Tips from state and local chief information security officers on moving to zero trust, the importance of backups and why testing response plans is critical.
Understand your processes, people and technology when implementing zero trust, three state and local chief information security officers (CISOs) advised during a June 29 webinar.
That’s because zero trust is not about a single factor, said Andy Hanks, CISO for Montana, who was a panelist on “Strengthening Cybersecurity in State and Local Agencies using Zero Trust,” hosted by the Advanced Technology Academic Research Center.
The first step he took on Montana’s zero-trust journey was about people: Hanks hired a security architect to be responsible for the effort. For processes, his team looks for ones that are repeatable and scalable, and it is always working to establish control points and metrics. For technology, the state uses layer 7 (application-layer) firewalls alongside security orchestration, automation and response (SOAR) tooling, for instance.
“Zero trust is simply just getting rid of your network perimeter,” Hanks said. “The classic security model is network perimeter-based: You don’t trust anything outside your network, and you trust everything inside your network,” he said. “Zero trust is never trust, always verify.”
An important element of zero trust is a good programmatic approach to identity, added Lester Godsey, CISO for Maricopa County, Arizona.
“I think a lot of organizations, when they hear about zero trust, they tend to focus on individual identity, but zero trust is a lot more comprehensive than that,” Godsey said. “It involves service identity, it involves device identity,” he said. Zero trust means only allowing access to a device or application to those who need it, so “if you can’t define what that resource is, then you have no hope whatsoever of being able to make it on that journey.”
The county is working with Workday to create a single source of truth on identity groups. As part of a new human resources management solution that Maricopa is preparing to roll out, the county discovered that it had no single source of truth for the identity of contractors, interns and volunteers. Departments were managing them individually. It would be difficult to implement zero trust without a single source of truth on identity groups, Godsey said.
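The two points above, that zero trust checks service and device identity as well as user identity, and that it needs one source of truth for identity groups, can be shown as a small policy decision. The following is an added illustration, not code from the webinar or from any of the panelists' organizations; the users, groups, devices, services and resources are constructed, and the data structures (`IDENTITY_GROUPS`, `DEVICE_REGISTRY`, `RESOURCE_POLICY`) are assumptions standing in for a real directory, device inventory and policy store.

```python
"""Minimal zero-trust access decision.

Every request is evaluated against user identity, device identity and
service identity, using a single identity source of truth. Added
illustration; all names and policies below are constructed.
"""
from dataclasses import dataclass, field

# Constructed single source of truth: who belongs to which identity group.
# Contractors and interns are recorded here too, not in per-department lists.
IDENTITY_GROUPS = {
    "alice": {"employees", "hr-admins"},
    "bob": {"employees"},
    "carol": {"contractors"},
}

# Constructed device inventory: device id -> (assigned owner, passes posture policy)
DEVICE_REGISTRY = {
    "laptop-001": ("alice", True),
    "laptop-002": ("bob", False),   # e.g. missing required patches
    "laptop-003": ("carol", True),
}

# Constructed resource policy: groups and calling services allowed per resource.
# A resource that is not defined here cannot be protected at all.
RESOURCE_POLICY = {
    "hr-payroll-api": {"groups": {"hr-admins"}, "services": {"hr-portal"}},
    "timesheet-api": {"groups": {"employees", "contractors"},
                      "services": {"hr-portal", "mobile-app"}},
}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    service: str      # identity of the service making the call on the user's behalf
    resource: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # why access was denied (empty if allowed)


def evaluate(req: AccessRequest) -> Decision:
    """Allow only when user, device and service identity all check out."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision(False, ["resource is not defined in policy"])

    reasons = []

    # 1. User identity, resolved through the single source of truth
    user_groups = IDENTITY_GROUPS.get(req.user, set())
    if not user_groups:
        reasons.append("user unknown to identity source of truth")
    elif not (user_groups & policy["groups"]):
        reasons.append("user not in an authorized group")

    # 2. Device identity: registered, assigned to this user, and compliant
    device = DEVICE_REGISTRY.get(req.device_id)
    if device is None:
        reasons.append("device not registered")
    else:
        owner, compliant = device
        if owner != req.user:
            reasons.append("device not assigned to this user")
        if not compliant:
            reasons.append("device fails posture check")

    # 3. Service identity: only designated services may front this resource
    if req.service not in policy["services"]:
        reasons.append("calling service not authorized for resource")

    return Decision(not reasons, reasons)


if __name__ == "__main__":
    for r in (AccessRequest("alice", "laptop-001", "hr-portal", "hr-payroll-api"),
              AccessRequest("bob", "laptop-002", "hr-portal", "timesheet-api"),
              AccessRequest("carol", "laptop-003", "hr-portal", "hr-payroll-api")):
        print(r, "->", evaluate(r))
```

The point of the three separate checks is that a perfectly valid user on an unmanaged or non-compliant device, or a valid user reaching a resource through a service that was never meant to front it, is denied just as an unknown user would be; and a resource missing from the policy is denied outright, which is the practical meaning of "if you can't define what that resource is."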
James Meece, CISO at Louisville Metro in Kentucky, emphasized the importance of having immutable backups, especially in the face of growing ransomware threats.
“The foundational way to give yourself the most protection from ransomware is to invest in a partner that provides immutable backups,” Meece said. “Those backups have to be strategic on your part: You have to back up the right things at the right time. They have to be verified. You have to make sure the data is pristine and immutable,” he said. And agencies must practice restoring data from a backup. “You have to make sure … that when you try to restore a critical data center asset, that it actually works. Then you build up from there.”
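Meece's two requirements, that backups be verified and that restores be practised, come down to recording what the backup contained when it was taken and checking a restored copy against that record before trusting it. The following is an added example, not code from the webinar or from Louisville Metro; it builds a SHA-256 manifest of a constructed file set in a temporary directory, copies it as a "restore", and shows what verification reports when the restore has drifted. The file names and contents are constructed, and `build_manifest`/`verify_restore` are this example's own helpers, not any backup product's API.

```python
"""Backup verification by manifest.

Record a SHA-256 digest of every file when the backup is taken, keep the
manifest with the immutable copy, and verify a restore against it.
Added illustration; all files here are constructed in a temp directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup objects don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative to root) to its digest. Taken at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root: Path, manifest: dict) -> list:
    """Compare a restored tree with the manifest; an empty list means it matches."""
    restored = build_manifest(root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo(tamper: bool = True) -> list:
    """Back up constructed files, restore them, optionally simulate drift, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        source.mkdir()
        (source / "db.sql").write_text("CREATE TABLE permits (id INT);\n")
        (source / "config.ini").write_text("[app]\nmode=prod\n")

        # The manifest is stored next to the backup copy on immutable (WORM /
        # object-locked) storage; the lock is what makes the copy immutable,
        # the manifest is what proves a restore reproduced it.
        manifest = build_manifest(source)

        restore = Path(tmp) / "restore"
        shutil.copytree(source, restore)
        if tamper:
            # A restore that silently drifted: one file altered, one lost, one injected.
            (restore / "db.sql").write_text("CREATE TABLE permits (id INT);\n-- altered\n")
            (restore / "config.ini").unlink()
            (restore / "ransom.txt").write_text("constructed junk\n")

        return verify_restore(restore, manifest)


if __name__ == "__main__":
    print("clean restore:", demo(tamper=False))
    print("drifted restore:", demo(tamper=True))
```

Run this as part of the restore exercise rather than only at backup time: a manifest that is never checked against an actual restore proves nothing about whether "a critical data center asset" comes back intact.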
Another major threat the CISOs are battling is supply chain attacks. Hanks said he knows of several vendors that have faced ransomware only because those companies are contractually obligated to report such incidents to the state; the attacks are not public knowledge. He recommended that agencies word their contracts so vendors must notify them of a suspected cyberthreat, rather than waiting until the vendor has verified a breach, which can take days.
“Be as proactive as possible in threat hunting and risk identification,” Meece added. “When you get into the game of being reactive, milliseconds matter.”
All three CISOs touted the importance of an incident response plan that goes through regular testing. For instance, in Montana, Hanks said, he runs at least three exercises a year through a third-party host, noting that the U.S. Homeland Security Department has a strategy and planning team that can help state and local governments run these tests. One of the tests Montana conducts involves public and private entities statewide, another is just for state agencies and the third zeroes in on the IT division.
“If you don’t have a plan, you’re done. That plan needs to be exercised in real-world scenarios, so running tabletop exercises is a very good way to exercise that plan,” he said. “Include your communications people…. [And] any time you can work with your National Guard in any kind of incident response, that is who you should be working with. As a matter of fact, they should be running the show at that point.”