Zero Trust Cyber Exchange: FDIC’s Stephen Haselhorst on building ZT from scratch | Federal News Network

2022-06-24 14:38 (EST) - Tom Temin

FDIC’S STEPHEN HASELHORST ON BUILDING ZT FROM SCRATCH

“When we talk about zero trust, we actually talk about, instead of preventing compromise, we talk about assuming compromise. So how are you going to change your architecture to defend against potentially being compromised?”

Stephen Haselhorst, Zero Trust Program Manager, FDIC

Agencies working to establish zero trust architectures must approach zero trust as a definitive program, not as a tack-on to ongoing cybersecurity efforts. That’s a principal lesson Stephen Haselhorst said he learned in his 20 years working for the Defense Department.

Today, he’s the zero trust program manager for the Federal Deposit Insurance Corporation, a job he began in April after serving as chief technology officer for the Air Combat Command.

“The main thing is to make sure that you’re fully organizing yourself around zero trust, that you’re not operating as a pickup game,” Haselhorst said at Federal News Network’s Zero Trust Cyber Exchange. People should not be working on it part-time while also doing other things, he said.

“Before you get into all the cool technology and the kind of stuff that everybody loves, you really have to focus on establishing your program, establishing your organization,” Haselhorst added.

ESTABLISHING A FULL-BLOWN ZERO TRUST TEAM

A discrete zero trust program will be more effective in addressing the pillars of zero trust as defined by the Cybersecurity and Infrastructure Security Agency. At FDIC, the zero trust program lives in the chief information security officer’s organization, and Haselhorst reports to the CISO. But as its own line of business, Haselhorst’s group has more ability to communicate and collaborate with groups across the agency that have a stake in zero trust, which is essentially everyone.

Outward communications are essential to the zero trust program, he said. Why? Because establishing a zero trust network architecture (which, after all, is required of all federal agencies by the president’s executive order on improving cybersecurity) will likely require new procedures and technology approaches by the existing cybersecurity operators.

“You’ve got to work with them to try to understand what the future holds, where we’re going, what we’re trying to do,” he said. “But what I find for the most part is, people are extremely excited about zero trust once they understand it, once they start capturing what they need to do.”

Another value in the programmatic approach to zero trust, Haselhorst said, is how it ensures the effort will have a champion for the funding it needs, whether resources are being sought to hire subject matter experts or acquire technology tools.

PILLARS OF ZERO TRUST

Haselhorst pointed to the National Institute of Standards and Technology’s Special Publication 800-207 as a foundational document for developing the pillars, or tenets, of zero trust.

Initially, agencies should focus on identity management, he advised.

“You need to have a full understanding of all your users, whether they’re internal or external, in somewhat of a centralized repository,” Haselhorst said.

Multifactor authentication (MFA) comes next. Most agencies are fairly well along in their use of MFA as the best-practice approach for doing away with passwords, Haselhorst said. MFA uses a unique identifier associated with each device as one factor and a biometric such as facial recognition as the other.

Government-issued devices give administrators the most control. But that doesn’t rule out having to manage bring-your-own devices, Haselhorst said. “To reduce risk, I can grant access from a BYOD device to a limited set of data or a limited set of resources,” he said.

Still another important pillar in zero trust involves microsegmentation of networks.

“That’s not talked about enough,” Haselhorst said. “Segmentation of your network is essential.” Zero trust shifts from a mode of compromise prevention to one of assumed compromise, he explained, adding that zero trust ultimately seeks to protect data. Microsegmentation helps isolate any presumed attacks so they don’t spread throughout the enterprise environment.
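The access decisions sketched in the two passages above (a central identity repository, device-plus-biometric MFA, a reduced resource scope for BYOD devices, and default-deny microsegmentation between network zones) can be made concrete as a single policy decision point in the style of NIST SP 800-207. The code below is an added example, not FDIC’s or the interviewee’s code; every user, device identifier, resource, segment name and allowed flow in it is constructed sample data, and the `decide` function and its data model are assumptions made for illustration.

```python
"""Added example (not FDIC's code): a toy zero trust policy decision point.
Each request is checked against a central identity store, a required MFA
factor set, the device class (government-issued vs. BYOD) and a default-deny
microsegmentation table. All names below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class DeviceClass(Enum):
    GOVERNMENT_ISSUED = "gfe"
    BYOD = "byod"


@dataclass(frozen=True)
class Identity:
    user_id: str
    internal: bool                    # employee or external user, both held centrally
    enrolled_devices: frozenset[str]  # device identifiers bound to this identity


@dataclass(frozen=True)
class Device:
    device_id: str
    device_class: DeviceClass
    segment: str                      # network segment the request originates from


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str                      # segment that hosts the resource
    sensitivity: str                  # "low" or "high"


@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    device: Device
    factors: frozenset[str]           # factors presented, e.g. {"device", "biometric"}
    resource: str


# Constructed sample data: one central repository of internal and external users.
IDENTITY_STORE: dict[str, Identity] = {
    "alice": Identity("alice", True, frozenset({"gfe-0001", "byod-0042"})),
    "contractor-bob": Identity("contractor-bob", False, frozenset({"byod-0077"})),
}

RESOURCES: dict[str, Resource] = {
    "hr-records": Resource("hr-records", "app-hr", "high"),
    "cafeteria-menu": Resource("cafeteria-menu", "app-public", "low"),
    "finance-db": Resource("finance-db", "data-finance", "high"),
}

# Microsegmentation table: (source segment, destination segment) pairs that are
# explicitly permitted. Any pair absent here is denied, so a foothold in one
# segment cannot reach arbitrary others.
SEGMENT_ALLOW: frozenset[tuple[str, str]] = frozenset({
    ("user-campus", "app-hr"),
    ("user-campus", "app-public"),
    ("user-remote", "app-public"),
    ("app-hr", "data-finance"),       # only the HR application tier reaches finance data
})

# Passwordless MFA as described in the article: a device-bound identifier plus a biometric.
REQUIRED_FACTORS: frozenset[str] = frozenset({"device", "biometric"})


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Every denial carries an explicit reason so the
    decision can be emitted as telemetry rather than silently dropped."""
    identity = IDENTITY_STORE.get(req.user_id)
    if identity is None:
        return False, "unknown identity"
    if req.device.device_id not in identity.enrolled_devices:
        return False, "device not bound to identity"
    if not REQUIRED_FACTORS <= req.factors:
        missing = sorted(REQUIRED_FACTORS - req.factors)
        return False, f"MFA incomplete, missing {missing}"
    resource = RESOURCES.get(req.resource)
    if resource is None:
        return False, "unknown resource"
    # BYOD gets a reduced scope: only low-sensitivity resources.
    if req.device.device_class is DeviceClass.BYOD and resource.sensitivity != "low":
        return False, "BYOD limited to low-sensitivity resources"
    # Default-deny segmentation, evaluated even for fully authenticated users.
    if (req.device.segment, resource.segment) not in SEGMENT_ALLOW:
        return False, f"no permitted flow {req.device.segment} -> {resource.segment}"
    return True, "allow"


if __name__ == "__main__":
    gfe = Device("gfe-0001", DeviceClass.GOVERNMENT_ISSUED, "user-campus")
    byod = Device("byod-0042", DeviceClass.BYOD, "user-remote")
    both = frozenset({"device", "biometric"})
    for req in (
        AccessRequest("alice", gfe, both, "hr-records"),
        AccessRequest("alice", byod, both, "hr-records"),
        AccessRequest("alice", byod, both, "cafeteria-menu"),
        AccessRequest("alice", gfe, frozenset({"device"}), "hr-records"),
        AccessRequest("alice", gfe, both, "finance-db"),
    ):
        print(req.user_id, req.device.device_id, req.resource, decide(req))
```

The last case in the usage block is the one microsegmentation is for: a fully authenticated user on a government device still cannot reach the data tier directly, because no flow from the user segment to the data segment is listed, so an attacker who has compromised that workstation is confined in the same way.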

VISIBILITY MATTERS IN ZERO TRUST

Zero trust also requires visibility of all of the network elements across the enterprise. Ensuring that is more easily said than accomplished, given the multiple networks and commercial cloud infrastructures that comprise the typical federal infrastructure today, Haselhorst said.

“Security teams traditionally have focused on that perimeter, on the enclave,” he said. “We kind of call it the choke point, or the bottleneck, and you can see everything coming in and out, and you can monitor it.”

Now, activity is happening on premise, in the cloud, and in whatever home or coffee shop in which an employee happens to be working. The notion of a solid perimeter network has all but disappeared, Haselhorst said.

“You need to rethink your visibility, so that you have the right visibility or the right data points and telemetry that you’re getting from every one of those edge points,” he said.

With the right telemetry, the cyber team can monitor data across an organization, he said. “The data is what we all seek to protect. That’s the whole point of zero trust.”

To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.
