Hubbard Radio Washington DC, LLC. All rights reserved. This website is not intended for users located within the European Economic Area.
Date: On demand
Duration: 1 hour
It’s been clear since the term “zero trust” first landed in the federal sector that ensuring the identity of the user is central to implementation.
The Cybersecurity and Infrastructure Security Agency (CISA) said in its zero trust maturity model that agencies must move away from simply using passwords to validate identity and instead use a combination of factors to validate and continuously verify that identity throughout the duration of their interactions with services or data.
The challenge, of course, is agencies have been working on identity and access management for the better part of 20 years.
In the build-up to the zero trust mandate, we saw the Office of Management and Budget and the National Institute of Standards and Technology update key policy memos and technical guidance. Both addressed new challenges and opportunities in identity and access management (IDAM), such as cloud, robotic process automation and managing a hybrid environment where some applications live in the cloud and some live in on-premises data centers.
As agencies take advantage of the new policies, technical guidance, and, of course, innovations coming from the private sector, they have already been evaluating and remapping their plan to strengthen and expand IDAM.
Among the questions that emerge are how best to move to a micro-segmentation architecture to protect systems and data, what data you are trying to protect and at what impact level, and how to balance security with ease of use.
The first step to achieve that balance is to reduce the number of identity sources of truth agencies have built up over the last two decades.
Creating services for all to use
Robert Costello, the chief information officer at CISA in the Homeland Security Department, said getting down to one source of truth for managing identities will help create a single sign-on for the enterprise.
“We’re going to provide a lot of the zero trust solutions like remote access and other things. So my role won’t be to develop those mission systems that are happening in the cybersecurity area, but I want to provide that strong foundation that people can build off of,” Costello said during the panel discussion Adopting the Zero Trust Security Model.
Sean Frazier, the federal chief security officer at Okta, said it’s not all that unusual for agencies to have 20 or more sources of truth for their identity management processes. He said that as agencies deployed new applications, they either layered identity on top to enhance security or simply used the capabilities that came with the software.
“As we think about identity now, we look at identity as critical infrastructure to get access to the applications and also as the most attractive front door for attackers, for obvious reasons. It behooves us and it’s one of the reasons why some of the guidance has come out of CISA and out of OMB has been to get your security, your single sign-on security house in order by moving to a common enterprise service that you provide to your organization that is secure,” Frazier said. “The device context is also key to make sure the device is in good stead and the user is in good stead, and you can do that at wire speed when users request things.”
To get to the point where a single sign-on service can make decisions at wire speed, agencies have to understand who their users are.
Beau Houser, the chief information security officer at the Census Bureau in the Commerce Department, said his office is creating personas for those who interact with the agency, whether employees or citizens.
“We have every persona to think about as we move into more of a zero trust approach. We’re exploring services…to meet those users where they are, whether it’s the business community, the general population or a federal partner,” he said. “If they already have a Login.gov account or if they have an Okta account or an ID.me account. We want to be able to leverage those services with our services so we’re trying to work that into our redesign for our internal users. The question I ask is, how do we dial up the rigor if this is a privileged user? With the general population, obviously, you can’t require a specific device. But for a privileged user, I can absolutely require a specific device, and I can maintain the awareness of the device that they’re using.”
Continuously verify access
Houser said the personas will also help the Census create its future state of technology.
“We’re working now on an enterprise survey system and we’re incorporating the zero trust principles, natively, inherently, look using some of the lessons learned that we’ve already used and maximizing things like our cloud capabilities,” he said. “You’ve got cloud; you’ve got zero trust; you’ve got secure access service edge (SASE) as the replacement for the traditional VPN. All these components come together to give you many, many more tools in your toolbox to be very surgical with the access and then continuously verify the access.”
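As an added illustration (not code from the panel, Census, CISA or any vendor) of the two ideas above, dialing up rigor for a privileged persona by binding access to a specific, healthy device, and continuously verifying access by re-running the policy on every request. The personas, identity sources, device registry and time limits are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: a small policy engine that applies different rigor per
# persona and repeats every check on every request (continuous verification).

@dataclass
class Request:
    persona: str               # "public", "employee" or "privileged"
    idp: str                   # identity source that authenticated the user
    mfa: bool                  # a second factor was presented
    device_id: Optional[str]   # device identifier reported by the client, if any
    device_healthy: bool       # result of the device posture check
    minutes_since_auth: int    # age of the authentication event

# Hypothetical policy table: accepted identity sources, whether MFA and a
# registered device are required, and how old the authentication may be.
POLICY = {
    "public":     {"idps": {"login.gov", "id.me", "okta"}, "mfa": False, "device": False, "max_age": 720},
    "employee":   {"idps": {"okta"}, "mfa": True, "device": False, "max_age": 480},
    "privileged": {"idps": {"okta"}, "mfa": True, "device": True, "max_age": 15},
}
# Constructed registry of devices bound to privileged users.
REGISTERED_DEVICES = {"privileged": {"dev-admin-01"}}

def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Nothing is cached from earlier calls, so a
    session that was allowed a moment ago is denied as soon as context changes."""
    rule = POLICY.get(req.persona)
    if rule is None:
        return False, "unknown persona"
    if req.idp not in rule["idps"]:
        return False, "identity source not accepted for persona"
    if rule["mfa"] and not req.mfa:
        return False, "mfa required"
    if rule["device"]:
        # Privileged users must present a device the enterprise already knows.
        if req.device_id not in REGISTERED_DEVICES.get(req.persona, set()):
            return False, "unregistered device"
        if not req.device_healthy:
            return False, "device posture failed"
    if req.minutes_since_auth > rule["max_age"]:
        return False, "reauthentication required"
    return True, "allow"

def verify_session(requests: List[Request]) -> List[Tuple[bool, str]]:
    """Continuous verification: re-evaluate each request of a session in turn."""
    return [evaluate(r) for r in requests]
```

The public persona is deliberately permissive (any accepted external identity source, no device requirement), while the privileged persona fails closed on an unknown or unhealthy device and forces reauthentication after 15 minutes.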
Costello added auditing privileged users is something he’s spending a lot of time on.
“How do I temporarily escalate privileges? How am I auditing that? How am I going through that? We learned very quickly that while we never want an account compromised, when certain accounts are compromised, it is very difficult to recover from those events in certain environments,” he said. “SolarWinds, I think, was something that taught us what we have known for years: when we run into these situations where the keys to the kingdom or those privileged accounts are compromised, that’s something that is very difficult to recover from.”
He said CISA is looking to partner with software providers to ease the burden on employees as they are proofing people against the agency’s policies.
Larry Kiger, Americas lead for security and compliance for the Worldwide Public Sector at Amazon Web Services, said implementing micro-segmentation on your network can improve privileged account security and let you take advantage of more rigorous identity and access management capabilities.
“I just got finished with a conversation with one of our partners [in May] that is a large DoD provider, and they specifically were talking about how do they separate their FedRAMP High networks from their DoD impact level 5 or 6 networks and still support their customers?” Kiger said. “That really is all about micro-segmentation at that point.”
Chief Information Officer, Cybersecurity and Infrastructure Security Agency
Robert (Bob) Costello is the Chief Information Officer (CIO) at the Cybersecurity and Infrastructure Security Agency (CISA). As the CIO, he leads the Agency’s efforts to develop, deploy, secure, and support technology solutions for the agency.
Bob brings a wealth of experience, having served over 13 years at DHS, both at Immigration and Customs Enforcement and at Customs and Border Protection. He also served in the Senior Executive Service as the Executive Director (XD) of the Office of Information and Technology (OIT) Enterprise Networks and Technology Support Directorate (ENTSD) at CBP, while serving concurrently as Acting XD of the Border Enforcement and Management Systems Directorate. During his tenure in ENTSD, he oversaw the modernization of the largest data network in DHS, improved connectivity to cloud service providers, and dramatically increased the agency’s usage of mobility platforms. He also oversaw the agency’s move to the TIC 3.0 framework and implemented zero trust solutions at the network level. He led the operations of the agency’s land mobile radio network, the National Law Enforcement Communications Center, and maintenance of the non-intrusive inspection systems used at all ports of entry. He also directed all software development for the U.S. Border Patrol and all of the agency’s mission support systems, moving over 100 applications to a SecDevOps development methodology. He was also heavily involved in implementing IT solutions for COVID-19, redesigning remote access solutions and deploying several new applications.
Chief Information Security Officer, Census Bureau
Beau Houser is the Chief Information Security Officer (CISO) for the U.S. Census Bureau, U.S. Department of Commerce. He is responsible for managing and executing cybersecurity responsibilities in support of critical and complex business programs including the decennial census, demographics and economic statistics. Prior to joining the Census Bureau, Mr. Houser served as the CISO for the U.S. Small Business Administration. He has also served as the Deputy CISO for the Centers for Medicare and Medicaid services.
Mr. Houser holds a Master’s degree in Cyber Systems from the Naval Postgraduate School and a Bachelor’s degree in Information Technology from Barry University. He is also a Certified Information Systems Security Professional (CISSP) with a concentration in Engineering.
Executive Security Advisor, World Wide Public Sector, Amazon Web Services
Larry Kiger is on a mission to educate and help information technologists and executives grow their understanding of IT security and compliance in the cloud. He joined Amazon Web Services (AWS) in 2019 and now serves as a Senior Executive Security Advisor on the Worldwide Public Sector team. His customers include Department of Defense NATSEC, national and federal governments, and partners in the United States, Canada, Latin America and the Caribbean. Prior to AWS, Larry held several notable leadership positions, including Senior Manager, Cyber Security and Compliance, First American Payment Systems; Global Lead, Security Operations for Alcon Corporation; and Privacy Officer for the Department of the Interior, Office of Surface Mining Reclamation and Enforcement.
Federal Chief Security Officer, Okta
Sean Frazier has worked in cybersecurity in the public and private sectors for over 20 years, including projects in the DoD, the IC and civilian agencies such as DHS, DISA and many others. Sean has also worked with many brand-name Fortune 500 customers on security initiatives ranging from mobile security to cloud security and all things in between. Sean also enjoys music, cars, technology history and good food. Really good food.
Executive Editor, Federal News Network
Jason Miller has been executive editor of Federal News Network since 2008. Jason directs the news coverage on all federal issues. He has also produced several news series, among them on whistleblower retaliation at the SBA, the impact of the Technology Modernization Fund and the ever-changing role of agency CIOs.