WWW.INFORMATIONWEEK.COM
Forrester Panel: Government Cybersecurity Leaders Discuss Next Steps for Zero Trust
The recent Forrester Security & Risk Summit in Baltimore featured government cybersecurity officials discussing a newly published guide on zero trust and evaluating the next steps for the security model.

Forrester is known for introducing the zero-trust security model back in 2009. Its motto, "never trust, always verify," describes a least-privilege approach. Former Forrester analyst John Kindervag, now chief evangelist at Illumio, was an initial champion of zero trust.

In a Dec. 10 panel, cybersecurity leaders discussed "Navigating the Federal Zero Trust Data Security Guide," which the federal CISO and CDO Councils published on Oct. 31. The guide, developed by 70 people from more than 30 federal agencies and departments, offers a breakdown of how government agencies and organizations should think about data risks. The goal is to provide a practical guide on how to implement zero trust.

A Holistic View of Data and Security

During the session, Steven Hernandez, CISO at the US Department of Education and co-chair of the US federal CISO Council, discussed how the guide could teach federal and private cybersecurity professionals to think from both a zero-trust and a data perspective.

"It's interesting because we talk about how to harness data, so we use a lot of behavioral analytics and logs from our systems, etc.," Hernandez told the audience. "That's one side of the coin, but the other side of the coin is how we protect data using zero trust principles, technologies, and operations, and in the data management section, we're going to have to basically straddle both of those platforms to be successful."

Anne Klieve, management analyst in the Office of Enterprise Integration at the US Department of Veterans Affairs, agreed that a goal of the guide was to create a document that both the data and security communities could understand.

"It was about creating a guide that would be readable to both the cybersecurity and data communities, and specifically looking at how separate even the jargon was for both communities," Klieve said during the session.

Massachusetts CIO Jason Snyder said he appreciates how the guide can move federal agencies and organizations past understanding the architecture of zero trust to doing something with it. He also said Massachusetts was at ground zero as far as zero trust is concerned.

"One of the things I really liked about the guide was its primary focus is data, and when you talk about zero trust, I think that is the right area of focus," Snyder said during the panel. "So, what we're doing within Massachusetts is really driving forward from a data perspective and better understanding our data, better understanding different types of data we have, and then working on ways to protect that data."

Heidi Shey, principal analyst at Forrester and co-moderator of the panel, sees the guide as applicable to organizations beyond state and federal government. For example, the panelists plan to add a section on supply chain risk.

In an interview following the session, Shey told InformationWeek that the guide can help organizations stop operating in silos as far as data and security are concerned.

"We're talking about really embedding data security controls throughout that entire life cycle and thinking about how we manage data and how we protect it in a much more holistic way, so that these two functions within organizations are not operating as siloed functions anymore the way they historically have been," Shey said. "I think that's one of the big takeaways from this guide that people can use to help bring these two groups together on zero-trust data security."

Klieve recommended that organizations use the guide to create a zero-trust data implementation road map based on general program management principles. This would include a maturity analysis and gap assessments. After that, organizations could implement their programs as planned, including examining finances, examining risks, and managing performance. However, she noted that C-suite leaders such as the CISO and the chief data officer would need to be consulted on how budgets would be allocated.

Chapter 4 of the guide has a placeholder for the topic "Manage the Data." Klieve would like to see this chapter filled with a discussion of aligning data management with data security, as well as how to use data management to minimize data breaches. In addition, the chapter should cover the interaction between data engines and machine learning as it relates to data security, according to Klieve. That includes preparing data for machine learning models.

"This will become a key document I just keep on my desk all the time," Klieve said. "I really want to see it kept up to date."

Hernandez said work on the Zero Trust Data Security Guide is in a holding pattern until late January, but then his team will brief the incoming administration on the overall status of all things cybersecurity. He also said the CISO Council could add a zero-trust section to the National Institute of Standards and Technology's Special Publication 800-60, which provides guidelines on how to map data to security systems.

The Next Level for Zero Trust

Meanwhile, in another Dec. 10 panel, "Next-Level Your Zero Trust Initiative," panelists from the federal government as well as GE Aerospace addressed how government agencies and the private sector can move forward with zero trust.

Eric Poulin, senior director for cybersecurity technology strategy and management at GE Aerospace, told the audience that applying the same zero-trust initiatives to all teams would not work.

"You can design a master zero-trust plan, but at the end of the day, if you just try to put one blanket zero-trust plan, you're going to end up alienating certain individual business lines," Poulin said.

At the Department of the Interior, zero-trust program manager Lou Eichenbaum has built a zero-trust community of practice over three years, he told the audience. The department respects the separate missions of components such as the National Park Service, and they all have input into how the department approaches zero trust.

Brandy Sanchez, director of the Zero Trust Initiative at the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security, stressed the importance of incorporating zero trust in all layers.

"It needs to be part of every decision and every organization," Sanchez said. "Any time you buy software, any time you're procuring something, any time that you're developing a system, all of that has to [incorporate] zero trust as the foundation."

The challenge going forward in zero trust will not necessarily be in technology but in people and processes: getting buy-in from leadership and making sure all teams are aligned, according to Carlos Rivera, the panel's moderator and a senior analyst at Forrester.

"It's not just an IT and security initiative; it's an organizational initiative," Rivera told InformationWeek following the session. "So getting those individuals involved, such as leads from HR, leads from finance, and getting a better understanding of what impacts them and what's important to them, and how do we enable their business and allow them to leverage certain technologies [but] not at the expense of security, that's really where the success will come."

Because there are multiple maturity models, Sanchez and her team are working with the Department of Defense on zero-trust guidance.

"Words are important, and when we say one thing and another agency is interpreting that in a different way, it causes confusion," Sanchez explained during the panel. "So anywhere that we can align, and that we can harmonize what we're doing, what others are doing, and get everyone on the same page across the federal government, that's where we want to head."

Rivera said organizations have now achieved maturity as far as zero-trust strategy and planning are concerned, and they are now moving to implement zero trust in their operations.

Sanchez sees the federal government providing more technical deep dives and how-tos around zero trust in the next year or two. Her team will be releasing publications on enterprise mobility and micro-segmentation. Going forward, Sanchez would like to see government agencies focus more on implementing zero-trust strategy based on their risk environment rather than just checking a box.

"You need to take an adversarial approach where you are looking at zero trust because that's what the bad guys are doing, right? They want to get in; they want to get your information," Sanchez said. "And so taking a strategic approach based on that view is where you can change the script, and that's really where we're trying to push agencies towards, is keeping that in mind and managing at the risk level, versus just checking the box because that's not going to get us near the goal."