Federal chief information officers (CIOs) and chief information security officers (CISOs) encourage agencies seeking a successful zero trust architecture to look toward modernization and to think of zero trust as an “integration architecture.”
Steven Hernandez, CISO and director of information assurance services at the Department of Education, said looking to modernization is one of the key reasons he believes the Technology Modernization Fund (TMF) recently awarded his agency $20 million to create and implement a zero trust architecture (ZTA) plan.
“The ideas around modernization and transformation in that space, especially in cybersecurity, have never been more poignant for us than they are right now,” Hernandez said during an AFCEA Bethesda Chapter event Oct. 13. “I think that’s one of the reasons why our TMF proposal went forward was we talked about ZTA in modernizing and advancing and delivering better cybersecurity, better risk visibility, throughout our department.”
Gerald J. Caron, CIO and assistant inspector general for information technology at the Department of Health and Human Services, Office of the Inspector General, agreed with Hernandez that zero trust architectures can modernize an agency, but also reminded the audience that zero trust requires a large integration effort.
If zero trust is not fully integrated with other aspects of an agency’s IT operations, Caron said agencies will be very limited in their zero trust efforts as well as their risk visibility throughout the agency.
“It is an architecture, it’s an integration effort. It’s not go buy the tool off the shelf, plug it in, I’m done, have a nice day with zero trust. It’s really an integration effort,” Caron said. “The real thing I think with zero trust that I stress all the time when I talk about it: it’s an integration effort.”
Amber Simco, deputy CISO at the National Institutes of Health (NIH), agreed with Caron that integration is key to reaping the benefits of zero trust.
“When we start talking about tools for managing this, we can very easily fall into the shiny object syndrome and get distracted by all that,” Simco said. “And we also can end up investing a lot of hope in that once we get this one tool that everything is going to be okay. And it’s really a false sense of reassurance that some of these tools can give us. And so there has to be a lot of attention and time paid into making sure we are getting what we need.”
Although Caron and Simco stressed that zero trust requires attention and an integration effort, Hernandez reminded the audience that zero trust will make the user’s life a lot easier once it’s integrated.
“One of the beautiful parts about zero trust is if we do it right, there’s less burden on the actual user, and that sounds odd given some of the comments we’ve made about… ‘wow the user is going to be really busy reauthenticating all the time,’ and the answer is no. No, they’re not. And that’s part of the beauty is that all that gets automated.”