Now that federal agencies have shifted to mass telework and sorted through many of the related hardware and software needs, they’re able to take a closer look at all the pieces necessary to implement a zero-trust security architecture, a cybersecurity expert says.
In particular, agencies have greatly embraced the use of different kinds of authenticators to help identify users and control their network access, said Bryan Rosensteel, Cybersecurity Architect at Duo Security, during an SNG Live virtual discussion panel hosted by Scoop News Group on Oct. 20. Federal IT leaders are seeing that for telework, old forms of proving identity don’t translate, and they’re looking for other solutions.
“That’s where we’ve seen zero trust really starting to take place,” he said.
The zero-trust model assumes that the network is penetrable, so it forces users to verify themselves for each set of data or applications they want to access once they’re on the network. Authenticators — such as physical security keys, apps that generate one-time codes or more dynamic technologies that can confirm a person’s identity — can play a key role.
Simply handing out new ways to authenticate a user isn’t an instant solution, though, Rosensteel said. Agencies should be carefully considering what they’re implementing and why.
“That’s something that I think took a lot of people by surprise: Hey, I’ve got a strong authenticator, but I don’t have strong authentication,” Rosensteel said. “And that’s forcing everyone to have that second look and analysis of the way that they’ve approached something as simple as just authenticating into an application.”
The conversation around authentication will only become more important as agencies implement higher standards for how they interact with contractors, such as the Department of Defense’s new Cybersecurity Maturity Model Certification (CMMC). Companies that must meet higher-level security standards under CMMC will face decisions about how to allow employees to interact with DOD networks.
“There are very different cost models and very different types of implementations and technologies required to be able to say, ‘Hey, in line with this authentication, we’re going to be checking for geolocation, we’re going to be checking for the type of network that you’re coming from,’” Rosensteel said in a separate SNG Live virtual panel discussion. “Are you coming from a VPN? Are you coming from something internal to a specific set of IP addresses, in order to exercise and exert those controls?” The goal, he said, is to set the right amount of control based on those factors.
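As an added illustration of the contextual checks Rosensteel describes (example code, not from the panel, Duo Security or CyberScoop), the policy function below rates a sign-in by network zone and geolocation before deciding whether the authenticator presented is enough; the address ranges, expected-country list and strength ranking are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy inputs (assumptions, not from the article): the agency's
# internal address ranges and the countries its teleworkers are expected to be in.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.100.0/24")]
EXPECTED_COUNTRIES = {"US"}
# Relative strength of the authenticator types the article mentions.
STRENGTH = {"password": 0, "otp_app": 1, "security_key": 2}


@dataclass
class AccessContext:
    source_ip: str
    country: str        # from a geolocation lookup performed by the caller
    via_vpn: bool
    authenticator: str  # key into STRENGTH


def network_zone(ctx: AccessContext) -> str:
    """Classify the request path as internal, vpn or external."""
    addr = ipaddress.ip_address(ctx.source_ip)
    if any(addr in net for net in INTERNAL_NETWORKS):
        return "internal"
    return "vpn" if ctx.via_vpn else "external"


def risk_score(ctx: AccessContext) -> int:
    """Add up the context signals; a higher score means less trust in the request."""
    score = {"internal": 0, "vpn": 1, "external": 2}[network_zone(ctx)]
    if ctx.country not in EXPECTED_COUNTRIES:
        score += 3
    return score


def decide(ctx: AccessContext) -> tuple:
    """Return (decision, reason); decision is allow, step_up or deny.
    The same authenticator yields different outcomes depending on context,
    which is the gap between a strong authenticator and strong authentication."""
    score, strength = risk_score(ctx), STRENGTH[ctx.authenticator]
    if score >= 5:
        return ("deny", "off-network request from an unexpected country")
    if score >= 2 and strength < 2:
        return ("step_up", "off-network access requires a security key")
    if strength == 0:
        return ("step_up", "a password alone is never sufficient")
    return ("allow", f"zone={network_zone(ctx)} risk={score}")
```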
Overall, the increase in interest in authenticators will pay dividends as agencies continue to modernize, Rosensteel said.
“To the credit of the federal government, they saw it as the opportunity to expand and modernize correctly, and for the most part have done so with a zero-trust framework in mind,” Rosensteel said. “So it’s been an experiment — not one that any of us wanted to happen — but it’s been overall a really good accomplishment.”
This article was produced by CyberScoop and underwritten by Duo Security.