The cyberthreat landscape grows more complex every day. Agencies must move quickly to prevent the next cyberattack — especially as threats, and computing itself, become increasingly sophisticated, to the point where even a minor flaw can expose droves of sensitive information. With the move to cloud services, government is depending on service providers to manage its infrastructure securely through a zero trust approach to system security.
“It’s become quite evident that the traditional security measures are not sufficient,” said Leidos Health Group Vice President for Technology and Innovation Chetan Paul. “Technology has evolved, our adversaries have evolved. … The other aspect is driven by the instability in the political landscape that's driving a higher volume of threats.”
There is no one-size-fits-all approach to integrating zero trust throughout the government. Every agency has different missions and different needs — some are focused on big data processing, some are operating public-facing websites and others are migrating to the cloud. Leidos delivers specialized and tailored solutions based on the missions and operational environments of its customers. This includes data modernization, digital modernization, improved user experience and a growing digital workforce.
“It's about building a tailored roadmap, understanding that each customer is unique and being able to assess and understand their environment, get an as-is picture,” said the company's chief cybersecurity architect, Jordan Turek, who holds a doctorate in cybersecurity. “Working with the customer, you determine what their desired end state is, what the applicable government guidelines and requirements are, and merge that with organizational risk tolerances. We help to tailor that solution for them as a trusted partner and integrator.”
Zero trust is about more than just complying with federal regulations and ticking checkboxes. It's about leveraging the latest technology to create a change in mindset surrounding cybersecurity, for comprehensive protection of all of the government’s people, devices, apps, and data — wherever they are located.
“Having a partner who understands not only the policy side — what's the regulation that needs to be implemented as per executive orders or policy — but also how to continuously assess and improve through a lessons-learned, feedback, best-practices cycle is crucial,” Paul said.
Leidos collaborates with government and industry, using proofs of concept, pilot projects, and use cases to meet the specialized needs of each organization's system.
“One of our key cornerstone investments that brings value to our customers is our Leidos Partner Alliance Network,” Paul said. “That brings collaboration with leading industry vendors which offer best-of-technology solutions and platforms which are future-looking. … Agencies have limited budgets. They don't have the bandwidth, time or manpower to vet all of these solutions.
“We follow a detailed and rapid analysis of alternates approach to evaluate the solution options in the context of their objectives for the best fit that meets policy guidelines and maximizes reuse of their existing investment. That drives down the cost to them and accelerates the adoption.”
Leidos is also making significant investments in research and development programs and has established its Cyber Security Center of Excellence, which focuses on solving specific customer needs. To this end, the company has developed customer-centric labs to test and experiment with solutions in a customer-like environment to accelerate the implementation of zero trust.
“We have invested in developing solutions for customers to meet the demands for the ever-changing and evolving landscape,” Turek said. “We have built the Zero Trust Readiness Level assessment, ZTRL, which is a tailored assessment framework that works with a variety of tools, many of which are available as part of government’s security infrastructure.
“It supports identifying gaps in an organization's zero trust readiness and what their target or desired end state is based on their threat risk. … We're able to help them identify technology and solutions that can help them address the advanced level of threats, such as proactive threat assessment mitigation using technologies such as AI and machine learning.”
Robust, proactive, and continuous threat and asset monitoring, backed by a dynamic security and compliance framework, is a key component of zero trust, so organizations can respond quickly to breaches.
“The ability to dynamically adapt — that's what the zero trust framework is bringing,” said Venkatesh Moodliar, health group solution architect at the company. “Through the framework, we are able to provide continuous threat monitoring for our customers.”
Another cornerstone of zero trust is network segmentation and identity verification capabilities.
“When we talk about the users, the important aspect is to not trust anyone,” Moodliar said. “Whatever levels are in the organization, the premise is that everybody is a threat. They could be a CEO, they could be at any level within the organization, you essentially look at everyone with a threat pattern and you continuously validate and authenticate them through multiple means such as AI/ML on behavior patterns, threat patterns and digital signatures for identity verification.”
Zero trust solutions also extend beyond identity verification capabilities to help protect an agency’s unique operation, such as targeted data security for health agencies.
“Typically, people start with thinking about users, their access, securing devices,” Paul said. “But the most forgotten and important thing is the data itself. Data, especially within health care, it's very sensitive, it's personally identifiable information or protected health information — or PII and PHI. And so, securing the data is also one of our key principles of things that we focus on in our solution of zero trust implementation.”
Leidos delivers a comprehensive approach to zero trust solutions, helping agencies adapt to the new standards in cybersecurity.
“The key pillars of our approach are focusing on the outside and inside,” Paul said. “That means securing the perimeter, all entry points — that has been more on the traditional side of cybersecurity — but also having the same policies covering the systems and devices and access controls and data that are inside of the agency’s networks.
“The second piece is offense and defense. Defense is having a solid risk management plan, your vulnerability management, your governance and security framework policies in place. Offense is proactively looking for threats and doing some penetration testing, so you are better prepared for any forward-looking threats. The last piece is workforce education, having a workforce development focus so that security is not an afterthought. That's an essential element of system solution design.”
Organizational change management is a crucial component of the success of Leidos’ approach to zero trust — integrating new technologies and a cyber-aware culture into the existing workforce.
“That's a very important factor, focusing on the change management,” Paul said. “Communication, transparency and then working with individuals on their growth areas, their target plans. Start from there, provide them resources, training, skills and communication so everyone will come around eventually.”