DOD Zeros in on Culture For Zero Trust Buy-In

Identity management and culture are two of the biggest challenges facing federal agencies as they deploy zero-trust architectures.
At GovCIO Media & Research’s CyberScape: ID event, Navy CTO Jane Rathbun called out identity management as key to a robust zero trust framework.
The COVID-19 pandemic presented the Navy with an opportunity to begin leveraging a zero-trust framework through implementation of Microsoft Office 365, she said. The old system had multiple security, management and latency problems, which prompted the Navy to pivot to a new one designed with zero trust in mind.
Protecting data hasn’t always been a major focus for the Navy, but it will be the new priority under an identity-driven, zero trust approach to security.
“We have always been about protecting the perimeters,” Rathbun said during the event. “Protecting the data — it hasn’t been the focus. That pivot to protecting data, tagging data and knowing who should have access to that data — those are going to be the big challenges.”
Angelica Phaneuf, CISO at the Army Software Factory, said identity management is the foundation for zero trust architecture, but it can be challenging in the DOD environment, which requires zero trust interoperability.
“Finding an identity solution to a centralized identity that is approved and authorized and is flexible enough for a true zero trust identity management is extremely difficult,” she said.
Identity, credential and access management (ICAM) solutions are the core of a zero trust structure.
“ICAM doesn’t work in isolation, you can come up with a strong ICAM solution, but without things like policy enforcement points, you haven’t gotten across the interim finish line for zero trust,” said Fortinet Federal CISO and Vice President Jim Richberg at the event.
Gerald Caron, CIO of the Department of Health and Human Services Office of the Inspector General, echoed Richberg’s comments, emphasizing identity as the primary pillar of zero trust.
“Identity is about right information of the right people at the right time,” Caron said. “We have to be judicious about it, we rely on data every day to make decisions, and that’s what we are trying to protect at the end of the day.”
Rathbun believes the Navy’s federated approach to identity solutions has played a critical role in helping prepare the Navy for zero trust.
“When it comes to executing identity and managing identity and managing identity solutions for our customer base, we need to federate that down to the service level so they have the freedom of maneuverability for their mission sets,” Rathbun said.
The Army’s digital transformation strategy, led by CIO Raj Iyer, has been vital for helping the Army pivot to zero trust.
Paul Puckett, director of the Army’s Enterprise Cloud Management Agency (ECMA), said the group has been a proving ground for what the Army’s zero-trust framework needs to look like.
“[We’re] looking at a software-defined perimeter that not only enforces critical components of zero trust, but also allows us to expand how we connect globally especially with a distributed workforce,” Puckett said during the event. “How do we start to get more insurances when it comes to the people and devices accessing the applications and services in a secure manner from unknown and untrusted networks and having the control when it comes to data and services being applied as an enterprise capability within those applications brokering real-time secured access to information?”
The agency’s zero trust pilot, Project Drawbridge, takes the old “castle-and-moat” approach to cybersecurity and updates it within the context of the cloud.
“Taking what is learned in Project Drawbridge and implementing that as the core components of the enterprise cloud environment that we call cARMY,” Puckett said. “Enabling this transitional architecture that moves from network perimeter security model that we have today and move toward a cloud app to security edge to service edge model when it comes to distributed users and systems accessing data in a secure manner globally.”
The importance of culture when implementing zero trust continues to be a high priority throughout DOD. Phaneuf feels culture is critical to ensuring zero trust is utilized and trusted by the DOD community in an interoperable way.
“When you can affect change in the culture, you can affect the change of how the entire community operates, ultimately allowing you to impact new solutions and new technology with immediate buy-in from your community,” Phaneuf said.
Many agencies have discovered that culture and strategy with identity solutions can help move the needle on federal cybersecurity.
“We are pivoting from the concept cybersecurity to the concept of cyber readiness, where it’s a continuum where every day you earn your right to operate because your capability is cybersecure and you’ve done the things you need to do,” Rathbun said. “In the Navy, we have a CISO office, acquisition organization and CIO organization, and everyone has to work together to articulate that North Star of the operating culture we want to create and then take that and define the policies, process changes, role changes and articulate this to industry as our strategic partner.”