The cybersecurity threat landscape evolves at a breakneck pace, and staying ahead of adversaries is a near-impossible feat for even the most agile security firms. That challenge is compounded for large, heavily regulated, organizations. As a Security Architect at Aquia, and a Zero Trust SME for one of the nation’s largest federal agencies, I am constantly struck by the challenges facing our most critical federal systems as they work to adapt to a constantly evolving cyber threat landscape. Consider a large federal agency, with a massive employee population, that embraces a hybrid cloud model designed to meet its unique set of business requirements. Processing sensitive information for stakeholders across the country means that this agency faces the entire scope of security challenges, from protecting citizen identity data to securing help desk services. Adopting contemporary security best-practices like Zero Trust micro-segmentation, can minimize the risk of this agency leaking information during a cyber attack. Seems like a no-brainer. Implementing microsegmentation, however, requires the logical separation of nearly every aspect of an information system, and that can feel daunting at best for enterprises of scale-there’s a lot of data and real estate to consider. Where does this agency even start?
That challenge of adoption has plagued our nation’s federal agencies for years. Addressing this challenge was the focus of this month’s Adapt Summit: “Reimagining Our Federal Cyber Future’’ hosted by Axonius Federal. Adapt centered around public and private sector insights into the mounting adversarial abilities confronting US federal agencies, and how those agencies can adapt. How could strategic implementation of Zero Trust and other cutting edge security frameworks across federal operations help secure our future security? The prevailing message was that US federal agencies are being outpaced by adversaries ranging from private actors to nation-state sanctioned attackers, and immediate changes to how these agencies address adoption of security frameworks are needed to stave off disaster. With limited resources and a nearly inexhaustible threat, our nation’s federal security systems must adapt, and not in the ways you might traditionally expect.
Gurpreet Bhatia, The Department of Defense’s (DoD) Principal Director for Cybersecurity and Deputy CISO, set the tone for the day in his keynote by addressing the importance of Zero Trust to mission success. The DoD’s roadmap is aggressive, calling for full Zero Trust Security deployment by 2027. To meet that aggressive goal, Bhatia highlighted the Defense Information Systems Agency (DISA) helmed Thunderdome Initiative. This initiative, a Zero Trust network access architecture utilizing commercial technologies such as Secure Access Service Edge (SASE), Software Defined-Wide Area Networks/Customer Edge Security Stack (CESS), and Application Security Stacks, has successfully proven to enhance security and network performance. Thunderdome exemplifies a shifting DoD emphasis on embracing the power of enterprise technology to transform federal cybersecurity. Bhatia also brought focus to the DoD’s commitment to share out “open-source” Zero Trust best practice guidelines, like their hotly anticipated mapping of the NIST 800-53 controls against the five pillars of the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model (Identity, Devices, Networks, Applications and Workloads, and Data).
And Bhatia was on to something. There has long been a divide between the public and private sectors of cybersecurity, but here was a federal employee, from the DoD of all agencies, striking a dramatically different tune. Bhatia emphasized that Zero Trust Leaders’ superpower is their ability to openly partner with both federal and commercial stakeholders to advance Zero Trust Security. By doing so, these leaders from both the public and private sectors can focus beyond case-by-case implementation to establish a holistic and centralized national strategy for Zero Trust best practices. The unique role Zero Trust Leaders play in fostering high-speed public-private partnerships means they can focus on embracing bleeding-edge technology, helping them combat rapidly evolving adversarial threats. These partnerships can also enhance cloud integrations, allowing legacy systems to more seamlessly embrace modernization through hybrid-cloud or cloud-native architecture, resulting in much-needed agility for federal infrastructures. These integrations can also enable Zero Trust implementations like Software Defined Perimeter and Zero Trust Native Architecture, which rely on cloud-based infrastructure to dynamically provision, manage, and scale security controls and access protocols via centralized cloud services. Embracing the private sector’s impact on public security practices also creates space for a centralized national approach to Zero Trust. Unified and standardized implementation and regulation methodologies offer clarity to this complex security framework, saving time and resources. The mounting threats challenging our nation’s federal agencies requires a cohesive strategy that integrates various components of Zero Trust to ensure robust security measures that align with international standards. Embracing partnerships, standardization, and open collaboration could be the key in combating those threats.
