While a zero trust architecture is only required for federal agencies, state and local chief information security officers are considering ways the buzz around the strategy can help them boost their cybersecurity posture and prepare for a zero-trust future.
While state and local governments are not required to implement zero trust, their chief information security officers are watching how federal agencies roll out their programs and positioning their enterprises to be ready, according to CISOs speaking at an April 20 ATARC cybersecurity panel.
“Whenever the federal government does something, we obviously want to pay attention and we want to be in lockstep,” said Lester Godsey, CISO of Maricopa County, Arizona. “And frankly … it's additional fodder for me to go back to my management and say this is something we need to pursue.”
For Maricopa County, the timing of President Joe Biden’s cybersecurity executive order 14028, which requires federal agencies to accelerate zero trust, has been fortuitous. The county has been re-evaluating its enterprise network holistically and looking at identity and access management – for users, devices and services. “As a result, we're baking in the need to migrate eventually to zero trust-based enterprise network,” Godsey said.
A zero trust security posture will also help with insider threats, he said.
“If we can get our arms around identity, then we have a better basis by which we can then determine if there's anomalous behavior,” he said. “Our success along those lines is going to be predicated by our ability to make that zero trust journey for the enterprise as a whole.”
“The journey for zero trust is ongoing,” said North Dakota CISO Michael Gregg. “I would say it's not so much the technology piece of it, that's certainly part of it. But the other side is the process and the people -- getting everything moved over, which certainly takes considerable amount of time and work.”
And while zero trust is a big lift with lots of moving parts, the hype aspect of “a zero trust strategy” is something that shouldn’t be ignored.
“Zero trust is the new buzzword, but to what extent does this differ from what we used to call role based access control?” said Jim Richberg, public sector field CISO and vice president of information security with Fortinet. “That's not something that gets people excited. Zero trust really does.”
It may just be that “zero trust is a rebranding of least privilege for the cloud,” said Alex Jackson, CISO of the South Carolina Department of Revenue. “In a risk-averse, high-posture environment, it gives some encouragement or some hope to organizations that want to move toward the cloud in that this marketing term says, ‘Hey, you can move towards the cloud and have a secure environment as well.’”
Capitalizing on what’s top of mind also offers a good opportunity to get funding, according to Mike Watson, CISO at Virginia Information Technologies Agency.
“As security professionals, I think we've spent a long time trying to just make sure that we've got the right tools in place to be able to see what's happening, respond to events, and I'll say contain issues that exist in our network. Now we're starting to move towards pushing those security controls closer and closer to the data, which is sort of the basis for zero trust, right?” he said.
Watson said he’s optimistic “that this is going to help our local [governments] and get us in a really great spot in the future.” But while it may make it easier for them to get some capital investment, it doesn’t “fix the underlying problem of some sort of actual dedicated budget to cybersecurity, at our local levels, which we know is generally not there.”
Now that “zero trust” is the accepted term for the range of security controls required for protecting the enterprise network, “we're all speaking that same language,” he said. “That’s probably the best thing that's come out of it.”