Agencies are inundated with conversations about the challenges and opportunities of implementing a zero trust strategy.
James Yeager, vice president for public sector at CrowdStrike, said those discussions have led to some myths and misunderstandings about what zero trust means for agencies.
Zero trust is not a technology issue
Yeager, for example, dispelled the myth that zero trust is just a technology problem.
“In our estimation, zero trust is not really solving a...
It’s really important that we let our employees know that this doesn’t mean we don’t trust you. It’s more that we’re living in a very ephemeral and volatile security state, and the ground underneath us is constantly shifting, and so we need to be more adaptive.
Vice President, Public Sector and Healthcare, CrowdStrike
Agencies are inundated with conversations about the challenges and opportunities of implementing a zero trust strategy.
James Yeager, vice president for public sector at CrowdStrike, said those discussions have led to some myths and misunderstandings about what zero trust means for agencies.
Yeager, for example, dispelled the myth that zero trust is just a technology problem.
“In our estimation, zero trust is not really solving a technology problem. It’s really aimed at solving a business problem and helps to ensure or preserve favorable or intended business outcomes, rather than technology use cases,” he said during Federal News Network’s Zero Trust Cyber Exchange.
Agencies should also understand that they simply can’t buy an off-the-shelf product or service to comply with zero trust mandates, Yeager said. “If you’re looking to get a zero trust product, if you’re looking to just buy zero trust, I think ultimately you’re probably asking the wrong questions,” he said.
Zero trust also doesn’t mean that agencies don’t trust their employees.
“It’s really important that we let our employees know that this doesn’t mean we don’t trust you. It’s more that we’re living in a very ephemeral and volatile security state, and the ground underneath us is constantly shifting, and so we need to be more adaptive,” Yeager said.
Zero trust doesn’t need to be hard to implement, he said, adding that many organizations have already completed much of the groundwork essential to implementing a zero trust strategy.
“Effectively, what zero trust is saying is it’s no longer trust but verify, it’s never trust and always verify. So look at the approach to IT and security that you have today and ask yourself some basic questions: Where are the gaps? Where are we going?” Yeager said. “If you’re migrating to the cloud environment, there’s some complexity and some new challenges there. Zero trust, I think, in the end aims to help that, but you need to have a very honest and humble discussion with your teams, and an assessment about where you are today, from a technology perspective. Marry that up with the business challenges, and I think that’s going to shine a light for you on your path.”
Yeager also dispelled the myth that zero trust is a new concept. Zero trust has been around for more than a decade, and zero trust guidance has evolved considerably since the origin of the concept.
The National Security Agency and Defense Department have identified critical pillars and key components of zero trust frameworks and models. The National Institute of Standards and Technology’s SP 800-207 also serves as a foundational standard for zero trust and sets a standard for agencies to achieve.
“That’s where you start to see the government apply their sphere of influence,” he said. “The government is getting their fingers on these models and starting to identify what direction we should be headed in is a really important part of the process.”
Yeager, however, said the threat landscape continues to evolve, and agencies are trying to stay ahead of the threats.
“The threat actor and the adversary community is very dynamic. They never sit still. We know that the nature of the attacks are very pervasive and kind of slippery. So what we’re looking at right now is Zero Trust 2.0,” he said.
As part of this evolving work on zero trust, NIST’s National Cybersecurity Center of Excellence recently announced an open comment period on its preliminary draft practice guide for implementing zero trust architectures.
These public-private partnerships remain a crucial element of staying ahead of cyberthreats, Yeager said.
“They know that the government never suggests that they’ve got it all figured out, and they see all the angles. They’re really looking for help, and it’s really our responsibility as an industry and analyst firms to really lean in and say, ‘Hey, here’s what we think you may have missed the first time around.’ ”
To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.
Jory Heckman is a reporter at Federal News Network covering U.S. Postal Service, IRS, big data and technology issues.
Follow @jheckmanWFED
Vice President, Public Sector and Healthcare, CrowdStrike
