With agencies undertaking a comprehensive shift in their security architectures toward a zero trust approach, cybersecurity experts are trying to make the changes more understandable for everyone in an organization.
Breaking down the concept into easy to understand areas can help security teams have conversations with noncybersecurity experts in an organization who will nonetheless be key contributors in the transition to zero trust, said Dan Carroll, field chief technology officer for cybersecurity at Dell Technologies...
Every computer, every network device, all of it has an identity that has to be accounted for and has to be authorized to do things on the network that it only needs to do.
Field CTO for Cybersecurity, Dell Technologies Federal Systems
With agencies undertaking a comprehensive shift in their security architectures toward a zero trust approach, cybersecurity experts are trying to make the changes more understandable for everyone in an organization.
Breaking down the concept into easy to understand areas can help security teams have conversations with noncybersecurity experts in an organization who will nonetheless be key contributors in the transition to zero trust, said Dan Carroll, field chief technology officer for cybersecurity at Dell Technologies Federal Systems.
“What has been great is I can have a discussion on zero trust with anybody, from someone in the CTO or CIO space, but also other organizations that really have a lot of influence but don’t realize it, like procurement,” Carroll said during Federal News Network’s Zero Trust Cyber Exchange. “Procurement is a big buyer of IT, but they aren’t necessarily IT engineering people. So helping them understand things that they should think about when looking at purchasing has become kind of critical.”
The Office of Management and Budget’s zero trust strategy recognizes the dramatic paradigm shift the security model represents for most agencies. “This process will be a journey for the federal government, and there will be learning and adjustments along the way as agencies adapt to new practices and technologies,” the strategy states.
The strategy rests on the pillar model outlined by the Cybersecurity and Infrastructure Security Agency, which lays out five complementary areas of effort: identity, devices, networks, applications and workloads, and data. CISA’s zero trust model also describes three themes that cut across the five pillars: visibility and analytics, automation and orchestration, and governance.
Carroll said he often explains the concept of zero trust by explaining a use case most people can understand: accessing work email on their cell phones.
“I take my cell phone, and I’ll go, ‘I have a cell phone. I am a user. I use my user identity belonging to my cell phone,’ ” he said. “I may use a virtual private network to go across the network to access my email client. And that gives me access to my email, which is data.”
In that simple example, Carroll hits on all of the pillars. “This helps illustrate to them how people, regardless of where they are in the organization or in the enterprise network, play a role in protecting data,” he said. “We’re seeing more and more of these conversations. And being able to break it down for them and help them with that messaging has been critical.”
That same example also teases out one of the more challenging ideas in implementing a zero trust approach: Identity extends beyond a human user’s credentials to the device as well.
“My cell phone is a device. It’s unique to me. It has its own machine identity that needs authorization to get on the network — or it should,” he said. “Every other thing connected to your network should be the same way. Every computer, every network device, all of it has an identity that has to be accounted for and has to be authorized to do things on the network that it only needs to do to operate and to contribute to the operations and success of the organization.”
The move to using machine identity can also help drive security conversations toward application and service identity as well, he said.
“When you hear about some of the different exploits that come out, when applications and services start acting in ways that they’re not supposed to, they should have their own identity to be able to function on the network and be allowed to access the data or systems they need to work, and then should be monitored to make sure they’re not trying to do anything they shouldn’t be doing,” Carroll said.
To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.
Field CTO for Cybersecurity, Dell Technologies Federal Systems