Hearing these insights from a federal perspective, that has not traditionally rapidly-embraced the significance of private-sector contributions and community-based solutions, seemed like a remarkable shift.
Bhatia wasn’t the only federal leader addressing some of the biggest cybersecurity concerns in the federal space by advocating for embracing enterprise solutions and a holistic approach to Zero Trust security. Richard Grabowski, Deputy Program Manager of CISA’s Continuous Diagnostics and Mitigation (CDM) program, added to the conversation surrounding modernization and agility by highlighting the evolution of CISA’s cybersecurity measures. CISA’s guidance is shifting from a rigid compliance-based framework, towards more adaptable guidance. CISA’s new approach stresses the importance of evolving software asset management to better address current cybersecurity threats within constrained budgets. That focus on adaptability is critical to effectively manage software assets, particularly when addressing Zero Trust in the Applications and Workloads pillar. It was exciting to hear a government partner talk about the transformative power of leveraging open source security and embrace the need for software bills of materials (SBOMs), both being critical components for Zero Trust visibility and analytics and supply chain risk management. We’ve all read the mandates and executive orders calling for improved cybersecurity practices, but here were real government leaders advocating for collaboration with the enterprise space to actually get things done.
The theme surrounding the value of industry, and specifically enterprise software assets, was taken a step further by Kim Pugh, the Director for Digital Transformation Center within the U.S. Department of Veterans Affairs (VA’s) Office of Information Technology. Pugh outlined the importance of upskilling within the VA to maximize the effective use of Software-as-a-Service (SaaS) products, sharing details of the “Software Factory” initiative that trains IT staff to integrate SaaS components securely and efficiently, bringing the VA to the forefront of leveraging enterprise solutions to galvanize and transform the agility of a federal agency. Aquia has been actively working to improve federal agility through our SaaS Governance initiative, which allows our federal partners to leverage cutting-edge software technologies to quickly and securely transform government work. Here was yet another federal agency advocating for digital transformation driven by enterprise expertise.
What had gotten into all these Feds? It was like, suddenly, everyone in the conference room had drunk the Kool-aid and was touting collaboration, centralization, and a holistic approach to ensuring top-down security.
Building on these discussions, Bhatia’s insights further illustrate a vision where Zero Trust becomes an integral component of all federal operations, emphasizing interoperability and standardized protocols. This forward-looking approach promises to enhance our security defenses, improve threat detection, and achieve a more compliant federal infrastructure. Central to this strategy is the adoption of a data-centric security model that emphasizes continuous validation of both user identity and device integrity within a framework of least privilege access strategy. This model is crucial for maintaining the integrity and security of our federal operations against emerging threats.
Reflecting on the discussions at Axonius Adapt and looking toward the future, I see critical steps for advancing Zero Trust security within the federal landscape, and a welcomed and long-overdue emphasis on the transformative power of community collaboration. Emphasizing the integration of various technological platforms and federal agencies is essential to navigate the complexities of adopting complicated security frameworks like Zero Trust. By fostering a unified security environment and a shared security language that effectively incorporates Zero Trust principles, we can build a stronger and more efficient defense mechanism. This should involve collaborative efforts within and between agencies to standardize Zero Trust approaches, coupled with leveraging public-private partnerships to harness private sector innovations. These steps are vital for deploying scalable and adaptable Zero Trust architectures that can adapt swiftly to the evolving threat landscape. Hearing these same opinions reflected from federal leaders at Adapt was a welcome change, and one that gets me excited to continue to collaborate with our federal partners to see what the future holds for Zero Trust.
At Aquia, our goal is to help everyone stay ahead in today’s challenging cybersecurity landscape. Check out Aquia Tributary, or the Aquia LinkedIn page to follow along as we dig into all things Zero Trust. If you are interested in learning more about how we have championed the creation and implementation of Zero Trust policies and maturity models on the federal level, or would like to discuss how we can help you on your Zero Trust journey, contact us today.
Mack Wartenberger is a mid-level Security Architect with Aquia. LinkedIn.
If you have any questions, or would like to discuss this topic in more detail, feel free to contact us and we would be happy to schedule some time to chat about how Aquia can help you and your organization.