Jun 8, 2022
In 2021, President Biden signed an executive order mandating government agencies adopt zero trust. Guidance, however, is limited. Zscaler leaders sat down with public sector security professionals to hear about their approaches to zero trust.
In 2021, President Biden signed Executive Order 14028, “Improving the Nation’s Cybersecurity,” which mandates that all government agencies adopt a zero trust architecture. The National Institute of Standards and Technology (NIST) guides what this architecture should look like. However, many agencies are still searching for the best way to implement zero trust within their environment. Now a year later, on June 1, 2022, at the Zscaler CXO Summit, Public Sector Zero Trust Fundamentals, Zscaler leaders were joined by public sector security professionals to hear about their approach to zero trust.
I had the privilege of setting the stage with some myth-busting and clarity. In essence, you need to ask where your users are, and determine what applications and data you need to protect—then you’re well on your way to zero trust.
Keys to zero trust for public sector agencies
After my opener, we welcomed a panel of senior cyber professionals who discussed what it really means to adopt a zero trust architecture and shared best practices for doing so.
Michael Baker leads the IT transformation at DXC, a technology consulting firm for the government. He describes zero trust as the “strategy wrapper” around which you can package the five pillars of NIST—but how you do it will depend on the context you work in. In his role as IT CISO, he realized that “the number one thing a CISO has to do is define how to communicate this strategy as it relates to my own environment.”
On the cusp of implementing new zero trust technology, he prioritized these actions:
- Understand the operational impact: In order to measure productivity in a zero trust environment, establishing metrics around throughput is an essential guidepost. For example, Baker pointed to “a study DXC did on availability and throughput of Zscaler technology, which was on par with what we were producing and gave us much more telemetry.”
- Understand the endpoint impact: Baker points out that remote work has changed how we think about access—and endpoints have become the anchor of many security tools. A key question to ask: how will zero trust impact the performance of users’ endpoints?
- Understand the user experience impact: How do we protect users at all times? Baker knew that “specific user action won’t always happen, so we had to change the way we thought about connecting remotely. Zscaler allowed us to apply policies to users that they may have grown accustomed to not following.”
Security won’t work if it impedes performance
Cyber Portfolio Program Manager Rick Simon began the secure cloud management initiative at the Defense Innovation Unit in 2019: “Our objective was to efficiently collaborate with technology companies.”
He recalled their challenge when the Department of Defense (DOD) asked his organization to adhere to DOD security requirements. As he noted, “All of our business is in the cloud, which is impossible to do if you’re passing through a rigid perimeter like a cloud access point (CAP) at the DOD. We wanted to connect directly over the internet without passing through the CAP but still provide the same security and control.” After implementing Zscaler, he and his team surveyed their users and found that “92% experienced no added delay or minimal delay.”
Take into account the people factor
When embarking on the transformation to zero trust, David Cagigal, former CIO for the State of Wisconsin, stressed understanding the users, organizational culture, and staff skill levels. He added that a change in leadership might be needed to bring in the right experience to drive the zero trust initiative forward.
As a state CIO, he experienced first-hand the criticality of the infrastructure on everything downstream from the power grid. He cautioned leaders “to give careful consideration to the new environment they are building because not doing so is like building a castle on sand.” Cagigal continued, “Where we need to be is cloud-native and least privilege. It’s not for the faint of heart, but you’ve got to move from where you are to where you need to be—and, hopefully, with strong leadership.”
Scope and impact of the executive order
Zero trust is not a single technology or solution but rather a comprehensive approach to security. To implement it, you need multiple modern security technologies. At Zscaler, the executive order that brought this charter to the public sector didn’t change much about how we operate. “But it did affect our customers,” noted Stephen Kovac, Chief Compliance Officer and Head of Global Government Affairs at Zscaler. “We were already prepared and living in the zero trust world.”
The EO set out some bold statements, such as not relying on VPN, recommending the move away from traditional boundary protections, and allowing access to certain applications on the internet. These prescriptions challenged the traditional security environment at many government agencies.
Danny Connelly, CISO - AMS Central & Public Sector at Zscaler, recognized the difficulty: “Zscaler was built from the ground up based on real attack vectors with operational security at the forefront. It is a fine line to balance true operational security and compliance.” Kovac agreed: “Our environment is completely different from a standard security environment, and this allows us to answer compliance controls in a modern way and to educate auditors and consultants who look at it from a different view.”
Two key government programs will help facilitate zero trust transformation. As defined by the U.S. General Services Administration (GSA), the Federal Risk and Authorization Management Program (FedRAMP) is “a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.” The other program that advances zero trust is Open Security Controls Assessment Language (OSCAL), a set of formats that will enable machine-to-machine communication and help agencies move to a zero trust architecture faster. Kovac noted, “I’m proud to say that Zscaler has implemented OSCAL, and we will start transmitting our controls electronically, which will help FedRAMP tremendously.”
Leadership in a time of uncertainty
Lieutenant General Mark Bowman, former Joint Chief of Staff, J6/CIO and U.S. Central Command, is not new to adopting new technology in difficult times. He likened the current public sector modernization to a simple legacy technology replacement cycle and noted that innovation is what government agencies really need. He pointed out that “Innovation is finding a game-changing technology and implementing it, even if it meets only 70% of the stated requirements.”
Bowman argued that “Requirements are important, but we can’t wait on a perfect solution. Instead, we can continue to evolve over time.” He referenced the infamous Department of Defense (DOD) Joint Tactical Radio System (JTRS) program as an example of ballooning requirements and increasing costs, resulting in little to show for the effort and investment.
He urged agencies “to move, to lead…you can’t use challenging times as an excuse.” Bowman believes that there are three prerequisites to change:
- You have to really want to change and convince the C-suite that the organization must change.
- You need to run a pilot with a subset of the organization, starting with 10,000 seats or less.
- You need to find funds within a support contract or divert deprecated legacy technology.
Bowman offered a clear framework of choice when facing cybersecurity challenges:
- Clarity versus certainty: Make a decision when you have enough information. If you wait for absolute certainty you won’t have as many options.
- Trust versus invulnerability: Trust has to be earned, and when it is instilled in teams, the customer will take notice.
- Accountability versus popularity: Everyone should be accountable for what they do or don’t do.
- Conflict versus harmony: Choose conflict, take in and consider opposing views, make the decision, and execute.
Making bold changes
As President Biden stated in his executive order, “Incremental improvements will not give us the security we need. Instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
We heard from CIOs, CISOs, and a former Joint Chief of Staff on the importance of moving ahead in the face of uncertainty. Peter Amirkhan, Senior Vice President, Public Sector at Zscaler, closed out the summit by underlining the role that culture and leadership play in this transformation: “In 2020, we saw how fast agencies can move when bureaucracy was moved aside and, with all of our clients, there was always a change agent at the top involved in making this decision.”