The Federal Deposit Insurance Corp. is shrinking its security perimeter as it moves to a zero-trust environment that protects agency data while at the same time opening up the network.
Following the Office of Personnel Management data breach in 2015, agencies like the Department of the Interior began collaborating internally to develop zero-trust architecture and test the requisite tech, said Sylvia Burns, who was CIO of the department at the time.
Now Burns is the deputy chief information officer for enterprise strategy at FDIC, where the focus is on removing the perimeter from around the entire organization in favor of smaller, “micro-perimeters” around only the most valuable data.
“I think everybody has had this false sense of security about the perimeter,” Burns said during a panel discussion at the Billington CyberSecurity Summit on Thursday. “It’s false because a simple phishing event can compromise your entire network.”
By moving to micro-perimeters and opening networks, agencies allow local offices flexibility when choosing the best-quality broadband near them — rather than forcing them onto the corporate network, Burns said.
But first FDIC had to classify its data, which was “sprawling all over the place,” said Burns, who doubles as the agency’s interim chief data officer.
Data exists in data centers and with remote employees on their mobile devices, but also with software-as-a-service solutions agencies are increasingly moving to the cloud
“What we don’t want to get into is a situation where you’re going to buy different technologies to protect all those systems,” said Rick Howard, chief security officer at Palo Alto Networks. “You want a unified system with one policy.”
Less technology that’s better integrated and fits an agency’s use case is preferable — so long as vendors comply with Federal Risk and Authorization Management Program standards, said Michael Friedrich, vice president of engineering and technical operations at Cyxtera Federal Group.
A next-generation firewall can do 80 percent of the work by setting simple rules, like guest networks can’t connect to internal networks and developers can’t access classified databases, Howard said.
But zero-trust policies must be set by executive leadership and not “the InfoSec team buried in the basement of the Pentagon,” he added.
Identity management policies tend to be agencies’ biggest weakness, Friedrich said.
The Capital One data breach earlier in 2019 occurred because a former software engineer at Amazon Web Services, which provided cloud services to the bank, still had access to the network and understood the architecture, he said.
When the Office of Management and Budget released a draft of its zero-trust guidance earlier this year, industry pointed out that it failed to address a bring-your-own-device policy for employees.
“I have to define a standard to know what my minimum acceptable device is and that it is linked to you,” Friedrich said. “That’s not happening right now, and that is an exploit that is going to lead to another U.S. version of Capital One because that device now has rogue access. And if we keep using [virtual private networks] as the way to connect, you’ve enabled technology a backdoor, and guess what? The cookie crumbs are there you can follow.”