The last five years have seen the cost of federal data storage shrink while the amount of information has grown by an order of magnitude. Combine this with the remote access demanded by the COVID crisis and you have a perfect storm for changing the core approach to cybersecurity for federal information technology professionals.
Some will argue that this transition must be based on trust. Let us start with applying trust to humans who access large federal systems. From the perspective of Gerald Caron III, the biggest weakness in securing data is people.
Despite extensive training, users expose systems to threat actors. Additionally, today’s controls are so complex that users bypass them and circumvent policy. Managers must be agile enough to adapt to these human threats; one way is to leverage vendors who can add agility to protection.
When COVID hit, federal technology managers had to change their risk analysis for protecting data. During the interview, Gerald suggests that not all data is created equal. Varying risk levels can be applied depending on the value of the dataset: one level may require only a username and password, the next level might require a Personal Identity Verification (PIV) card. Gerald Caron III suggests you focus on what you are trying to protect and apply controls at the right levels.
Identity management can be difficult in a cloud world. Humans have life events: they get married and change names, and this must be reflected in every dataset connected to that person. Frequently, someone may leave the government and work for a contractor in the same office. Access permissions must be changed dynamically to reflect these personal situations as well as the numerous devices owned by every person in the system.
One approach to managing this dynamic environment is to adopt software development practices where security is baked into the code. When this “DevSecOps” approach is combined with automation, federal technology professionals can keep up with this demanding situation.
Gerald Caron III ends the interview by showing people where to start. He thinks the most bang for the buck comes from a basic understanding of Zero Trust and how to apply it to federal systems.