it’s a massive undertaking. That will probably be one of the largest challenges.
I’m glad it is in the EO, because as agencies start identifying their data by sensitivity, they have a blueprint for establishing modern, attribute-based access controls (ABAC) that are appropriate for the level of sensitivity of the data.
MeriTalk: Why are traditional approaches to authentication inadequate in the move toward zero trust?
Rosensteel: Identity silos are the first thing that comes to mind. By the way, they are almost an inevitable result of any mature enterprise. In the traditional approach, an agency builds an application for a specific purpose, and it has its own user store, which may or may not work within its broader identity landscape. The focus is on the immediate mission.
That’s how situations arise like the Colonial Pipeline attack. Colonial Pipeline had an administrative account on a legacy VPN that had not been used for some time, and yet it was still active. There were other problems as well, but that account was still active because of the traditional, fragmented approach. Zero trust enables centralized user stores and policy enforcement, and it enables ABAC. ABAC moves beyond traditional, coarse-grained authentication – username and password, physical possession of a smart card, and access to a private key – to dynamic authentication that takes physical and logical access into account. It sounds impossible on paper, but it’s not when we have master user records.
MeriTalk: How much is the cybersecurity executive order going to help solve the problem of identity silos?
Rosensteel: If an agency can identify all of the data in its environment, along with the sensitivity of that data, it is going to be able to identify identity silos. The logical assumption is that the agency will break those silos. The agency can also understand the attributes that allow specific users to gain access to specific data. I get giddy about this: It’s a framework by which we can get to where we want to be: least privileged access. It’s where we are not over-provisioning accounts. If people follow the EO as it’s written right now, they have the blueprints for implementing very strong zero trust architecture based upon technology that exists today.
MeriTalk: How can agencies use identity technologies to support their ability to detect and respond to cyber threats, as required by the EO?
Rosensteel: With zero trust, everything needs to prove itself. That means we need to build technologies into our workflows that look at what is happening during and after authentication.
For example, we need to be able to see what’s happening during federated single sign-on (SSO). We want to trust our SSO, but that trust comes from constant, reliable transparency. We need to monitor the tokens being issued during a session. Are more attributes being put into a token than normal? Is least privileged access being granted, and if not, why? If agencies are not asking those questions, they are creating an area of blind trust that goes against the notion of zero trust.
MeriTalk: And artificial intelligence and machine learning can help identify anomalies during authentication in near-real time.
Rosensteel: That’s right. If an authentication event behaves one way every day, and users who log in are given the same permissions or attributes within the token session, but suddenly that authentication looks different, why? Machine learning can identify anomalies within nanoseconds – far faster than humans. Part of the process is monitoring, and part of it is remediation.
MeriTalk: The EO directed agencies to update their plans in order to prioritize resources for adoption and use of cloud technology. Thinking about ICAM specifically, what should those plans include?
Rosensteel: Agencies are going to want to think about dynamic deployment and management strategies – for example, containerization, automation, and DevOps shops that build identity workflows into the creation and management of applications. Identity and access management should be built in, not bolted on.
MeriTalk: What should agencies look for when they’re evaluating technologies that can help them move to cloud services faster or implement zero trust architecture?
Rosensteel: The most important criterion is open standards. We need interoperability across the board. We can’t continue to build custom solutions that can’t interact with other applications.
This also means we should incorporate existing ICAM solutions. The Federal government has two decades of investment in some of the best ICAM technologies. Let’s leverage those! We shouldn’t be telling users that we’re standing up a new solution and we have to do yet another enrollment. No one wants that, and we don’t have to do that.
MeriTalk: What’s often overlooked in the transition to zero trust?
Rosensteel: As much as I’d love to talk about technology, a bigger gap is almost always overlooked – the people themselves and the culture. I’m going to pick on myself a bit. Early in my career, I often quoted one of the prominent directors in the Federal government: “Security is often inconvenient – too bad.” I loved that quote, but as I matured in my career, I realized it was painfully wrong. It was the exact opposite of the way we need to approach security, because if we make it painful, people are going to find clever ways to circumvent it.
Agencies need to pay as much attention to their culture, people, and security mindset as they do to the technology itself. If people are not using security tools correctly, they might as well not be using them at all. Some guidance has addressed this lightly, but we really haven’t seen enough attention on people and culture.
MeriTalk: How is Ping Identity especially well-suited to help agencies fulfill the requirements of the EO?
Rosensteel: Ping Identity has been involved in the development of many open standards, either from the beginning or from very early on. Our components are built around open standards and play well together. And we understand that it’s not just about single sign-on – it’s about providing a holistic solution that includes threat detection built into workflows. We provide tools to aid that development as well.
Most importantly, we understand that it’s not just about Ping. We bring our identity technologies and other tools into a cohesive ICAM solution that can be deployed in any environment – on premises, cloud, hybrid, even air-gapped data centers.
Boiled down, Ping Identity helps centralize policy enforcement in diverse, mature enterprise environments. We understand that agency network components, identity components, and data components all need to work together in order to provide better visibility into the agency’s security posture. That’s one of the reasons why we ensured Ping was a part of the Continuous Diagnostics and Mitigation program.
MeriTalk: What’s your bottom-line assessment of the EO?
Rosensteel: Ultimately, I’m incredibly excited by the EO. It’s what we need. While agencies were already addressing some of the requirements it lays out, the EO is important because it provides a solid baseline for improved cybersecurity across the Federal government. The only other thing I’d like to see is a strong enforcement mechanism. The EO is only going to be as good as the enforcement of it, but I’m optimistic and excited to see where it leads. For more information on how to meet the requirements of the EO, check out our blog post.