Michael Baker is vice president and chief information security officer at GDIT, and chair of WashingtonExec’s CISO Council.
While zero trust may seem like a new term, it was popularized by John Kindervag in 2010 when he was a principal analyst at Forrester. In those early days of cloud computing, Kindervag understood that traditional security models — which assumed that everything inside an organization’s network should be trusted — were outdated. “Never trust, always verify” became the zero trust mantra.
It’s important to note that zero trust is not a solution or a collection of products; it’s a cyber strategy and model. The National Institute of Standards and Technology (NIST) defines zero trust as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
As organizations have increasingly moved to the cloud and workforces have become more dispersed — particularly over the last two years — people use various devices in numerous locations to access resources inside and outside the enterprise network. The traditional perimeter has dissolved; the user is the new perimeter, and cybersecurity practices must evolve to keep pace.
A New Direction for Federal Cybersecurity
On May 12, 2021, President Biden released his Cybersecurity Executive Order, a wide-reaching document covering numerous areas from improving threat information sharing and supply chain security to furthering detection and response capabilities. The order requires agencies to move to secure cloud services and a zero trust architecture, while mandating deployment of multi-factor authentication and encryption.
This makes zero trust architecture the cyber strategy that will carry our industry into the future, guiding the capabilities, processes, and cyber investments across the entire government. In addition, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) recently published draft guidance documents that provide roadmaps for agencies to transition to zero trust models over the next three years, as well as securely migrate to cloud services.
For many agencies, the biggest question is “where do we begin?” The models from OMB and CISA give agencies a good starting point, helping them set immediate priorities to make positive and substantial change, one step at a time.
It’s important to recognize that while this is a massive culture and mindset change for many organizations, transitioning to a zero trust model will help agencies realize significant benefits — including improved enterprise-wide visibility, simplified IT management, remote workforce protection, a more streamlined user experience, and a data-informed defense.
A Holistic Approach to Zero Trust
While the benefits are clear, many agencies may not have holistic, enterprise-wide cyber capabilities, or they may lack key visibility between them. They may face workforce gaps that make it difficult to make the required mindset shift around zero trust principles. Most are managing multi-cloud environments but may not have a solid grasp on what data they have, where it resides, and how it’s flowing between environments and key business partners. And there are still a lot of agency applications residing on legacy, mainframe, or operational technology, upping the ante on cybersecurity complexity and modernization challenges.
Agencies do not have to travel this road alone. They can — and should — work with a trusted technology partner that has the experience, scalability, and holistic approach needed to help them navigate the zero trust journey.
At GDIT, we have worked closely with our Federal customers to adopt the principles of zero trust long before the release of the Executive Order. With more than 3,000 cyber professionals and a partner ecosystem of more than 30 cyber alliances, we bring the most innovative capabilities to the table to address our customers’ toughest cyber challenges.
Our defined Cyber Stack maps closely to the zero trust pillars of identity, device, network, application, and data. We work with our customers every step of the way, helping them define their goals and objectives, map data flows, identify the high value assets, and apply the right set of technologies to enable the adoption or maturation of capabilities supporting zero trust principles.
As agencies reach a certain level of maturity in their zero trust journeys, automation should be a key investment priority. Artificial intelligence (AI) and machine learning (ML) tools can help organizations understand what “normal” behavior looks like in their environment, identify abnormal behavior in real-time, and restrict access until further investigation can occur.
GDIT is taking this even further by increasing the adoption of AI/ML to detect threats and increase automation through the adoption of advanced Endpoint Detection and Response (EDR) and Security Orchestration, Automation, and Response (SOAR) capabilities. This allows us to develop standard automated playbooks that improve detection and response so our customers’ cyber teams can focus on prioritized events. By adopting zero trust strategies, agencies can increase resiliency to prevent many threats before they happen or react at machine speed when they do.
Identity as the Foundation
Identity, Credential, and Access Management (ICAM) is foundational to a successful zero trust strategy. Organizations must have a strong understanding of their users and system accounts and enforce policies that define who or what should have access to specific applications and resources each time access is requested.
GDIT is currently working with government agencies to build an identity, credential, and access management (ICAM) program, a federated identity service that will help mitigate inefficiencies, facilitate strong authentication to cloud services, provide authorization services with role-based access, and enable better and faster audits of users and resources. Securing identity is a critical cybersecurity strategy in the push toward a zero trust architecture. GDIT is supporting multiple defense and civilian agencies on their zero trust journeys.
And, of course, we are our first customer. At GDIT, we’re accelerating our own zero trust journey, while recognizing that zero trust is a continuous evolution rather than a process with a final endpoint. We are focused on applying zero trust concepts across our enterprise environment as we mature governance needed to manage our architecture moving forward.
Looking Ahead
As cyber threats continue to grow in frequency and sophistication, agencies must make the shift to a zero trust architecture to protect their systems, data, and users. There is no alternative; this is the future of how we should be prioritizing strategy and investments. While making this shift is and will continue to be challenging, zero trust will ultimately pay huge dividends — enabling broader digital transformation, helping government agencies deliver on their mission, and making it easier and more secure for their users to work productively and safely on any device, from anywhere.
The time to get started is now, and agencies do not need to fly solo. They should lean in with trusted technology partners who can share their experience, methods, and common pitfalls to take a holistic approach to zero trust and drive to real outcomes. At GDIT, we are honored to work with our customers as they make this important shift to improve our nation’s cybersecurity and deliver on their mission.