The Department of Justice is focusing on zero trust and identity and access management pilots in fiscal 2020 as it adapts its security posture to the cloud and a remote workforce.
Procurements began last year, and the department now has eight to 10 pilots experimenting with different zero-trust architectures and vendors, Nickolous Ward, chief information security officer of DOJ, told FedScoop.
DOJ consolidated more than 100 data centers into 12 by pushing about 60 services — roughly 40 percent of what it delivers in total — to the cloud in the last five years, Ward said. On top of that, the department’s lawyers and agents are increasingly working remotely helping state and local law enforcement complete investigations.
As a result, DOJ’s attack surface has “expanded dramatically” at the same time much of its security perimeter has disappeared, Ward said during the Fortinet Security Transformation Summit produced by FedScoop.
The National Institute of Standards and Technology defines zero trust as the narrowing of cyberdefenses from wide network perimeters to micro-perimeters around individual or small groups of assets. No implicit trust is given to systems based on their location, and user and device authentication are required prior to establishing a connection.
Zero-trust security products will help DOJ more safely expose services in the cloud to the internet, but “none of them are bulletproof,” Ward said.
That’s where the identity and access management pilots come in to ensure the identity of every person connecting to every piece of data.
“That’s been a huge source of data breaches…we trust all these different vendors to store our data, and how do we know that they’re protecting it properly?” Ward asked.
Threat intelligence is a “mandatory” capability, and data must be shared between federal and commercial partners, he added.
Any contracts Ward puts out as CISO will require open application programming interfaces (APIs) and connections to the rest of DOJ’s security infrastructure, he said.
“If we can’t take an action within 15 minutes, a good nation-state actor is already hopping to other systems once they’ve made their initial compromise,” Ward said.
Quick threat response also requires speedy analysis of cyber data coming in. That process needs to be automated due to the “massive shortage” of cyber professionals, Ward said.
DOJ is also piloting robotic process automation and orchestration solutions for that reason.
“Automation will be something we’re looking at this year,” Ward told FedScoop. “We’re looking at things like deception technology and how it can really help us with lateral movement aspects [of breaches].”