The ongoing shift to zero trust security frameworks is reshaping cybersecurity strategies across Federal agencies, but for Sandia National Laboratories – one of the 17 national labs overseen by the Department of Energy (DoE) – the adoption of continuous verification standards is as much about user experience as it is security.
Top officials from the Sandia – a Federal research facility focused on national security, nuclear weapons, and advanced technology – told attendees at the Zscaler Public Sector Summit today that cybersecurity efforts being undertaken by DoE place an emphasis on creating seamless and user-friendly security in addition to restricting access and locking down networks from attackers.
“We envision a world where when you authenticate – when you log in – it’s just what you need, just in time,” said Jason Crenshaw, director of information security at Sandia.
Crenshaw compared zero trust implementation for user experience to driving through a neighborhood, saying “as you drive down the street in your neighborhood, and you can see every house, you can see who’s home … You can see what lights are on when you put zero trust on … We only see two homes out of 200 – you’re only seeing what you’re allowed to have access to.”
Scott Stephens, chief solution architect in Sandia’s Office of the Chief Information Officer, noted that when looking at technical road maps or innovation pipelines, Sandia considers four major areas: user experience, service value, continuity, and security.
“User experience is always first,” said Stephens. “User experience is not just how it looks and how the users feel, but it’s around the marketing and the business analysis of what we’re trying to do … that user experience kind of sets the stage.”
“We try to look [at] those four pillars and ask ourselves questions like is it still better to stay on-prem, or is it better to move to the cloud? Is this something differentiating that we want to do ourselves or is there another OEM [original equipment manufacturer] that we could leverage to kind of get rid of that technical debt so we can focus more on the mission?” he continued.
Employing a user experience and four pillar-driven approach, Crenshaw said that Sandia’s zero trust implementation has resulted in a 90 percent reduction in firewall policies, shifting instead to user and behavior-based security.
Crenshaw explained that traditional firewalls are often overburdened with responsibilities, attempting to enforce policies for users, data, and applications. By rolling back the role of firewalls and integrating them into a broader zero trust framework, Sandia can more effectively manage access and ensure security across its networks.
“So really, to step back and scale that … to really being just part of the zero trust story and part of the overall equation on determining access, and then how healthy it is, whether that needs to take place – it’s pretty exciting,” Crenshaw said.
Pete Amirkhan, senior vice president of Public Sector at Zscaler, remarked during the conversation with Crenshaw that Sandia’s innovation in zero trust has also sparked greater innovation in the cybersecurity company’s services.
“I can tell you one thing that we at Zscaler certainly appreciate about our partnership with Sandia is how hard [it pushes] us to innovate faster,” said Amirkhan, adding, “it’s a great partnership.”
