The Interdependency of Identity Management and Zero Trust Architecture

Together, zero trust architecture and identity verification methods can greatly elevate an organization's cybersecurity posture, experts say.

The need to move away from a perimeter-based cybersecurity model—the moat and castle approach—to a cloud-enabled zero trust architecture—an underlying framework that essentially is like placing a security door in front of each and every application—is apparent. Similarly, identity, once mostly an operational and user experience-driven technology, has evolved to be a core aspect of cybersecurity, verifying a user in a network or activity, said Frank Briguglio, strategist, Global Public Sector, SailPoint.

Zero trust architecture, especially when paired with innovative identity verification, can offer a higher level of cybersecurity through limited per-session access, continuous monitoring, orchestration tools, endpoint security, and encryption and monitoring of network conversations.

“Billions of identities and data have been compromised, and it is clear that traditional security is not solving the problem,” he said. “What this shows us is that the perimeter as we know it is dead. And the ways into the underbelly of an organization are only growing. We have new users, new infrastructure, new systems, application program interfaces (APIs), robotic process automation (RPA) and more data. Identity has become the new attack vector.”

Briguglio moderated a panel session on Wednesday as part of the Federal Identity Virtual Collaboration event. He was joined by Steven Hernandez, chief information security officer (CISO), U.S. Department of Education; Stephen Kovac, vice president, Global Government, and chief compliance officer, Zscaler; Christopher McCoy, chief enterprise architect, Federal Deposit Insurance Corporation (FDIC); and Joe Stuntz, director, Federal and Platform, Virtru. The conference, known as FedID, is being held virtually from September 8-11.

At the FDIC, McCoy sees zero trust as a business enabler and a way to serve the public better. “What is driving zero trust across the federal government as a necessity moving forward, is the need to modernize aging information systems and related infrastructure, and the use of cloud,” he explained.

McCoy recommended that federal agencies pay close attention to the business benefits of zero trust. “Don’t ignore that,” he said. “Parties will give more effort to zero trust and modernization” when there is a clear business case for pursuing it. This application of cybersecurity is also crucial to a workforce that is logging in not only from around the country but from across the globe, especially in the time of COVID, McCoy stressed.

At the Education Department, Hernandez is confident that, appropriately applied, zero trust architecture can offer federal agencies enhanced security compliance, productivity, efficiency and agility. “Especially in this time of COVID, when folks are relying on the federal government to deliver services, oftentimes we don’t have the luxury of time to go and engineer some massive infrastructure projects around defense-in-depth security and layering,” he clarified. “We need to build it out right the first time, and what is great is there are a lot of very creative folks in this space [of zero trust].”

Already, he is seeing some federal workers, National Institute of Standards and Technology (NIST) employees, certain vendors and others creating zero trust applications quickly that are able to support a speedier delivery of services. The key, however, is the verified identification piece. “If we can’t get identity around a transaction or a behavior, pretty much all of our follow-on actions are speculative and even in some cases, wasteful,” Hernandez emphasized. “The logical conclusion that we have come to is that zero trust architecture is how we are going to move forward.”

Virtru’s Stuntz sees zero trust as basically an enhanced access management tool, a cousin of identity, credential and access management (ICAM). “And it is about time,” Stuntz said. “This zero trust identity-driven security, it is a necessary move. It is better late than never. At Virtru, our applications tie encryption to identity attributes, and for us, as a data-focused entity, identity is critical.”

Stuntz, who worked for the Office of Management and Budget (OMB) and was a researcher at NIST, is pleased to see the federal government releasing more policies and guidance for employing zero trust architecture, including the OMB memo from last year, NIST's final zero-trust guidance just released last month, the Cybersecurity and Infrastructure Security Agency’s guidance on trusted Internet connections, and even the Federal Data Strategy, which is talking about data protection. “This confluence of policy guidance is what will then inspire [folks] on the architecture side,” he said.

Hernandez added that working groups with officials from across the government and industry are succeeding in furthering the adoption of zero trust and increasing education. “We have tremendous engagement with our industry partners in our working groups,” he said. “We are seeing great inertia there and great consensus as to what is zero trust and ICAM, and what that looks like.” He advised agencies to harness the published strategies and road maps that Stuntz mentioned, as well as to “look inside as many agencies are further ahead than they realize.”

The Department of Defense is embracing zero trust architecture through efforts of the Defense Information Systems Agency and the Air Force, among other programs.

In serving DOD customers at Virtru, Stuntz is seeing the application of zero trust in mission partner environments and collaboration efforts across coalitions. “When you are talking about, ‘I want to be able to share mission-sensitive data,’ and then ‘I want to make sure that I know where that data is going and who has access to it,’ [zero trust is about] shrinking that perimeter to a data set or a data type. I even saw one [request] recently where they said, ‘How can you enable zero trust in space?’ applying zero trust for satellites.”

Zscaler’s Kovac also is seeing a lot of Defense Department projects use zero trust security to place data in specific stores that can be made available through an application layer and shared via a safe enclave, only to people who have been granted access through identity access management. “Zero trust gives us the ability to land in theater and be able to use zero trust technology and make our applications disappear, they don’t even know that we are there … but at the same time allows us to share information,” Kovac stated. “It is the ability to share data.”

And those efforts are at a fraction of the cost needed for establishing giant Internet Protocol (IP) networks, he said.

“At the end of the day, [zero] trust starts with identity. If I know who my user is, and I can verify their identity, I can begin to build an architecture around zero trust,” Kovac noted. “The first thing is ‘Who are you?’ and ‘How do I know you are who you say you are?’”