Implementing a Zero Trust architecture is mandatory for all federal agencies, but how that architecture is implemented is highly dependent on the operational and business needs of individual agencies.
At the Department of Homeland Security (DHS), implementing any kind of Zero Trust framework means adding security measures not just outside the network, but also around data and user access, a senior department official said in an Aug. 15 speech at an event sponsored by Nextgov/FCW.
Kenneth Bible, DHS Chief Information Security Officer (CISO), said federal agencies have long sought to protect their networks by investing in what many cyber experts call a “castle and moat” security framework.
“We saw it as our job to identify, protect, detect and respond to network intrusions and build bigger and taller walls around information governance,” he said. The idea was to “focus on the outside of our network, while giving users free and clear access within our network to discover, connect and use most of our resources.”
“We thought our job was primarily to keep the bad guys out of the network, but our network-centric defenses just couldn’t keep up with the pace of threats,” added Bible.
DHS continues to invest in the security of the network’s exterior while adopting a data-centric approach in which identity security measures are key, and it is committed to granting users access to information on a session-by-session basis. This authority connects identity and user behavior with device and network security.
“We examine behavior, compare it to known attack vectors and known patterns of normal behavior, and block what looks suspicious even when traditional static firewall rules don’t apply,” the CISO said.
According to Bible, identity is becoming an increasingly popular target for bad guys. DHS therefore focuses on making user credentials more secure and harder to steal, striving to “lock down more networks and systems with identities.”
However, implementing any kind of Zero Trust security measures, including identity security, shouldn’t mean moving away from delivering a great customer experience. A common question in cybersecurity discussions is how security measures affect the customer experience.
“As an agency, we need to manage and balance customer experience with privacy, security and identity security,” said Bible.