Threat actors targeting federal networks are not slowing down and continue to pose grave threats. In the wake of the unprecedented SolarWinds supply chain attack, followed by a breach of email servers, the need for federal agencies to assume threat actors have already infiltrated federal networks and adopt a breach mentality has hit home. Log4j, perhaps the most widespread attack yet discovered, has underscored the value of a zero trust architecture and accelerated the government’s adoption of zero trust principles.
To explore the momentum, priorities, and challenges around the evolution to zero trust, MeriTalk and Merlin Cyber surveyed more than 150 federal cybersecurity executives. In part one of a four-part webinar series that explores the findings of the “Zeroing In: 2022 State of Federal Zero Trust Maturity” survey, MeriTalk and Miguel Sian, Merlin’s Vice President of Technology, sat down with Renata Spinks, Assistant IT Director/Deputy CIO of Information, Command, Control, Communications, and Computers (IC4), Marine Corps, to discuss the Identity Pillar. This blog post captures some of the key parts of their conversation.
Note: The views presented by Ms. Renata Spinks, USMC, are hers alone and do not necessarily represent the official views of Department of Defense (DOD) or any of its components. Further, neither Ms. Renata Spinks, the Department of Defense (DOD), nor any of its components expressly or impliedly endorse Merlin Cyber Security, its products, or the views of any of the other panelists of the virtual event.
MeriTalk: Research shows 78% of federal cybersecurity decision-makers feel a strong sense of urgency for implementing zero trust and 73% are aggressively adopting zero trust principles. Also, 75% of DoD and 67% of civilian agencies rank identity as the most important pillar. What makes identity such a critical part of the zero trust equation?
Renata Spinks: When you think of identity within the big picture of a zero trust architecture, you are trying to make sure the right person has access to the right data, at the right time, and in the right way. Data and identity go hand in hand because what the adversary is after is data. The target is not my network, device, identity, or application. The target is the data. Everything else is how to get to the data. That is how an adversary thinks. To get to the data, you have to be something identified on the network. That is why identity is so critical.
Miguel Sian: To use an analogy of Jenga blocks, if you pull out the identity block, everything crumbles. The application, data, network, and device pillars all rely upon a mature process for identity management. If you don’t have a functioning identity management system that allows you to authorize and provision least-privilege access, then you are exposed to potential threat actors. Low-hanging fruit from the Executive Order that agencies could implement today is phishing-resistant multi-factor authentication (MFA). That should be table stakes at this point.
MeriTalk: Overall, 77% of DoD and 75% of civilian agencies say reaching optimal maturity for the Identity pillar will be a challenge. Starting with visibility and analytics, 83% of DoD and 78% of civilian agencies view this as somewhat or very challenging. Because this goal defines optimal maturity as centralizing user visibility with high-fidelity attributes and user and entity behavior analytics, can you talk about the challenges?
Spinks: Visibility and analytics will be a challenge, but not because the technology doesn’t exist. As agencies move to the cloud, command and control for identity access and control is shifting to platforms like Google Workspace, Office 365, and other services. Those platforms and services come with inherited capabilities that help us get visibility. Because there is so much big data coming at you, the challenge is designing a process to integrate every segment of these multi-faceted approaches for visibility. If we are not capturing the right data, and putting in place the analysis that is needed, access on the other end is going to be just as flawed. We have to make sure we provide the right data, categories, and attributes for these advanced analytics to do their job in an efficient manner.
Sian: Visibility and analytics validate the importance of having a single identity store that allows you to perform advanced analytics with high fidelity and speed, because the last thing you want to do is affect the user experience. OMB Memo M-22-09, Moving the U.S. Government Toward Zero Trust, discusses combining multiple data sources and data telemetry, such as user context data with device context data, to make intelligent and timely decisions for granting access.
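The access decision Sian describes (user context and device context combined into one timely grant-or-deny decision, with phishing-resistant MFA and least privilege as the floor) can be made concrete with a small policy engine. The following is an added illustration written for this post, not code from the webinar, from Merlin Cyber, or from M-22-09; the attribute names, the three sensitivity tiers, the set of authenticators treated as phishing-resistant, the 60-minute posture window and the risk-score threshold are all assumptions chosen for the example, and the users and devices are constructed sample inputs.

```python
"""
Added example: a policy decision point that combines user context (who is
authenticating, how strongly, and how anomalous their behavior looks) with
device context (is the endpoint managed, compliant, recently checked) before
granting access to a resource. Every threshold below is an assumption.
"""
from dataclasses import dataclass, field

# Assumption: only these authenticator types count as phishing-resistant here
PHISHING_RESISTANT = {"piv", "fido2", "passkey"}
POSTURE_MAX_AGE_MINUTES = 60    # assumed freshness window for device posture
RISK_DENY_THRESHOLD = 70        # assumed behavior-analytics cutoff (0..100)


@dataclass(frozen=True)
class UserContext:
    user_id: str
    roles: frozenset            # roles provisioned in the identity store
    mfa_method: str             # "password", "totp", "sms", "piv", "fido2", ...
    risk_score: int             # from user/entity behavior analytics, 0..100


@dataclass(frozen=True)
class DeviceContext:
    device_id: str
    managed: bool               # enrolled in device management
    compliant: bool             # patched, encrypted, endpoint agent healthy
    posture_age_minutes: int    # minutes since the last posture check


@dataclass(frozen=True)
class Resource:
    name: str
    required_role: str
    sensitivity: str            # "low" | "moderate" | "high"


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(user: UserContext, device: DeviceContext, resource: Resource) -> Decision:
    """Return a Decision; each denial records why, so analysts can see it."""
    d = Decision(allow=True)

    # 1. Least privilege: the role must be explicitly held, no implicit grants
    if resource.required_role not in user.roles:
        d.allow = False
        d.reasons.append(f"role {resource.required_role!r} not held")

    # 2. Identity strength: phishing-resistant MFA above the low tier
    if resource.sensitivity != "low" and user.mfa_method not in PHISHING_RESISTANT:
        d.allow = False
        d.reasons.append(f"mfa {user.mfa_method!r} is not phishing-resistant")

    # 3. Device context: managed, compliant and freshly checked above the low tier
    if resource.sensitivity != "low":
        if not (device.managed and device.compliant):
            d.allow = False
            d.reasons.append("device not managed/compliant")
        if device.posture_age_minutes > POSTURE_MAX_AGE_MINUTES:
            d.allow = False
            d.reasons.append("device posture stale")

    # 4. Behavior analytics: high-sensitivity access is refused on elevated risk
    if resource.sensitivity == "high" and user.risk_score >= RISK_DENY_THRESHOLD:
        d.allow = False
        d.reasons.append(f"user risk score {user.risk_score} too high")

    return d


def demo() -> dict:
    """Constructed sample inputs exercising each signal; returns name -> Decision."""
    payroll = Resource("payroll-db", required_role="finance", sensitivity="high")
    wiki = Resource("team-wiki", required_role="staff", sensitivity="low")
    good_device = DeviceContext("laptop-01", managed=True, compliant=True, posture_age_minutes=5)
    byod = DeviceContext("phone-99", managed=False, compliant=False, posture_age_minutes=5)
    alice_piv = UserContext("alice", frozenset({"finance", "staff"}), "piv", risk_score=10)
    alice_totp = UserContext("alice", frozenset({"finance", "staff"}), "totp", risk_score=10)
    alice_risky = UserContext("alice", frozenset({"finance", "staff"}), "piv", risk_score=85)
    bob = UserContext("bob", frozenset({"hr", "staff"}), "piv", risk_score=10)
    return {
        "strong_user_good_device": evaluate(alice_piv, good_device, payroll),
        "weak_mfa": evaluate(alice_totp, good_device, payroll),
        "unmanaged_device": evaluate(alice_piv, byod, payroll),
        "anomalous_behavior": evaluate(alice_risky, good_device, payroll),
        "wrong_role": evaluate(bob, good_device, payroll),
        "low_tier_relaxed": evaluate(alice_totp, byod, wiki),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} allow={decision.allow} {decision.reasons}")
```

The point of the tiering is the one Sian raises about user experience: the low-sensitivity resource is reachable with a weaker authenticator and an unmanaged device, while the high-sensitivity one requires every signal to line up, and every denial carries a reason the visibility-and-analytics layer can record.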
MeriTalk: When asked which of the high-level trust goals are most important to your agency, civilian agencies rate enabling safe use of cloud services as most important, and DoD agencies rate intelligent automation of security actions as most important. Why do you believe that is so?
Spinks: Automation provides three things. First, it minimizes the risk of human error. The probability of error goes down when we are using clear processes to automate systems. Second, it forces a deliberate approach to process, such as how to authenticate a user, because you can’t automate a process if you don’t understand the process. Third, it gives you speed. We have to be able to keep up with adversaries who are using numerous automated techniques. Reduced risk, clarity, and speed are why automation is so critical. Now, you follow that with cloud because of the robust infrastructure and scale the cloud gives you. We see the cloud and automation as joined together, and these are our areas of focus.
Sian: To add to that, cloud enables many of the principles of zero trust, namely more automation, programmability, speed, scale, and inherent security protections. Cloud adoption was accelerated largely by the pandemic. Now, government agencies realize that cloud is not such a bad thing. The cloud helps us accelerate our mission and gives us a better security posture. By leveraging it to the best of our abilities, we can eliminate a lot of the complexity of legacy systems and check the boxes in meeting some of the zero trust objectives.