The public sector is facing big questions when it comes to cybersecurity approaches. What can be done to reduce vulnerabilities and mitigate the spread of breaches? What strategies are key to enhancing cyber resilience amidst a constantly changing landscape of threats?
To find out, Gary Barlet, Federal Field CTO at Illumio, recently joined government cybersecurity experts Dr. Mark A. Stanley, NASA’s agency lead for Zero Trust, and Gerald J. Caron, the International Trade Administration’s Chief Information Officer, on GovExec TV to discuss application segmentation and its role in Zero Trust architecture for the public sector.
Continue reading to get the six key recommendations from their discussion on implementing Zero Trust and application segmentation.
1. Zero Trust initiatives should be the priority right now
To begin, Dr. Stanley spoke on his role with NASA and the landscape of Zero Trust policy he found upon arrival.
“When I got to NASA, I was totally blown away,” he said. “These folks were already thinking about Zero Trust and how we were going to get there long before the executive order even came out. They already had buy-in and tons of support from the executive leadership team.”
Early in his tenure at NASA, he was appointed the NASA Zero Trust Lead. He has helped add Zero Trust as one of NASA’s foundational elements for digital transformation.
“From a priorities perspective, anything I can do to help move Zero Trust forward has taken up the majority of our cycles,” he explained.
2. Visibility is key to successfully implementing a Zero Trust strategy
Barlet’s response addressed the core thinking that goes hand-in-hand with Zero Trust strategy and application segmentation.
“Zero Trust is a very broad term. The first thing that we think is important for security is understanding how information is actually flowing in your enterprise,” Barlet said.
Barlet recommended that organizations working towards Zero Trust start with visibility, and this means more than a network map. Today’s hybrid networks are perimeter-less and scattered, so security teams must keep track of how applications interact at a granular level. Barlet explained that visibility into application communication flows is critical to understanding how an application functions. Once visibility is established, security teams can start drawing boundaries around those applications to segment the network.
“If something happens, the reality is it’s not a matter of if you’re going to get compromised but when. When that compromise occurs, what’s next?” Barlet said.
3. If you’re not working on Zero Trust now, you’re behind
Barlet went on to explain the pitfalls for enterprises that are behind in adopting Zero Trust.
“So many enterprises today are wide open,” he said. “Once an adversary gets a foothold, they have an unfettered ability to spread across your enterprise.”
Adversaries use lateral movement to spread from one part of the environment to another. If those environments are closed off from each other, breaches can’t spread. This is achieved with segmentation, also called Zero Trust Segmentation.
“With segmentation, you see all these various components and draw a ring application by application,” Barlet said. “So once that gets compromised, it can be contained, and it can’t infect other applications.”
4. Zero Trust initiatives require cross-functional collaboration
To reach a level of Zero Trust adoption that organizations can be comfortable with, it’s important to adopt a collaborative mindset. Dr. Stanley compared this mindset to NASA’s approach to scientific discovery, where the agency has a mandate to share research and findings with the world for the betterment of humanity.
“We on the federal side need to start thinking about how we can work together,” Dr. Stanley said. “I’m a firm believer that cybersecurity is a team sport.”
Caron built on Dr. Stanley’s sentiment, illustrating the pitfalls of the old approach to collaboration in cybersecurity.
“You have these silos of excellence, but all of these groups need to work together to attain true Zero Trust,” Caron explained. “In the old days, you’d have an incident and do a round robin. You’d keep circling until you found the issue.”
But according to Barlet, “You can’t do this stuff manually anymore. It’s impossible to keep up with the spread of technology, the spread of data, and the spread of our users. Technology is the only way we can hope to stay ahead of or equal to that curve and that change.”
5. Zero Trust is a strategy, not a prescription
As the webinar continued, the three experts explored another important side of government cybersecurity strategy – compliance.
Caron opened the discussion by making a key distinction between compliance and effectiveness: “Those are two very different words with two different meanings. Compliance can mean something like, ‘I have a system, so I must provide authentication.’ Username and password could be compliant, but it isn’t effective.”
In other words, just because something is required for compliance doesn’t mean that it is also effective. Caron encouraged organizations to see Zero Trust as an effort to become more effective in addition to meeting compliance requirements.
“Compliance will fall into place as you become effective,” Caron said. “That’s the great thing I applaud about the Zero Trust strategy and the executive order that mentions Zero Trust. It’s moving us towards being more effective. It’s a strategy, not a prescription.”
6. Take incremental steps towards Zero Trust
To close out, Barlet and Dr. Stanley spoke on the best practices for Zero Trust adoption in enterprises.
According to Barlet, “The most effective organizations take it one step at a time.”
He explained that too many agencies assume they’ll be able to go from zero to 100 percent Zero Trust enforcement. Then, when they don’t achieve the goal, the initiative loses steam or is considered too difficult.
“The reality is that you’re never going to get to 100 percent,” Gary said. “In the world that we live in, trying to get to 100 percent of anything is an unattainable goal.”
Instead, Barlet encourages organizations to work towards Zero Trust in pieces. By building Zero Trust incrementally, agencies can achieve quick wins and increase defenses, security, and protection over time.
“Barlet was absolutely spot on,” Dr. Stanley chimed in. “You’ve got to address all of the pillars of Zero Trust. You have to be able to take advantage of the protection that it’s offering for your applications and data, even as you make those incremental improvements to your infrastructure.”