Agencies are speeding up their adoption of zero-trust security, but legacy applications, compliance restrictions, politics and cultural issues all continue to slow them down, larger ones in particular.
The National Institute of Standards and Technology defines zero trust as the narrowing of cyberdefenses from wide network perimeters to micro-perimeters around individual or small groups of IT assets.
A Pulse Secure survey of 413 IT and cyber professionals — 45 of them in government — released earlier this month found 4% of enterprises have begun adopting zero trust and 33% plan to within nine months. But another 36% of enterprises will take 10 months or longer, and 28% had no plans at all, citing legacy apps and compliance restrictions.
“I see every agency wanting to do the right thing,” Sean Frazier, advisory chief information security officer of federal at Duo Security, told FedScoop in January. “I see a lot of the agencies that have been a little more forward-leaning on cloud and mobile being the first movers.”
Smaller, more nimble agencies like offices of inspectors general that have outsourced everything on the compute side to Google or Microsoft’s cloud are better situated to create an elastic security model, Frazier said.
Many agencies are still getting up to speed on network visibility and haven’t done enough on the identity and access management side of the zero-trust equation, said Scott Gordon, chief marketing officer at Pulse Secure.
That doesn’t mean they lack access controls, given government’s strong compliance environment, just that those pockets aren’t coordinated, Gordon said.
“Part of the challenge is you have a lot of applications and security infrastructure that is based on more perimeter-based security controls, and there will be degrees of migration to a zero-trust network model,” Gordon said. “And that will take time and architectural considerations.”
Many Department of Defense agencies still have perimeter-based security models. But the Air Force established AFWERX in 2017, and other military branches established zero-trust pilots and proofs of concept in Colorado Springs, Colorado, that could take five years to fully realize, Frazier said.
Given the cloud’s importance to zero-trust adoption, the protest of DOD’s Joint Enterprise Defense Infrastructure (JEDI) cloud contract throws another wrench in the works.
“It will slow things down a little bit, but I also think that DOD has — technology has never been the slow part; it’s always been acquisition — been working through these things called other transaction authorities,” Frazier said. “Rather than going through this full-blown, peer process, they can move a little more nimbly, so I think that will offset some of the slowdown on the cloud side.”
Also hastening agencies’ move to zero trust is the culture shift away from security as a “bolt-on” for an IT-led product to security-led development, said Mike Hanley, vice president of security at Duo Security.
Security personnel continue to be involved in the late stages of development to determine if a product is safe enough to deploy — an “adversarial” process that creates “a lot” of rework, Hanley said.
“When you’re setting up those application teams to make good security decisions early and at the cheapest possible point in the exercise, you pivot that security function from being seen as a cost center, slowdown and drag chute to an enabler, accelerator and contributing directly to the business outcome,” Hanley said.