Federal agencies are emerging from a tough season of security vulnerabilities – SolarWinds and Log4j among them – knowing that bad actors are changing their game plans. At the same time, agencies are improving their cyber playbooks with zero trust guidance from the White House, the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), and others.
Wayne Lloyd, Federal chief technology officer at RedSeal, likens the zero trust movement to the quest to become a Super Bowl-winning team. It’s about relentless improvement. MeriTalk sat down with Lloyd to discuss the current state of play as agencies work to meet the zero trust mandate and how industry organizations can help.
MeriTalk: What has changed in how Federal agencies approach zero trust and cloud security since before the pandemic, and since the president’s executive order on cybersecurity?
Lloyd: When the concept of zero trust was introduced in 2010 by John Kindervag at Forrester Research, it was largely just a concept. Pockets of cybersecurity professionals – CIOs, CISOs, and thought leaders – were saying, “This is probably something we should be doing,” but then, how do you go about doing it? Even with the current mandate, we’re seeing a lot of questions surrounding what zero trust is and how it can be implemented. Everyone is trying to get up to speed on what it is.
MeriTalk: Are you seeing some successes as agencies move toward zero trust and cloud security? What may be holding them back?
Lloyd: I see success in the acknowledgment that agencies are going to move forward with zero trust. People are putting a great deal of effort into trying to accomplish what is now required of them. One of the things making zero trust so enticing is the concept of the cloud, because capabilities that are required for zero trust, including microsegmentation and identity access management (IAM), are already built in. This makes zero trust much easier to accomplish in the cloud versus in agency on-premises data centers.
The problem is that a lot of things will never be able to go into the cloud. Think of a hospital – you can’t put an MRI or an infusion pump in the cloud, and those are all network connected today. The main issue holding government and industry back from implementing zero trust is the difficulty of implementing capabilities like IAM and microsegmentation on their still very necessary on-premises legacy networks.
Ultimately, agencies are going to implement zero trust, despite the challenges. They are going to need a combination of policies, culture shift, and technology to successfully implement zero trust on premises.
MeriTalk: It really will be a different way of working.
Lloyd: Exactly. At the heart of it, zero trust is the basic principle of least privilege, and implementing it is a culture shift for most people. For those with open networks who are accustomed to being able to freely share or access information, zero trust will be a different experience. It doesn’t mean you won’t be able to access things easily, just that you’ll only be able to access things you’re supposed to have access to.
From an implementation perspective, it really boils down to doing unglamorous things like getting an inventory of not just your equipment, but all your applications and everyone who has access to your organization’s network. And looking at business units and making sure that they can only access certain equipment and applications. In the process, you end up creating a whole group of people who are going to keep track of access permissions across the organization. There’s nothing glamorous about this. It is all just rigor.
MeriTalk: Not only are your end users working differently, but your IT shop is also working differently because they have different responsibilities.
Lloyd: Right. I think of the movie American Underdog, about Kurt Warner, the walk-on for the St. Louis Rams who later became the MVP of Super Bowl XXXIV. At the beginning of the movie, he talks about how millions of kids play football, and out of those millions, only a few thousand play college ball. Out of those thousands, only a few hundred play for the NFL, and out of those hundreds, less than 1 percent make it to the Super Bowl – much less win it.
In the context of zero trust, most organizations are doing cybersecurity at a middle school football level. Middle school football players use the same fundamentals that NFL players use – NFL players are just much, much better at them. That’s what zero trust is – pushing people to get much better at what they already know they’re meant to be doing.
MeriTalk: OMB’s zero trust memo requires agencies to maintain a complete inventory of every device they operate and authorize for government use – and be able to prevent, detect, and respond to incidents on those devices. Just how big of a job is that?
Lloyd: It’s big. And I feel badly for anyone who needs to do it.
Our company surveyed CEOs three or four years ago, asking if their organizations knew everything connected to their network. Seventy percent of them said yes. But 100 percent of our RedSeal deployments found that was untrue.
RedSeal brings all network environments – public clouds, private clouds, and on-premises – into one comprehensive, dynamic visualization. We always, always find things that our customers are unaware of. We had a commercial customer who swore up and down that their company only had nine virtual private clouds (VPCs). We connected to their infrastructure and found that they had more than 800. They didn’t take into account that any executive with a credit card can spin up a VPC.
