Mark Forman, DIS executive vice president, met with Mimi Geerges for the Security Matters segment of Government Matters to do a deep dive into zero trust and the process it will take to get government security to that goal. “Cyber security has always been the basis of understanding IT assets,” explains Forman. “All these legacy applications don’t really have good security built into them. It’s just not the way developers think.”
As Role-Based Access Controls (RBAC) fail to stop security breaches in kill chains, IT officials from the U.S. Office of Personnel Management (OPM) recommend moving to a zero trust model, meaning that no profile will be given inherent trust. This comes after the SolarWinds attack and the apparent ability of hackers to assume the IT identities of trusted system profiles to navigate through security stop-gaps that were previously used to protect government intel.
Government agencies need to take an IT asset inventory and define their IT architecture as a first step to zero trust security. “From the standpoint of government IT management, this is another round to get up to date on the methods for knowing your IT inventory,” Forman comments.
Forman notes that the objective of any government policy reform is fiscal responsibility to the taxpayer. Defining an agency’s target-state architecture is the best way to rationally distribute IT licenses across the enterprise and prevent government over- or under-budgeting, he explains, though the process could take years to refine in an agency not currently using that method.
“Cyber security has never been successful in any agency where the executive administrator is not directly behind securing those systems.” Political heads of agencies have so much on their plate that this priority is not always given the time it deserves. Forman acknowledges this and encourages OMB and the White House to explain the risks to political appointees and hold them accountable for making cyber security a priority within their agency.
Watch the full Security Matters interview on the Government Matters website (govmatters.tv): “Identifying assets is first step in implementing zero trust mandate, former federal chief information officer says.”