Threat actors targeting federal networks are not slowing down and continue to pose grave threats. The unprecedented SolarWinds supply chain attack, followed by a breach of email servers, drove home the need for federal agencies to assume that threat actors have already infiltrated their networks and to adopt an assume-breach mentality. The Log4j vulnerability, perhaps the most widespread exposure yet discovered, further underscored the value of a zero trust architecture and accelerated the government's adoption of zero trust principles.
To explore the momentum, priorities, and challenges around the evolution to zero trust, MeriTalk and Merlin Cyber surveyed more than 150 federal cybersecurity executives. In part one of a four-part webinar series that explores the findings of the “Zeroing In: 2022 State of Federal Zero Trust Maturity” survey, MeriTalk and Miguel Sian, Merlin’s Vice President of Technology, sat down with Renata Spinks, Assistant IT Director/Deputy CIO of Information, Command, Control, Communications, and Computers (IC4), Marine Corps, to discuss the Identity Pillar. This blog post captures some of the key parts of their conversation.
Note: The views presented by Ms. Renata Spinks, USMC, are hers alone and do not necessarily represent the official views of Department of Defense (DOD) or any of its components. Further, neither Ms. Renata Spinks, the Department of Defense (DOD), nor any of its components expressly or impliedly endorse Merlin Cyber Security, its products, or the views of any of the other panelists of the virtual event.
Renata Spinks: When you think of identity within the big picture of a zero trust architecture, you are trying to make sure the right person has access to the right data, at the right time, and in the right way. Data and identity go hand in hand because what the adversary is after is data. The target is not my network, device, identity, or application. The target is the data. Everything else is how to get to the data. That is how an adversary thinks. To get to the data, you have to be something identified on the network. That is why identity is so critical.
Miguel Sian: To use an analogy of Jenga blocks, if you pull out the identity block, everything crumbles. The application, data, network, and device pillars all rely upon a mature process for identity management. If you don’t have a functioning identity management system that allows you to authorize and provision least-privilege access, then you are exposed to potential threat actors. Low-hanging fruit from the Executive Order that agencies could implement today is phishing-resistant multi-factor authentication (MFA). That should be table stakes at this point.
Spinks: Visibility and analytics will be a challenge, but not because the technology doesn’t exist. As agencies move to the cloud, command and control for identity access and control is shifting to platforms like Google Workspace, Office 365, and other services. Those platforms and services come with inherited capabilities that help us get visibility. Because there is so much big data coming at you, the challenge is designing a process to integrate every segment of these multi-faceted approaches for visibility. If we are not capturing the right data, and putting in place the analysis that is needed, access on the other end is going to be just as flawed. We have to make sure we provide the right data, categories, and attributes for these advanced analytics to do their job in an efficient manner.
Sian: Visibility and analytics validate the importance of having a single identity store that allows you to perform advanced analytics with high fidelity and speed, because the last thing you want to do is affect the user experience. OMB Memo M-22-09, Moving the U.S. Government Toward Zero Trust, discusses combining multiple data sources and data telemetry, such as user context data with device context data, to make intelligent and timely decisions for granting access.
Spinks: Automation provides three things. First, it minimizes the risk of human error. The probability of error goes down when we are using clear processes to automate systems. Second, it forces a deliberate approach to process, such as how to authenticate a user, because you can’t automate a process if you don’t understand the process. Third, it gives you speed. We have to be able to keep up with adversaries who are using numerous automated techniques. Reduced risk, clarity, and speed are why automation is so critical. Now, you follow that with cloud because of the robust infrastructure and scale the cloud gives you. We see the cloud and automation as joined together and these are our areas of focus.
Sian: To add to that, cloud enables many of the principles of zero trust. Namely, more automation, programmability, speed, scale, and inherent security protections. Cloud adoption was accelerated largely by the pandemic. Now, government agencies realize that cloud is not such a bad thing. The cloud helps us accelerate our mission and gives us a better security posture. By leveraging it to the best of our abilities, we can eliminate a lot of the complexity of legacy systems and check the boxes in meeting some of the zero trust objectives.
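To make the identity-plus-device decision that Sian describes concrete, here is an added example of a small policy evaluation function in Python. It is not code from the webinar, MeriTalk, Merlin Cyber, or the Marine Corps; the authenticator classification (PIV and FIDO2 as phishing-resistant, consistent with OMB M-22-09), the session and posture freshness thresholds, and the user, device, and resource names are all assumptions chosen for the illustration. The function combines user context (role, authenticator type, age of the authentication) with device context (managed, compliant, recency of the posture check) and the sensitivity of the requested data, and returns every reason a request fails so the decision can be logged for the visibility and analytics pillar.

```python
"""Toy zero-trust access decision combining user and device context.

Added illustration, not code from the webinar or any vendor or agency.
Policy thresholds, authenticator classes and sample identities are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Authenticators treated as phishing-resistant (PIV and FIDO2/WebAuthn, per M-22-09).
PHISHING_RESISTANT = {"piv", "fido2"}

# Assumed policy: how recent the authentication must be, by data sensitivity.
MAX_AUTH_AGE = {
    "public": timedelta(hours=12),
    "internal": timedelta(hours=8),
    "sensitive": timedelta(hours=1),
}
# Assumed policy: how recent the device posture check must be for sensitive data.
MAX_POSTURE_AGE = timedelta(minutes=30)


@dataclass
class UserContext:
    user_id: str
    authenticator: str          # "piv", "fido2", "totp", "sms", "password"
    authenticated_at: datetime
    roles: frozenset[str]


@dataclass
class DeviceContext:
    device_id: str
    managed: bool               # enrolled in the agency's device management
    compliant: bool             # passed the assumed posture check (EDR, encryption, patches)
    last_posture_check: datetime


@dataclass
class Resource:
    name: str
    sensitivity: str            # "public", "internal", "sensitive"
    allowed_roles: frozenset[str]


@dataclass
class Decision:
    allow: bool
    reasons: list[str] = field(default_factory=list)   # empty when allowed


def evaluate(user: UserContext, device: DeviceContext, resource: Resource, now: datetime) -> Decision:
    """Return an allow/deny decision plus every failed check, for logging."""
    reasons: list[str] = []

    # Identity, least privilege: the role must be explicitly granted on the resource.
    if not (user.roles & resource.allowed_roles):
        reasons.append(f"role check failed for {resource.name}: {sorted(user.roles)}")

    # Identity: phishing-resistant MFA for anything beyond public data.
    if resource.sensitivity != "public" and user.authenticator not in PHISHING_RESISTANT:
        reasons.append(f"authenticator {user.authenticator!r} is not phishing-resistant")

    # Identity: session freshness scaled to the sensitivity of the data.
    if now - user.authenticated_at > MAX_AUTH_AGE[resource.sensitivity]:
        reasons.append("authentication is older than allowed for this sensitivity")

    # Device: sensitive data only from a managed, compliant device with a recent posture check.
    if resource.sensitivity == "sensitive":
        if not device.managed:
            reasons.append(f"device {device.device_id} is unmanaged")
        if not device.compliant:
            reasons.append(f"device {device.device_id} failed the compliance check")
        if now - device.last_posture_check > MAX_POSTURE_AGE:
            reasons.append(f"device {device.device_id} posture check is stale")

    return Decision(allow=not reasons, reasons=reasons)


def demo() -> dict[str, Decision]:
    """Constructed scenarios (not real users or devices) exercising the policy."""
    now = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)
    piv_user = UserContext("analyst1", "piv", now - timedelta(minutes=10), frozenset({"analyst"}))
    totp_user = UserContext("analyst2", "totp", now - timedelta(minutes=10), frozenset({"analyst"}))
    gfe = DeviceContext("gfe-001", managed=True, compliant=True, last_posture_check=now - timedelta(minutes=5))
    byod = DeviceContext("phone-7", managed=False, compliant=False, last_posture_check=now - timedelta(days=2))
    records = Resource("case-records", "sensitive", frozenset({"analyst", "supervisor"}))
    wiki = Resource("public-wiki", "public", frozenset({"analyst", "supervisor", "guest"}))
    return {
        "piv_managed_sensitive": evaluate(piv_user, gfe, records, now),
        "totp_managed_sensitive": evaluate(totp_user, gfe, records, now),
        "piv_byod_sensitive": evaluate(piv_user, byod, records, now),
        "totp_byod_public": evaluate(totp_user, byod, wiki, now),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, "ALLOW" if decision.allow else "DENY", decision.reasons)
```

Returning the full list of failed checks rather than a bare deny is the design choice worth copying: it is what feeds the analytics Spinks describes, and it shows why a single identity store matters, since the same user record has to supply the role, the authenticator type, and the authentication time for every decision.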
***