MeriTalk: It’s like shadow IT to the nth degree.
Lloyd: Yes. That’s why agencies will need automation. Going to the financial department and asking to see everything the agency has purchased won’t work – a purchase can just show up as a line item on a credit card bill, not necessarily a license you submit and renew.
Then there’s the issue of multiple clouds – something many organizations push for as they don’t want vendor lock-in – but does your agency’s Azure team understand AWS? If not, your agency needs AWS experts. Does your AWS team understand Google Cloud? If not, you’ll need Google Cloud experts. Without that expertise, you can’t understand what you have. Kubernetes, pods, and containers add to the complexity. Not only do agencies need to identify the physical equipment and the people, but they also must identify the applications. And what if those applications are only there for five minutes?
This is a huge, monumental task, which is why it hasn’t been done. People talk about it the way they talk about world peace – it would be great, but it’s never been done because it’s so hard. But just because it’s hard doesn’t mean we shouldn’t try. That’s why OMB’s memorandum calls it “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” not THE zero trust architecture. They know it’s a journey.
That said, lots of technologies, including RedSeal, can certainly help with the process.
MeriTalk: OMB is also requiring agencies to segment their networks around individual applications. You’ve touched on how challenging that can be. Why is that so important, and what should agencies keep in mind as they’re trying to do this?
Lloyd: Segmentation is designed to prevent bad actors from moving laterally through the network, as well as keeping specific things from being able to speak to one another. Once you reach the level of a mid-size enterprise, that can be challenging to keep track of – much less a large enterprise. Agencies need to keep in mind that segmentation is too big for humans to keep track of on a regular basis.
They are going to want continuous monitoring that’s as close to real time as possible. They’re going to need automation that can ensure segmentation is constantly in place. Today, once authorizations to operate are granted, agencies will check on the controls once or twice a year to make sure they’re in place.
Now imagine I have something that could check those controls every week, or even every day. That’s certainly closer to real time than a year, and it frees up time for employees to devote to other critical tasks.
For example, we worked with a customer that needed to comply with specific Department of Defense standards that required network segmentation. They hired five contractors, thinking one of those contractors would determine if they were meeting those requirements once a week. After two years, they discovered that it was taking all five contractors every day to say, “We don’t know.”
They brought in RedSeal, we showed them what to do, set it up, and within three weeks they were able to identify whether they were compliant or not. That freed the entire five-person team to go and do what they were originally hired to do, but never could. That’s automation.
MeriTalk: Agencies are also required to have a complete understanding of all Internet-accessible assets. They have their own data, and CISA and GSA will provide agencies with data as well. What can agencies do to make sure they are tracking every asset accurately and reliably?
Lloyd: CISA will be scanning agencies’ Internet presence to identify if anything is exposed and providing that information to the agencies so they can take action. That’s excellent. The challenge is getting full coverage. It’s great to look from the outside in, but agencies will need to look from the inside out as well. They’ll need something that can sit inside their networks and tell them all the available access paths into, out of, and across their networks.
Imagine walking around a house and seeing that an upstairs window is open. It’s hard to access – maybe that’s why the window is open. Nobody’s worried about it. But only looking from the outside in means agencies will get a report that says, “There’s an opening in your perimeter,” and rush to resolve an issue that may not be a big deal – all while they have a backdoor that’s closed but unlocked. Which vulnerability is more dangerous? That’s what the inside-out view will tell them.
MeriTalk: Tell us more about your process when working alongside Federal agencies to achieve zero trust and cloud security. Then, do you have any final words of advice for agencies on the zero trust journey?
Lloyd: Zero trust has surfaced in every meeting we’ve had with Federal agencies since the OMB memorandum came out. They’re asking all the right questions: “What should we be thinking about?” “What should we be doing?” Right now, we’re acting as consultative counsel to help agencies understand zero trust.
No technology is a silver bullet, and much of the journey toward zero trust is about people and processes, not technology. It comes down to understanding that this is all about least privilege and helping agencies move toward NFL-level cybersecurity. RedSeal can help from a network, inventory, and exposure perspective.
When thinking about the technology, my advice is to make integration a priority. Some large vendors will try to sell you lots of tools, but many times, the tools came through acquisitions and the vendor never got around to integrating them tightly together. Integration is essential for a holistic view of your network and everything connected to it, and to speed remediation of vulnerabilities.