While the zero trust security model has been widely recognized as an effective approach to preventing and mitigating data breaches, an official with the Cybersecurity and Infrastructure Security Agency (CISA) said this week that several misconceptions make Federal agencies skeptical about adopting the framework.
John Simms, a senior technical advisor for the Office of the Chief Technology Officer at CISA, explained that one major misconception many have about the zero trust model is the notion that an agency cannot trust its users or workforce.
“This is a marketing problem we seem to continue to have. Zero trust gives your users and employees the impression that they’re not trusted, but in fact, zero trust supports secure information sharing,” Simms said during a virtual event on March 28 hosted by GovExec. “Just because there’s no assumed or implied trust doesn’t mean there’s no trust. Instead, there’s explicitly justified and appropriately granted trust.”
Simms also explained that people are creatures of habit, and they can be resistant to change. When a team has been doing something the same way for a long time, it can be difficult to convince them of the necessity of doing it differently.
“Moving to zero trust involves implementing tools that support just-in-time privilege elevation and time-bound access. But it also involves large-scale cultural change that starts at the top. The zero trust mindset needs to be company-wide. Adoption should involve everyone, not just the security team,” Simms said.
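The just-in-time privilege elevation and time-bound access Simms refers to, and the "explicitly justified and appropriately granted trust" from his earlier remark, can be shown in a small policy engine. The Python below is an added example written for this page; it is not code from the article, from CISA, or from any particular product. The class and function names, the four-hour maximum grant lifetime, and the sample principals, resources and ticket numbers are all hypothetical.

```python
"""Added example: a default-deny authorizer over explicit, time-bound grants.
Nothing about who the principal is (role, network location) is consulted;
only a live, justified, second-party-approved grant allows an action.
All names and the policy constants are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass
class Grant:
    principal: str          # who was elevated, e.g. "alice"
    action: str             # what they may do, e.g. "db:write"
    resource: str           # where, e.g. "prod-payments"
    justification: str      # the recorded reason (ticket or incident id)
    approved_by: str        # a second party, never the requester
    expires_at: datetime    # hard upper bound on the elevation
    revoked: bool = False


class JitAuthorizer:
    """Just-in-time elevation: grants are created on request and die on a clock."""

    MAX_TTL = timedelta(hours=4)   # assumed policy: no elevation longer than 4h

    def __init__(self) -> None:
        self._grants: List[Grant] = []
        self.audit: List[Tuple[str, str, str, str, str]] = []   # decision trail

    def request_elevation(self, principal: str, action: str, resource: str,
                          justification: str, approved_by: str,
                          ttl: timedelta, now: datetime) -> Grant:
        """Request-time checks: a reason, a separate approver, a bounded TTL."""
        if not justification.strip():
            raise ValueError("justification is required")
        if approved_by == principal:
            raise ValueError("self-approval is not allowed")
        if ttl <= timedelta(0) or ttl > self.MAX_TTL:
            raise ValueError("ttl must be positive and at most MAX_TTL")
        g = Grant(principal, action, resource, justification, approved_by, now + ttl)
        self._grants.append(g)
        self.audit.append(("grant", principal, action, resource, justification))
        return g

    def revoke(self, grant: Grant) -> None:
        grant.revoked = True
        self.audit.append(("revoke", grant.principal, grant.action, grant.resource, ""))

    def authorize(self, principal: str, action: str, resource: str,
                  now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Scope match is exact; default is deny."""
        for g in self._grants:
            if (g.principal, g.action, g.resource) != (principal, action, resource):
                continue
            if g.revoked:
                self.audit.append(("deny", principal, action, resource, "revoked"))
                return False, "grant revoked"
            if now >= g.expires_at:
                self.audit.append(("deny", principal, action, resource, "expired"))
                return False, "grant expired"
            self.audit.append(("allow", principal, action, resource, g.justification))
            return True, f"granted by {g.approved_by}: {g.justification}"
        self.audit.append(("deny", principal, action, resource, "no grant"))
        return False, "no explicit grant"


def demo() -> List[Tuple[bool, str]]:
    """Walk one elevation through its lifetime on constructed sample data."""
    auth = JitAuthorizer()
    t0 = datetime(2024, 3, 28, 9, 0, tzinfo=timezone.utc)
    out = []
    # 1. No grant yet: denied regardless of alice's standing role elsewhere.
    out.append(auth.authorize("alice", "db:write", "prod-payments", t0))
    # 2. Explicit, justified, approved by bob, 30-minute elevation.
    auth.request_elevation("alice", "db:write", "prod-payments",
                           "INC-1234 hotfix", "bob", timedelta(minutes=30), t0)
    out.append(auth.authorize("alice", "db:write", "prod-payments", t0 + timedelta(minutes=5)))
    # 3. Scope is exact: the same grant does not cover another resource.
    out.append(auth.authorize("alice", "db:write", "prod-hr", t0 + timedelta(minutes=5)))
    # 4. Time-bound: one minute past expiry the grant no longer applies.
    out.append(auth.authorize("alice", "db:write", "prod-payments", t0 + timedelta(minutes=31)))
    # 5. Revocation before expiry ends access immediately.
    g2 = auth.request_elevation("alice", "db:read", "prod-payments",
                                "INC-1234 verify", "bob", timedelta(hours=1), t0)
    auth.revoke(g2)
    out.append(auth.authorize("alice", "db:read", "prod-payments", t0 + timedelta(minutes=1)))
    return out


def rejected_requests() -> List[str]:
    """Exercise the request-time checks; returns the rejection reasons."""
    auth = JitAuthorizer()
    t0 = datetime(2024, 3, 28, 9, 0, tzinfo=timezone.utc)
    attempts = [("", "bob", timedelta(minutes=30)),        # no justification
                ("INC-1", "alice", timedelta(minutes=30)),  # self-approval
                ("INC-1", "bob", timedelta(days=1))]        # TTL over policy
    reasons = []
    for why, approver, ttl in attempts:
        try:
            auth.request_elevation("alice", "db:write", "prod-payments", why, approver, ttl, t0)
        except ValueError as e:
            reasons.append(str(e))
    return reasons


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", why)
    print(rejected_requests())
```

The point the example makes is the one in the quotes: a user is never trusted by default, but a clearly justified request gets access that is scoped, approved by someone else, recorded, and expires on its own, so removing implied trust does not mean removing trust. In a real deployment the grant store would be backed by the identity provider or a privileged-access tool, and the audit trail would feed the SIEM rather than a list.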
Cultivating a zero trust framework also requires buy-in from executive leadership all the way down to identity and security practitioners. Previously, Simms added, security for an agency was handled by a single team, but he said that approach no longer works.
Simms explained that another misconception is that zero trust is a product that can be easily implemented. However, “agencies need to remember that zero trust is not a product that you can buy, it is a philosophy for approaching cyber principles,” Simms said.
“It is also necessary that cyber hygiene and practices are baked into every aspect of an agency’s business processes. When an open conversation is had in an agency, bad cyber habits can be detected and resolved,” Simms said.