DHS migrating to ‘cloud-first’ identities en route to zero trust

Managing identities in the cloud will make it easier to enforce network access, says the department's CISO.
(U.S. Customs and Border Protection / Flickr)

Migrating from legacy identity solutions to “cloud-first” identities is the next step in the Department of Homeland Security’s implementation of zero-trust security, according to the CISO of one of its component agencies.

Zero-trust security requires a network’s users to provide credentials before granting them access, after which they’re typically subject to continuous validation. That remains a challenge for DHS‘s external partners, Alma Cole, CISO of Customs and Border Protection, said during an ATARC event Tuesday.

Migrating identities to the cloud will make it easier and more secure to link them with those at other agencies or companies DHS contracts with, as well as add device identities.

“We’ve all had to deal with usernames and passwords and things for all these disconnected services at agencies,” Cole said. “So having that cloud-based identity that can actually federate with other entities in a really seamless way is key.”


Once that’s out of the way, DHS can begin using policy enforcement mechanisms to control what those identities have access to on the network.

DHS will use a network access control plane and comply-to-connect (C2C) framework — as well as a software-defined network (SDN) that verifies the posture of devices, user and user authorizations and entitlements — when granting on-premise users access to portions of the network.

As for external users like remote workers, DHS plans to replace its virtual private network with secure access service edge (SASE) cloud services.

“That is probably the first real, meaningful way to start implementing some hard, zero-trust access control policies and really lock down your agency,” Cole said.

By connecting offsite users to the network via a cloud-based tunnel, DHS need only expose the applications they’re authorized to use instead of the entire network, he added.


That’s especially useful if an advanced persistent threat (APT) nation state or state-sponsored group attempts to access the network because hacking one host, desktop or laptop will no longer allow them to see everything in the environment, Cole said.

DHS’s CISO would like to see more zero-trust guidance at the federal level.

While the NSA released a basic roadmap about a month ago, agencies haven’t even begun to scratch the surface of the data provided by programs like the Continuous Diagnostics and Mitigation program, Cole said.

That will require greater zero trust maturity, which comes with implementing more security capabilities and ultimately artificial intelligence.

“It’s so all-encompassing,” Cole said. “And it’s so overwhelming.”

Latest Podcasts