Where are all your assets on your network? That is the first question agency chief information security officers may want to ask on their journey toward a zero trust architecture.
Shane Barney, the chief information security officer at the U.S. Citizenship and Immigration Services in the Homeland Security Department, said the answer to this seemingly simple, but complex question is so important to truly move toward a zero trust architecture.
“Devices are a key piece of any zero trust strategy and it really goes back to this concept of an attack surface, which is your continuous discovery, inventory, classification, prioritization and security monitoring of all of your digital assets, as well as your hardware. From my perspective, having a 100% understanding of your devices on your network is critical for day one. You don’t do zero trust without it,” Barney said on Ask the CIO. “If you only have 50% of your known assets that you have control over, don’t even bother doing zero trust because you’ve really got to fix that problem.”
Barney readily admits that knowing and managing an agency’s endpoints isn’t an easy task. He said USCIS has 160,000 to 170,000 endpoints and they are constantly changing because so much of their infrastructure, applications and workloads are in the cloud already.
“We have cloud assets that will generate 1,000 new endpoints every hour, and then shut them all down just as quickly. So staying on top of that is where automation becomes critical,” he said. “Automation is going to do a couple of things for you. One, it’s going to verify and ensure that the things that are coming onto your network are yours and are verified. This is going to be done through your certificate automation and making sure you’ve got tokens issued on all the proper devices. It’s that first level authentication for you. There’s a behavioral component to this as well. There aren’t enough humans on the planet to monitor this kind of stuff. You’re talking about terabytes upon terabytes of data being generated every day, just to monitor this. So your automation kicks in and starts asking these questions for you.”
Barney said the technology tools can highlight “bumps” on the curve that no human could see through all this data.
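As an added illustration of the inventory-first point Barney makes, and not code from USCIS or from the article, the following constructed example reconciles one discovery snapshot of what is live on the network against the authoritative asset inventory and checks each live endpoint for an issued device certificate, producing the "known and verified" coverage figure he describes; the device ids, dates and the certificate field are assumptions.

```python
"""Asset-inventory reconciliation for a zero trust readiness check.

Constructed example: compare a discovery scan (what is actually on the
network) with the asset inventory (what we believe we own), and check
whether each live endpoint presented a valid device certificate.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Seen:
    device_id: str                    # identity the endpoint asserts (assumed field)
    cert_expires: Optional[datetime]  # None = no device certificate presented


# Constructed inventory: what the agency believes it owns.
INVENTORY = {"lt-0421", "lt-0999", "srv-db-07", "vm-web-a1", "vm-web-a2"}

# Constructed discovery snapshot: what was seen on the network at NOW.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
DISCOVERED = [
    Seen("lt-0421", datetime(2025, 1, 1, tzinfo=timezone.utc)),
    Seen("srv-db-07", datetime(2023, 12, 1, tzinfo=timezone.utc)),  # cert expired
    Seen("vm-web-a1", datetime(2025, 1, 1, tzinfo=timezone.utc)),
    Seen("vm-web-a9", None),  # not in inventory and never enrolled
    Seen("vm-web-a2", None),  # in inventory but no certificate issued
]


def reconcile(inventory, discovered, now):
    """Return coverage (% of live endpoints that are both known and verified)
    plus the lists a security team would act on."""
    seen_ids = {d.device_id for d in discovered}
    unknown = sorted(seen_ids - inventory)       # live, but nobody claims it
    missing = sorted(inventory - seen_ids)       # inventoried, but not seen (stale?)
    unverified = sorted(d.device_id for d in discovered
                        if d.cert_expires is None or d.cert_expires <= now)
    verified_known = [d for d in discovered
                      if d.device_id in inventory
                      and d.cert_expires is not None and d.cert_expires > now]
    coverage = 100.0 * len(verified_known) / len(discovered) if discovered else 100.0
    return {"coverage_pct": coverage, "unknown": unknown,
            "missing": missing, "unverified": unverified}


if __name__ == "__main__":
    print(reconcile(INVENTORY, DISCOVERED, NOW))
```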
Microsegmentation as a future state
Barney said the move to automation to take control of your endpoints happens on an iterative but constant basis as more applications move to the cloud. He said the entire effort takes a considerable amount of close coordination with development and engineering teams.
“It is a mind boggling problem to solve. And I say 100%, honestly, you’re iterating toward 100%. I’m not sure anyone ever truly achieved 100%. What you’re really striving to do is 100% of accountability to the extent that’s possible,” he said. “Now, I will say that hardened assets, things like laptops, hard servers, those are a little easier to do. They don’t tend to come and go as easy or as frequently and you can maintain a good solid inventory of those. You’ll often have stuff deployed to them and you’ll have your endpoint detection capabilities built in so that’s a little…