Governments are increasingly looking to adopt zero-trust security models in which they treat every device connecting to their network as a potential vulnerability and continually verify them. This is not a new concept, but one that has recently become more feasible and pressing, said Paul Calatayud, cybersecurity firm Palo Alto Networks’ chief security officer for the Americas, during the event.
The push toward zero trust is spurred in part by technologies that make implementation easier and publicity that has drawn more attention to the concept, such as through President Biden’s promotion of zero trust in his recent executive order, Calatayud said. Governments’ need to safeguard personnel who are connecting via home networks has added further urgency.
Sixty-four percent of state agencies surveyed in the Center for State and Local Government Excellence (SLGE)’s State and Local Government Workforce 2021 report said that they offer hybrid or fully remote positions, with some organizations expecting to continue to provide such options well after the pandemic ends — making this a key issue.
Many government agencies that switched to distributed environments during the pandemic were at first focused on simply maintaining operations and so fell back on more traditional security models, explained John Israel, deputy CISO of Minnesota IT Services (MNIT). This saw the organizations rely on “trust-but-verify” approaches in which employees got full network access once they’d connected via virtual private networks (VPNs).
Now that agencies are past those early days of scrambling, however, it is time to look to zero trust to better safeguard systems, Israel said.
“The zero-trust journey is where we want to get everybody to,” Israel said. “With the shifts of the pandemic, there’s still heavy reliance from a lot of government organizations on VPN and the trust-but-verify model.”
BEHAVIORAL ANALYSIS
Taking a zero-trust approach and reliably verifying remote employees will require using several strategies for ascertaining that users are who they claim to be, Calatayud said. Authenticating personnel based on their login credentials only goes so far, because criminals can steal this information. That puts renewed attention on efforts to confirm whether devices’ behavioral patterns match those of trusted users.
Assessing user activity for indicators of trustworthiness as well as for red flags requires collecting and evaluating massive amounts of data, however, which Calatayud said may only be feasible for agencies using automation tools like machine learning.
User behavior data must be safeguarded from breaches, and holding onto it may not be worth the risks of compromise unless agencies are also able to analyze the data to extract meaningful cybersecurity insights, he said.
“Some customers and CISOs I talk to start to question whether or not they even want to go down an analytics strategy, because if it’s not done right, it just becomes more information that could be used against them in a liability situation,” he said.
Even ramped-up staffing levels will at some point fall short of being able to power through all the data this kind of analysis entails, Calatayud said.
“You can’t add enough people to the data set,” he said.
Not that boosting employee counts is necessarily easy to do: Israel acknowledged that governments face persistent troubles competing with the private sector’s ability to woo away talent with richer offers.
RECRUITING
Israel said that a desire to make an impact often draws people to join the public sector, but noted that hiring shortages remain and there still are some small localities that lack not only cybersecurity staff but any IT personnel at all.
MNIT has sought to better support these smaller players through efforts to share intelligence, resources and some technology with counties, and MNIT’s partnerships with private organizations and agencies at various levels of government have helped bolster defenses overall over the past several years, he said.
Still, agencies continue to look to amplify their cybersecurity power, and Calatayud said automations can help organizations get the most mileage out of their staff as well as expand their recruitment pools.
Security operations centers (SOCs) that manage to automate certain processes can then be less dependent on recruiting individuals with traditional cybersecurity backgrounds and instead expand their reach to other prospective hires who can work effectively with the AI supports, he said.
“If I can bring in AI automation and reduce the amount of human intervention and interpretation, it means I can probably change the job classification just enough that we can bring in people from outside the cybersecurity industry,” Calatayud said.
Machine learning and AI-powered automations have also enabled Palo Alto Networks to automate the work of tier 1 SOC analysis, and instead recruit analysts for more complicated responsibilities — something Calatayud said makes the job more interesting and improves retention.
*The Minnesota Virtual Digital Government Summit was hosted by Government Technology.