With President Biden’s cybersecurity executive order (EO) directing Federal agencies to begin moving to zero trust security architectures, agencies already have begun to make the shift. However, progress on zero trust migration – which some Federal officials termed a “paradigm shift” at an ATARC webinar today – will look different for every agency.
IT officials from the Department of Commerce (Commerce), the Department of the Interior (DoI), and the National Institutes of Health (NIH) explained what that journey is beginning to look like, and how agencies can get as close as possible to 100 percent zero trust.
“Where to start is different in every agency,” Allison McCall, CIO of Commerce’s National Technical Information Service, said at the event. “It depends on the number of legacy apps you have, what your environment is, are you already in the cloud, are you on-prem [on-premises], are you hybrid? And really knowing where to start is part of the planning process.”
“I don’t think there’s a set recipe that will work for everyone,” McCall added. “For some of us, starting with building general trust into the new initiatives would be the best approach. For others, it would be starting in other parts.”
Moving to zero trust from a castle-and-moat model of network defense is going to require a culture shift as well as a technological one, and Kris Caylor, associate chief information security officer (CISO) in DoI’s Office of Surface Mining Reclamation and Enforcement, said that will take time to fully implement.
Caylor pointed to the architecture frameworks laid out by the National Institute of Standards and Technology (NIST), the Department of Defense, and the Cybersecurity and Infrastructure Security Agency (CISA) as helpful starting points, but noted that those involve significant technological shifts.
“It’s a paradigm shift,” Caylor said. “This is going to take a lot of work; it’s not something we can fully implement today. We’re just at the beginning of this journey. We have a long road ahead of us.”
“I equate the zero trust to the paradigm shift that we had from mainframe computing, years and years ago, to the Internet, where physical security was the primary approach and we had to move to distributed security of the internet,” Caylor said. “There are technologies out there that we can implement that are pieces of [a zero trust architecture]. But there’s a lot of development of new technology, new protocols that need to be done. So, I think it’s a major approach, and we need to understand that the vision is long term, not short term.”
Samuel Michael, the chief of the technological resources branch at NIH’s National Center for Advancing Translational Sciences, said that such a cultural and technological shift could be harder for more mature organizations, but stressed that it is crucial for organizations to understand the importance and necessity of the change.
“Your organization needs to embrace it across the board, otherwise you’re not going to be successful,” Michael said. “And it is very difficult to do … especially if you’re supporting legacy systems.”
He compared the resistance to cultural organizational change – like the move to zero trust – to Spanish painter Salvador Dalí’s painting of melting clocks, titled The Persistence of Memory, and said the move will take sustained effort and organization-wide buy-in.
“It’s just incredible how powerful that Persistence of Memory – of what things were – can prevent what things could or should be,” Michael said. “So how do you get that activation energy to get people to think about this in a different way? It really just takes concerted effort but also learning is a process of repetition. Just stay on point and really make sure that you’re constantly taking every opportunity to present on this, even if it’s exhausting, because … without that reinforcement, you just have very little chance of success.”