Security is top of mind for the Biden administration, particularly as incidents such as the Microsoft hack, SolarWinds breach and the water treatment hack in Florida underpin the need for the U.S. government to do more to defend critical infrastructure nationally. With the new cybersecurity bill on the horizon, the federal government is taking a pivotal step in making resilient, remote cybersecurity measures more of a reality with a zero trust framework.
Here, Security spoke to Bill Wright, Director of Federal Government Affairs at Splunk, for a deeper dive into strategies federal organizations can use to facilitate expedited zero trust adoption.
Security: What is your background, current role and responsibilities?
Wright: I spent about 20 years working across the legal, policy, and operational spectrums of national security, counterterrorism, and cybersecurity. Like many of my contemporaries, the attacks of 9/11 pulled me to government service and brought me to D.C. Prior to joining Splunk back in 2018, I spent my career split between Capitol Hill and the Executive branch. I’ve held roles as Staff Director and General Counsel for two U.S. Senate Homeland Security and Governmental Affairs Subcommittees focusing on homeland security, federal contracting, and government IT. And before the Senate, I worked for the U.S. Department of State as a foreign affairs officer and in the Office of the Director of National Intelligence as a Senior Operations Officer in the National Counterterrorism Center Operations Center (NCTC). My background has given me a unique perspective on cybersecurity, the value of data and the necessity to lower barriers for information sharing.
Security: Why are federal agencies taking an increased interest in Zero Trust?
Wright: The cynic in me would say that federal agency interest in Zero Trust is heavily guided by President Biden’s May Executive Order mandating each agency adopt secure cloud capabilities, new architectures (such as zero trust) and more secure technology capabilities (such as multi-factor authentication and encryption). But the truth is that many agency leaders had already begun introducing these concepts and capabilities well before the mandate came down.
Even to the casual observer, this last year’s torrent of cyber attacks demonstrated the need to do much more to secure our government systems. Years of underinvestment and a stubborn reliance on legacy software caught up with us in a dramatic fashion. Organizations used to approach cybersecurity by building a hardened perimeter – one that would keep the adversary from infiltrating from the outside. But, as we have seen all too often when a threat penetrates the network and breaches the perimeter, the adversary has free reign to move laterally across the network as well as any connected systems, compromising assets and causing irrevocable damage. In the wake of COVID-19, high-profile breaches such as SolarWinds, accelerating cloud migration, and an ever-expanding digital attack surface mean that a shift in mindset is all the more critical. Moreover, with the rise of remote work and mobile, hybrid and multi-cloud adoption surging (75% of cloud infrastructure users are multi-cloud today), new technologies and IT environments are opening up attack vectors faster than they can be secured. To address this change, we need to evolve our approach to cybersecurity, and that evolution leads itself to Zero Trust adoption.
Security: What are some strategies federal organizations can use to facilitate expedited Zero Trust adoption agency-wide?
Wright: From a data perspective, there are several steps organizations can take to accelerate their Zero Trust journeys. Always start by identifying your organization’s most critical assets — specifically, what you need to protect and monitor in order of priority. Once you’ve triaged your assets, you’ll have a much better idea of where you should be allocating resources and where to start instrumenting and collecting data.
From there, contextualize, enrich and augment your data. To understand your data, you have to implement a standard taxonomy across all data sources — otherwise, you’re left with a whole lot of noise. Creating a taxonomy for your data will eliminate much confusion, especially as you continue to level up on your security journey. Leverage tools that provide even more context into your data, like threat intelligence, information from vulnerability and patch management tools, and attack surface management solutions.
Finally, define advanced security detections with risk-based alerting (RBA). This will help guarantee the fidelity of the threats in your queue and minimize alert volume. The goal here is to think about: 1: the policies surrounding your zero trust architecture, 2. What users typically do with the systems they have access to, and 3. how to identify patterns of behavior that could be indicative of unusual or malicious activity.
It’s important to keep in mind that achieving a comprehensive zero-trust policy involves a range of integrated components, but together, these controls provide the necessary data and insights for centralized effective monitoring and policy enforcement.
Security: What are some key steps to evaluate zero trust security frameworks?
Wright: Across the breadth of zero trust frameworks, several tenets go into cultivating a successful zero trust security program:
- All data sources and computing services need to be considered resources.
- All communication needs to be secured regardless of where a network is.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy — including the observable state of client identity, application and the requesting asset — and may include other behavioral attributes.
- The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets to ensure they remain in the most secure state possible.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
But remember, true zero trust principles should extend beyond just technology. The framework must be embraced within the processes and teams supporting the organization in order to reach its full effectiveness and potential.