Zero trust doesn’t have to mean zero info sharing
- By Derek B. Johnson
- May 22, 2020
The zero trust security model assumes malicious intent from users, data and devices both inside and outside the network. Because it can limit data sharing that’s essential to many agency operations, it requires cooperation from both the technology and mission sides of the agency to work, according to Federal Chief Information Security Officer Grant Schneider.
For much of the past 20 years, the federal government has segmented its systems and networks, but allowed authenticated users “to see almost anything in there," Schneider said at a May 18 event hosted by FCW. The choice to give employees "pretty much free rein" if they had the appropriate access privileges was part of a larger shift that has taken place in the federal government to facilitate greater information sharing following 9/11, he said.
"That's great for information sharing. It's a challenge from a security standpoint because it's an opportunity for our adversaries," he said.
Zero trust architectures can help thwart those adversaries by adding device- and location-based data and other trust indicators to the standard login credential when granting or withholding access. But doing so can compromise intended and important access if that security framework does not also factor in mission needs and other contextual data.
To illustrate, Schneider drew on his time as CIO at the Defense Intelligence Agency, when he said he couldn’t tell “whether a Middle East analyst in Germany should be looking at a piece of data or information on China or North Korea or somewhere else. Because there may be a nexus and a connection and a thread that they're pulling on, and I don't want to be the one that's preventing them from connecting the dots," he said. Similarly, a D.C.-based employee's credentials being used from a laptop in the Bahamas could be a clear sign of a breach -- but if that employee is known to be on leave, it could simply indicate an inability to stay off of work email during a vacation.
With zero trust agencies will have to re-evaluate who gets access to what information and under which conditions. Employees physically present in a federal facility might have different access and privileges than they would if they were logging in remotely. Agencies must also get better at tracking and quickly updating when an employee's role (and corresponding access privileges) changes.
The technologies needed to put zero trust in place aren't particularly sophisticated or difficult to implement, Schneider said. What's trickier is ensuring agencies have clear rules for access. Those policies and decisions, he said, are "going to come from the mission side, from the business side who understand their data and their environment," he said. That means CIOs and CISOs must get involved in training those on the mission side on security.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.