Federal CIO Suzette Kent says the government is making progress on the “concepts” of zero-trust architecture.
Kent spoke on Tuesday at the Zero Trust Security Summit at the Spy Museum — a “cool place,” she noted, from which to consider the importance of identity and information management. Her remarks focused on the White House’s view of how well federal agencies are implementing the component pieces of zero trust, including multi-factor authentication, mobile security, identity management and more.
“There is successful alignment in the concepts … of where we need to go with advanced identity management, strong network foundations, use of data matched to the mission and the function of that individual,” she said at the event, which was presented by Duo Security and produced by FedScoop and CyberScoop.
That said, agencies are at different stages in the journey, often depending on their legacy IT environments. “We’re making good progress in areas, but there’s more” to do, Kent said. Zero-trust networks essentially assume that any activity inside the perimeter can’t automatically be trusted, and so users and devices must be verified when they connect.
But zero trust isn’t just about technology, Kent said. It’s also about organizational structure. It requires a thorough understanding of who or what is accessing a given network, as well as why they are accessing it and what they need from it. Security controls, under zero trust, are then based upon this understanding.
“It’s no easy feat for us to define all of those different types of access and relationships and individual roles, and to keep that current. But it’s mandatory,” she said. “It’s mandatory as we go forward.” As such, the government needs to “build the capability” to understand organizational roles and what kind of access those roles require, Kent said. This isn’t a technical capability, per se — it’s a “different kind of workforce challenge.”