The move to implement an architecture known as zero trust in agency information technology networks has long been under construction. Now the Biden administration has specifically called for it in a recent cybersecurity executive order. Federal Drive with Tom Temin discussed what zero trust really is and the effect it will have on IT spending patterns with Forrester Research security and risk analyst Steve Turner.
Tom Temin: Steve, it’s good to have you on.
Steve Turner: Yes, a pleasure to be here, Tom.
Tom Temin: And let’s start at the beginning. You and I know all about risk management, but maybe the average listener doesn’t, so just briefly review what the hell it is.
Steve Turner: Yes, so risk management is about figuring out what your organization is willing to accept to do business. And specifically in the federal sector, it’s about accepting what risks will allow them to move forward with the different missions and goals that are set.
Tom Temin: Very well, then, in a zero trust IT configuration, what does this mean for a network?
Steve Turner: At Forrester, the kind of succinct definition we have for zero trust is that it is a security model that only grants access to a resource through continuous verification and application that the session is secure, authenticated, and authorized. In a nutshell, this means that we never trust, but that we always check who or what has access to something at the end of the day.
Tom Temin: Even the most trusted internal users go through the same scheme?
Steve Turner: Absolutely. Because we have understood a little over time, and very recently, that we cannot trust what is inside or outside. So, after all, we can’t trust anything. And we have to earn that trust over time, checking that someone is who they say they are, because with all the breaches that are happening out there, it’s necessary. The old model of doing things doesn’t work, as evidenced by what the Biden administration has put out here.
Tom Temin: Now, many agencies have already stated that they have been working on zero trust for a few years now. So this kind of order codifies what has already been happening, in some sense. And what we hear over and over again is that zero trust is not a product you buy as a cybersecurity tool, but an approach. So, looking at spending patterns in cybersecurity, what does Forrester find that the executive order could change in what spending would otherwise have been?
Steve Turner: Yes. So we are doing a lot of active research on this right now. But historically, many larger private sector organizations, when they have implemented a zero trust approach, have seen their spending stay flat, as they use many of the existing tools they currently have to implement it. Or, in fact, they have seen costs reduced across many of the tools they use, as they have consolidated many of the technologies and tools they use to achieve zero trust. The important thing I want to point out, though, is a bit of that initial rise, as many organizations and the federal government use consultants or other industry experts to get to that launch point. And after this launch point, I fully expect that over time, through the consolidation of different technologies and tools, spending will come down. I wouldn’t say we expect a significant increase in many organizations, especially in the public sector.
Tom Temin: We’re speaking with Steve Turner, a security and risk analyst at Forrester Research. And looking specifically at the private sector, what have you seen in the patterns that exist with respect to how zero trust and some of these related technologies affect their spending patterns? Have you seen this reduction?
Steve Turner: Yes, so in the private sector, for larger organizations, we have seen that spending on tools and technologies is maintained or reduced. Now, when we talk about this kind of middle sector, like small and medium businesses and all that, we usually see an increase in spending because they don’t have the capabilities, or they don’t have the tools and technologies, to get the visibility and compliance that matter when we talk about implementing zero trust. So definitely large organizations over time have just accumulated this vast portfolio of tools that do many similar or identical things, so they have many opportunities for consolidation. And we hope to see the same thing in the federal government, because some of our previous research finds that there are a lot of similar tools accumulated across the government, and agencies only use 20 or 30% of the functions of each of these tools. So they spend exorbitant money on a tool they don’t even fully use.
Tom Temin: And in the case of small or independent federal agencies, they don’t have to go it alone, because they have the Cybersecurity and Infrastructure Security Agency that offers tools, and they have other kinds of big sister agencies they can lean on, rather than being like a small independent company that is out on its own.
Steve Turner: I mean, the best thing, especially with the executive order, and with CISA integrating more and more into what the different agencies do, is that it allows all these people not to go it alone, and gives them this almost consulting arm to be able to help them on their journey and potentially use the existing resources that are there. So I’m excited because I think CISA is ultimately the center, and it’s the kind of central cybersecurity organization for the federal government. I hope this carries over more into the national security agencies, but time will tell.
Tom Temin: For sure. And, looking at the executive order and the mention of zero trust, what do you see the government should do next? And if someone is still a zero trust beginner, what should they do?
Steve Turner: Looking at the executive order, and we posted a blog post about it, the executive order reads more like a laundry list of different technologies and tools, right. They call for building reference architectures within each of the different agencies and presenting and reviewing them. I hope that the next thing that comes with the executive order is the real budget and resources to implement all this, because I have the feeling that at the end of the day, with the deadlines the executive order actually sets, they will only be able to achieve so much. Therefore, I believe that many agencies will request extensions to meet the requirements of the executive order. But I think at the end of the day, they will get an assessment of where they are with all the tools and technologies they have. And then understanding how this fits into the reference architecture they are building is so incredibly key. And I hope that this is what emerges from the results of what this executive order has put forward.
Tom Temin: And this exercise could reveal or surface many tools and products, and perhaps services, they don’t use, which they could just get rid of and save some money.
Steve Turner: Absolutely. Either they could go in that direction, or they can lean more into a tool that perhaps fills many gaps or capabilities they need to achieve zero trust without having to buy something, because at the end of the day, as I said before, Tom, and as we have argued so strongly, zero trust cannot be bought. So people and processes need to change with this totally new way of doing things. And then go back to technology to enable all of that.
Tom Temin: Could some updates to the network technology itself, such as those provided for in the General Services Administration’s EIS contract, foster the ability to get to zero trust? Because you have a more modern network to begin with; your topology is new.
Steve Turner: Yes, I think that’s a really important point. I mean, there have been so many things in the background before the executive order that have created or laid the groundwork for that executive order, so you could say that, finally, we are moving toward zero trust. As you mentioned earlier, Tom, there are many agencies that are already moving toward zero trust. And this helped give them the reinforcement, support and foundation to be able to ask for more resources, more budget, as well as lean on other modernization projects that are already underway. Something that is really interesting, and that I think a lot of people don’t realize, was that there was a call in the executive order when it comes to putting in EDR, the possibility of having visibility across agencies and doing centralized threat hunting. But previously, in one of the defense bills passed recently, CISA was given the authority to conduct centralized threat hunts at all of these agencies. Again, it is just laying that groundwork over time and finally just spelling out what kinds of things need to be done. I think this will be an ongoing thing, as we have seen before: more and more legislation being passed to spell out that this is what we want to do, but the groundwork has already been laid for that kickoff.
Tom Temin: Steve Turner is a security and risk analyst at Forrester Research. Thank you so much for joining me.
Steve Turner: Absolutely Tom, thank you so much for having me.