As telework and cyber threats are both ever-increasing, the move to zero trust security concepts is needed as a generational shift in security strategy for Federal agencies to stay one step ahead of adversaries, cybersecurity experts said April 7 during FCW’s Zero Trust Workshop.
Tony Plater, the acting chief information security officer (CISO) at the U.S. Department of the Navy (DoN), talked about why the switch to zero trust is vital and how the Navy has benefitted from the change.
“Today’s cyber warfare, for the DoN is somewhat more complex than traditional warfare in certain ways because it’s unpredictable. You have no rules of engagement and your adversaries may be unknown,” Plater said during a panel discussion. “We have to assume that we have been, or we will be breached. This makes zero trust important where we go next. Success depends on rapidly understanding the environment to make decisions faster than the adversary.”
Before implementing zero trust, Plater said the Navy’s traditional security architecture was “problematic,” and he welcomed the switch to a new security strategy.
“Zero trust offers a fundamental or paradigm change to security and data sharing across DoN networks. We now operate from a perspective that the network has been breached or will be breached at some point,” Plater said. “From a security perspective, zero trust architecture will better enable the DoN to track and block external attackers, while limiting security breaches from internal human error.”
In a separate panel discussion, Alma Cole, chief information security officer (CISO) at the U.S. Customs and Border Protection, agreed that the old security model was “a huge challenge” when it came to besting adversaries, but also stressed that zero trust will take a long time to implement.
“You have to understand that this is definitely, for zero trust, going to be a very, very long-term marathon, and it’s something where you’re going to be building on and getting some initial capability, and then refining that capability over time,” Cole said.
Cole said his agency is still in the “basic” stages of implementing zero trust, but says it’s better to take a slower approach and ensure every zero trust policy is in place from the start.
“I’m trying to get the zero trust policies implemented upfront,” Cole said. “You’re much better off if you can actually do that from the beginning versus having it all open and then having to reverse and lock down later on.”