Before the COVID-19 pandemic forced hundreds of thousands of Federal employees to remote work environments, zero trust was mainly a concept in the minds of cybersecurity experts that had not been fully actualized. But as telework has become the new normal, enabling zero trust capabilities is a key goal for various agencies.
“One of the things we found almost immediately was our capacity through VPNs, just to try and keep everybody teleworking at home, we choked on it very quickly,” said Christopher Cleary, CISO for the U.S. Navy, during the Federal Executive Forum’s Zero Trust in Government 2020 webinar on Nov. 24.
Those telework-driven realities – and the resulting expansion of attack surfaces that telework creates – has led to a greater focus on zero trust concepts. “Zero trust really is a construct – it’s not a product, although there are lots of companies that would like to make you believe it’s a product,” the Navy CISO said.
Cleary said the Navy is trying to figure out – because it’s such a large service branch – how to architect zero trust “a little bit differently” and orient it to be more suitable for the department, with the cornerstone of that being identity.
“We’re really pushing identity strategy through the department because for us to really get to a true zero trust environment, you need identity,” he said.
Before the coronavirus pandemic, agencies were still looking at zero trust as an interesting concept, but not as a practice to be considered with urgency. Pre-COVID, he said, there would be briefings on zero trust as the “new, shiny thing,” but they were just that: briefings.
“I guess the analogy would be ‘never let a good crisis go to waste’ or a lot of these things that we were trying to do, but just being overcome with other events,” the Navy CISO said. “You can only imagine the breadth and scope of priorities, different projects, and different initiatives that go on within an organization of 800,000 people, a million email addresses, and 240 networks to one degree or another, whether accepted or unaccepted that we’re trying to manage … but this has allowed us to address, at the Department of the Navy, a new way of thinking.”