"Navigating the Federal Zero Trust Data Security Guide" panelists included, from left: Heidi Shey, Jason Snyder, Steven Hernandez, Anne Klieve, and Gouri Das. Brian T. Horowitz
The recent Forrester Security & Risk Summit in Baltimore featured government cybersecurity officials discussing a newly published guide on zero trust and evaluating the next steps for the security model.
In fact, Forrester is known for introducing the zero-trust security model back in 2009. The motto "never trust, always verify" suggests a least-privilege approach. Former Forrester analyst John Kindervag, now a chief evangelist at Illumio, was an initial champion of zero trust.
In a Dec. 10 panel, cybersecurity leaders discussed "Navigating the Federal Zero Trust Data Security Guide," which the federal CISO and CDO Councils published on Oct. 31. The guide, developed by 70 people from more than 30 federal agencies and departments, offers a breakdown of how government agencies and organizations should think about data risks. The goal is to provide a practical guide on how to implement zero trust.
During the session, Steven Hernandez, CISO at the US Department of Education and co-chair of the US federal CISO Council, discussed how the guide could teach federal and private-sector cybersecurity professionals to think from both a zero-trust and a data perspective.
"It's interesting because we talk about how to harness data, so we use a lot of behavioral analytics and logs from our systems, etc.," Hernandez told the audience. "That's one side of the coin, but the other side of the coin is how we protect data using zero trust principles, technologies, and operations, and in the data management section, we're going to have to basically straddle both of those platforms to be successful."
Anne Klieve, management analyst in the Office of Enterprise Integration at the US Department of Veterans Affairs, agreed that a goal of the guide was to create a document that both the data and security communities could understand.
"It was about creating a guide that would be readable to both the cybersecurity and data communities, and specifically looking at how separate even the jargon was for both communities," Klieve said during the session.
Massachusetts CIO Jason Snyder said he appreciates how the guide can move federal agencies and organizations beyond merely understanding the architecture of zero trust to actually doing something with it. He also said Massachusetts was at "ground zero" as far as zero trust is concerned.
"One of the things I really liked about the guide was its primary focus is data, and when you talk about zero trust, I think that is the right area of focus," Snyder said during the panel. "So, what we're doing within Massachusetts is really driving forward from a data perspective and better understanding our data, better understanding different types of data we have, and then working on ways to protect that data."
Heidi Shey, principal analyst at Forrester and co-moderator of the panel, sees the guide as applicable to organizations beyond state and federal government. For example, the panelists plan to add a section on supply chain risk.
In an interview following the session, Shey told InformationWeek that the guide can help organizations stop operating in silos when it comes to data and security.
"We're talking about really embedding data security controls throughout that entire life cycle and thinking about how we manage data and how we protect it in a much more holistic way, so that these two functions within organizations are not operating as siloed functions anymore the way they historically have been," Shey said. "I think that's one of the big takeaways from this guide that people can use to help bring these two groups together on zero-trust data security."
Klieve recommended that organizations use the guide to create a zero-trust data implementation road map based on general program management principles. This would include a maturity analysis and gap assessments. After that, organizations could implement their programs as they planned, including examining finances, examining risks, and managing performance. However, she noted that C-suite leaders such as the CISO and chief data officer would need to be consulted on how the budgets would be allocated.
Chapter 4 of the guide has a placeholder for the topic "Manage the Data." Klieve would like to see this chapter filled with a discussion of alignment of data management to data security as well as how to use data management to minimize data breaches. In addition, the chapter should cover the interaction between data engines and machine learning as it relates to data security, according to Klieve. That includes preparing data for machine learning models.
"This will become a key document I just keep on my desk all the time," Klieve said. "I really want to see it kept up to date."
Hernandez said work on the Zero Trust Data Security Guide is in a holding pattern until late January, but then his team will brief the incoming administration on "the overall status of all things cybersecurity." He also said the CISO council could add a zero-trust section to the National Institute of Standards and Technology's Special Publication 800-60, which provides guidelines on how to map data to security systems.
Meanwhile, in another Dec. 10 panel, "Next-Level Your Zero Trust Initiative," panelists from the federal government as well as GE Aerospace addressed how government agencies and the private sector can move forward with zero trust.
Eric Poulin, senior director for cybersecurity technology strategy and management at GE Aerospace, told the audience that applying the same zero-trust initiatives to all teams would not work.
"You can design a master zero-trust plan, but at the end of the day, you just try to put one blanket zero-trust plan, you're going to end up alienating certain individual business lines," Poulin said.
At the Department of the Interior, zero-trust program manager Lou Eichenbaum has built a "zero-trust community of practice" over three years, he told the audience. The department respects the separate missions of areas such as the National Park Service, and they all have input into how the department approaches zero trust.
Brandy Sanchez, director of the Zero Trust Initiative at the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security, stressed the importance of incorporating zero trust in all layers.
"It needs to be part of every decision and every organization," Sanchez said. "Any time you buy software, any time you're procuring something, any time that you're developing a system, all of that has to [incorporate] zero trust as the foundation."
The challenge going forward in zero trust will not necessarily be in technology but in people and processes and getting buy-in from leadership and making sure all teams are aligned, according to Carlos Rivera, the panel's moderator and a senior analyst at Forrester.
"It's not just an IT and security initiative; it's an organizational initiative," Rivera told InformationWeek following the session. "So getting those individuals involved, such as leads from HR, leads from finance, and getting a better understanding of what impacts them and what's important to them, and how do we enable their business and allow them to leverage certain technologies [but] not at the expense of security, that's really where the success will come."
Because there are multiple maturity models, Sanchez and her team are working with the Department of Defense on zero-trust guidance.
"Words are important, and when we say one thing and another agency is interpreting that in a different way, it causes confusion," Sanchez explained during the panel. "So anywhere that we can align, and that we can harmonize what we're doing, what others are doing, and get everyone on the same page across the federal government, that's where we want to head."
Rivera said organizations have achieved maturity in zero-trust strategy and planning, and are now moving to implement zero trust in their operations.
Sanchez sees the federal government providing more technical deep dives and how-tos around zero trust in the next year or two. Her team will be releasing publications on enterprise mobility and micro-segmentation. Going forward, Sanchez would like to see government agencies focus more on implementing zero-trust strategy based on their risk environment rather than just checking a box.