Zero-trust principles have encompassed cybersecurity discussions in one form or another for much of the past two decades. However, the widening adoption of the cloud, ever more sophisticated cyberattacks, and the rapid shift to employees working from anywhere, have pushed the need for zero trust architecture to top of agency IT priority lists.
At the same time, the pandemic served as a catalyst for accelerating security measures in government, say government sector cybersecurity experts during a recent IT security panel discussion.
“There are three subsets of culture that I’ve seen, thankfully, be changed positively through the pandemic that relate to cybersecurity and zero trust,” says Juliana Vida, chief strategy advisor at Splunk, and a former deputy CIO at the Pentagon.
“One of them is risk acceptance,” she says. She pointed to how the Department of Defense “put almost a million people into a remote work environment… leveraging cloud technology because they had to. They just didn’t have a choice anymore. It was [like] a burning platform — and a motivating factor…to accept certain levels of risk that maybe they wouldn’t have a year and a half ago,” she says. “And I think that’s a positive thing, because there are many other barriers in place that probably are worth reviewing.”
A second change was reflected in ways in which position — and who has priority in government organizations — are often tied to physical buildings, she says. “I think we’ve seen a leveling of the playing field, where all voices [and ideas] are equally important” with virtual meeting platforms. The pandemic helped “bust” certain social paradigms around work, she maintains.
The third change revolves around what Vida referred to as the “Big R” — requirement documentation in the government. “Yes, it’s still important. But I think what we saw in the last year was that the definition of what a requirement is, has changed. You could say that the pandemic is the requirement for having modern technology — for having agile and scalable cloud platforms — because you must modernize,” she argues. “Because if you don’t, you can’t work. To me, that’s the ultimate requirement.”
Many of those same themes hold true for Renata Spinks, acting senior information security officer and chief technology officer for the U.S. Marine Corps, who also shared her perspectives on security, zero trust and the impact of the pandemic during the panel discussion.
“I think the largest takeaway for me has been taking a look at what your risk acceptance model is. And the only way that you can truly make an assessment of where you will accept risk is knowing your landscape, understanding that terrain, and knowing where my enterprise begins and ends,” she says.
Spinks concurred with Vida about shifting social paradigms at work and the expanded notion of requirements in light of the changes agencies went through over the past year. “I’m going to add one more word, which is resilience,” she says. Agencies need to focus not only on evolving risks and requirements, but also on operational resilience to better manage the unexpected.
“I think the thought process of remote work and distributed workforce — meaning you’re working from multiple locations… because you need to — that’s why zero trust is so important in understanding those behaviors and making sure that you… have just what you need from a technology perspective,” she says.
“Now, with the emphasis on remote work and remote learning and telehealth, there’s just more of a general understanding across all sectors of American society that we need to pay attention to this. So that’s a good thing. I just hope that the momentum carries forward. It’s time to modernize and really lean into this zero-trust architecture,” she says.
“One of the biggest lessons that we’ve seen,” adds Vida, “and that I hear customers constantly talk about, is the power of cloud technology. Agencies that had already moved into the cloud — or had elements of any kind of hybrid cloud architecture — were able to pivot faster than those who didn’t. That’s because cloud provides the agility, the scale and the flexibility that is absolutely necessary to drive into a digital environment. And the cloud has the ability to manage, share, and manipulate huge volumes of data.”
Vida, like many IT advisors, cautioned against a “lift and shift” approach and instead, focusing on moving workloads in ways that capitalize on cloud-based applications and services. She also recommended that agencies continue to look at cloud platforms to break down silos, share information. “Because that’s where the power of data is — in leveraging everything that exists in an enterprise. I think we’re going to see a continuation of that because it drives efficiencies, drives economies of scale, and it just builds better partnerships,” she says.
Spinks reinforced that point by stressing the importance of establishing “the conditions for not only adopting cloud but employing cloud in your environment.”
“The Marine Corps migrated to an Office 365 environment what looked like very quickly,” she says, “but what we don’t talk a lot about is our infrastructure challenges that we had to overcome. And we spent countless hours with sometimes-planned outages and sometimes not. I would submit, even outside of the DoD — having come from Treasury and Department of Homeland Security — infrastructure across the world is just a place we’re going to have to really invest in.”
View the full on-demand discussion with Renata Spinks and Juliana Vida. And learn more about how Splunk is helping government secure their IT environments and strengthen their zero-trust architecture.