CISA's Associate Director for Vulnerability Management Jay Gazlay expressed concerns about the infrastructure and tools deployed when implementing a zero trust architecture.
“The current state of these infrastructures is pretty porous,” Gazlay said at GovCIO Media & Research's Zero Trust Breakfast on Thursday. “Our penetration teams…get in almost every time and exfiltrate almost any data they want to grab.”
Organizations have done a good job creating seamless user experiences for accessing data in the cloud, but that also opens them up to increased cybersecurity risks.
"I have personal concerns about bolt-on infrastructure and the security of the tools that are getting deployed. We know that the adversary will be shifting their focus to these tools because they will be so permissioned in these new environments," Gazlay said. "Anytime you're giving an identity tool or a data management tool rights to your infrastructure, those are some pretty powerful rights. We've gotta be careful about that."
When it comes to tagging and cataloging data and organizing the infrastructure for zero trust, the issue most federal agencies have run into, in Gazlay's experience, is a scaling problem.
"I can think of one federal infrastructure that … I can go in right now and support, and go 'yeah, I can get all the data organized here, I can enable for zero trust, it's going to be great.' And that was a senator's office that has 16 staff," Gazlay said. "So the scaling problem here is monumental."
Data management is critical to creating a solid foundation for zero trust. Organizations must start at the identification phase before getting to the point of protection.
"If you don't know how to structure your protection mechanisms, if you don't know how to structure the information you want to exchange, you're not going to have an idea how to budget design or protection," Gazlay said.
Preserving the user experience while maintaining a strong cybersecurity posture requires technology modernization if federal agencies are to get the results they need.
"Some of those systems are 20, 30, 40, 45 years old, and our instruments for protecting them are pretty blunt," Gazlay said. "I mean, I think that many of us still work in agencies that have green screens, or maybe still logging into IBM mainframes. And the ability to do just in time identity access to that in a low friction way. [Technology is] just not there."