
Zero trust doesn’t have to mean zero info sharing

The zero trust security model assumes malicious intent from users, data and devices both inside and outside the network. Because it can limit data sharing that’s essential to many agency operations, it requires cooperation from both the technology and mission sides of the agency to work, according to Federal Chief Information Security Officer Grant Schneider.

For much of the past 20 years, the federal government has segmented its systems and networks, but allowed authenticated users "to see almost anything in there," Schneider said at a May 18 event hosted by FCW. The choice to give employees "pretty much free rein" if they had the appropriate access privileges was part of a larger shift that has taken place in the federal government to facilitate greater information sharing following 9/11, he said.

"That's great for information sharing. It's a challenge from a security standpoint because it's an opportunity for our adversaries," he said.

Zero trust architectures can help thwart those adversaries by adding device- and location-based data and other trust indicators to the standard login credential when granting or withholding access. But doing so can compromise intended and important access if that security framework does not also factor in mission needs and other contextual data.

To illustrate, Schneider drew on his time as CIO at the Defense Intelligence Agency, when he said he couldn't tell "whether a Middle East analyst in Germany should be looking at a piece of data or information on China or North Korea or somewhere else. Because there may be a nexus and a connection and a thread that they're pulling on, and I don't want to be the one that's preventing them from connecting the dots." Similarly, a D.C.-based employee's credentials being used from a laptop in the Bahamas could be a clear sign of a breach -- but if that employee is known to be on leave, it could simply indicate an inability to stay off of work email during a vacation.

With zero trust, agencies will have to re-evaluate who gets access to what information and under which conditions. Employees physically present in a federal facility might have different access and privileges than they would if they were logging in remotely. Agencies must also get better at tracking and quickly updating when an employee's role (and corresponding access privileges) changes.
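The access conditions the article describes, combined into one policy check, as an added example (not code from the article or from any agency). It assumes a hypothetical policy engine that receives the authenticated identity together with device posture, session location and an HR leave signal, and returns allow, step-up (require MFA) or deny. Role names, resource names, country codes and the entitlement table are all constructed. Note what the engine deliberately does not do: it never judges whether an analyst's region matches the data's region, since the article places that call with the mission side.

```python
"""Contextual zero-trust access decision (added example; all inputs constructed)."""
from dataclasses import dataclass
from typing import Literal

Decision = Literal["allow", "step_up", "deny"]

# Constructed role-to-resource entitlements. Coarse on purpose: topic-level
# judgements (which analyst may read which region's data) are left to the
# mission owners, not encoded here.
ROLE_ENTITLEMENTS = {
    "analyst": {"intel_reports", "email"},
    "hr_specialist": {"personnel_files", "email"},
    "contractor": {"email"},
}
SENSITIVE_RESOURCES = {"intel_reports", "personnel_files"}
HOME_COUNTRIES = {"US"}  # constructed: where remote sessions are expected from


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str               # current role as held by the HR / identity system
    resource: str
    device_managed: bool    # agency-enrolled device
    device_compliant: bool  # patch / configuration posture check passed
    country: str            # geolocated source of the session
    on_site: bool           # badged in at a federal facility (anywhere)
    on_leave: bool          # HR leave status: the contextual signal


@dataclass(frozen=True)
class Verdict:
    decision: Decision
    reason: str


def evaluate(req: AccessRequest) -> Verdict:
    # 1. Entitlement is read from the *current* role on every request, so a
    #    role change in HR takes effect immediately; nothing is cached.
    allowed = ROLE_ENTITLEMENTS.get(req.role, set())
    if req.resource not in allowed:
        return Verdict("deny", f"role {req.role!r} has no entitlement to {req.resource!r}")

    # 2. Device posture: unmanaged devices never reach sensitive data; a
    #    managed device that fails its compliance check gets a step-up.
    if not req.device_managed:
        if req.resource in SENSITIVE_RESOURCES:
            return Verdict("deny", "unmanaged device cannot access a sensitive resource")
        return Verdict("step_up", "unmanaged device: require MFA")
    if not req.device_compliant:
        return Verdict("step_up", "managed device failed compliance check: require MFA")

    # 3. Location combined with HR context. Credentials used abroad are a
    #    breach indicator only when the employee is not expected to be away.
    if not req.on_site and req.country not in HOME_COUNTRIES:
        if req.on_leave:
            return Verdict("step_up", f"credentials used from {req.country} during leave: require MFA")
        return Verdict("deny", f"credentials used from {req.country} with no leave record: flag for review")

    # 4. Remote but domestic access to sensitive data still requires MFA;
    #    on-site access from a healthy device is allowed outright.
    if not req.on_site and req.resource in SENSITIVE_RESOURCES:
        return Verdict("step_up", "remote access to sensitive resource: require MFA")
    return Verdict("allow", "entitled role, compliant device, expected location")


if __name__ == "__main__":
    # Constructed scenarios mirroring the article's two illustrations.
    cases = [
        AccessRequest("analyst_de", "analyst", "intel_reports", True, True, "DE", True, False),
        AccessRequest("dc_employee", "analyst", "email", True, True, "BS", False, False),
        AccessRequest("dc_employee", "analyst", "email", True, True, "BS", False, True),
        AccessRequest("former_staff", "contractor", "intel_reports", True, True, "US", True, False),
    ]
    for c in cases:
        v = evaluate(c)
        print(f"{c.user:14} {c.resource:16} -> {v.decision:8} {v.reason}")
```

Run directly, the script prints one verdict per scenario: the analyst at a site in Germany reading China-related reports is allowed because the engine only checks entitlement, device and site presence; the D.C. employee's credentials appearing in the Bahamas are denied and flagged unless HR shows the employee on leave, in which case the session proceeds after MFA; and a user whose role has been downgraded loses access to reports on the next request.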

The technologies needed to put zero trust in place aren't particularly sophisticated or difficult to implement, Schneider said. What's trickier is ensuring agencies have clear rules for access. Those policies and decisions, he said, are "going to come from the mission side, from the business side who understand their data and their environment." That means CIOs and CISOs must get involved in training those on the mission side on security.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
