The Census Bureau needs time to move to a zero-trust security architecture because it’s still in the early stages of cloud migration, said Chief Information Security Officer Beau Houser.
While the bureau uses cloud services, it can’t abandon its wide network perimeter in favor of smaller ones around particular IT assets until more of those assets are in the cloud, Houser said during the Federal Zero Trust Virtual Summit on Tuesday.
A hybrid model mixing on-premises systems with private and third-party cloud services is required in the meantime, and Houser hopes to reach a point where the bureau can share its data with researchers more easily.
“We feel like zero trust will also give us a lot of flexibility with customers who want to do different types of research projects,” Houser said. “So we can be very flexible with what the customer is doing and still maintain a strong security posture around the data.”
The bureau still uses a virtual private network as its primary remote access method. A VPN serves as the point at which the agency enforces security, but that’s not always helpful if an attacker has acquired an employee’s username and password through a phishing attack. Once the attacker is on the network, it becomes very difficult to distinguish their movements from legitimate traffic, Houser said.
“I do believe that zero trust is going to offer a new paradigm for cybersecurity that I hope begins to level the playing field with the attackers because I feel the attackers still have the advantage on us,” Houser said. “And I’m optimistic that zero trust will help us balance that out.”
Once the bureau adopts zero-trust security, a breach will be assumed and all data requests will be treated with the same level of scrutiny. That will happen when migration shifts in favor of the cloud, at which point users will want to connect directly to it — instead of using a VPN, Houser said.
But agencies can’t make the transition overnight.
“It’s going to take a lot of research and education, so go look at what other people have done before you,” said Sean Frazier, advisory CISO of federal at Duo Security. “Look at Google, look at Intel, look at Microsoft, look at Cisco, but also talk to your peers.”
Without a VPN, the bureau will need to choose new policy enforcement points for securing applications and data. That will require a level of visibility across devices and users and use of metadata the agency currently lacks, Houser said.
Further cloud migration will also require a culture shift on the part of bureau users, one that will eventually help them embrace zero trust.
“I still see in many federal agencies the tendency to go with the traditional model when it comes to technology management and technology delivery, and so it’s really hard to help people imagine things differently,” Houser said. “And that’s why I’m a big supporter of cloud because I really feel like it helps us to work through that mental exercise of imagining a different approach across the board.”