Making sense of government zero-trust guidance

Zero trust is more than a philosophy; it’s an outcomes-based approach to coordinating both existing and new security capabilities, a Google Cloud executive told government leaders at CyberScoop’s Zero Trust Summit on April 6. He urged leaders to look beyond the individual components that go into zero trust and look at how these security components are integrated, with a focus on measuring effectiveness rather than just compliance.

Dan Prieto — the head of cybersecurity strategy for public sector at Google Cloud and a former National Security Council official — discussed how Google’s own multi-year journey to zero trust provides valuable lessons for the cybersecurity challenges and opportunities that the government is facing now. Prieto offered three areas for senior-level executives to consider when implementing zero trust.

The first is to “think about business outcomes:  — is [zero trust] making [agencies] more nimble, more agile, more able to meet the mission need?”

“If you think about Google’s own journey to zero trust, [it was] a result of being the target of a nation-state attack in 2009/2010 — Operation Aurora. We had to methodically go through the steps that the government is going through now. It took two years to plan — resources, capacity, level of effort, what we should move first — and we continue to refine it … because again, it goes back to outcomes versus compliance.”

The second thing to understand was that zero-trust security is not only about technology. “If you implement technology properly, you will be changing business processes; you will be changing mindsets; you will be changing philosophy. It’s people, process, and technology,” he said.

Lastly, Prieto said that public sector leaders need to “pick a finite, discrete, [well-defined] test case” to learn what [agencies] do well, learn what they need to do better and to “develop muscle memory.” By starting with smaller, discrete areas to implement zero trust, it’s then easier to garner broader institutional support, build momentum, and progress to more complex or critical areas.

Prieto recalled lessons he learned as White House National Security Council director for cybersecurity policy during the Obama administration, urging the audience to eventually prioritize their zero-trust efforts on high-value data and high-value assets. He also noted that the zero-trust journey for each agency will be different. Every organization needs to start from where they are – what investments have they made, what tools do they have in place – and create a migration path to zero trust that acknowledges their own unique starting point.    

He acknowledged the challenges that CIOs and CISOs face, including the fact that large enterprises can have upwards of 100 cybersecurity tools implemented in their operations. “Cyber tools continue to accumulate. The reason you never get rid of any security tools is because you’re afraid things might break. But the reality is if you start putting the ingredients of security—strong identity for both devices and users; multifactor authentication; access controls based on a dynamic assessment of device, user and context; encryption— together properly [as part of your] zero trust [efforts], you should get to the place where you can confidently start creating efficiencies, both in the number of tools you implement, but also in terms of dollar efficiencies.  At the same time, implementing zero trust can help agencies dramatically transform the efficiency and productivity of their IT teams. “The average time it takes for an adversary to penetrate your networks and move laterally two years ago was four and a half hours; it dropped 70% in one year to one and a half hours.”

In that light, he suggested that “instead of cloud [efforts] being separate from zero trust [efforts], you can bring those two strategies together, because the cloud allows you to integrate [security] telemetry to make [data- and application access] decisions in a nimble, agile, and scalable way, [informed by] data in real time.”

Dan Prieto leads public sector cybersecurity strategy for Google Cloud. He previously served as director of cybersecurity policy for the National Security Council and as chief technology officer in the Department of Defense’s Office of the Chief Information Officer.

Watch the entire interview with Dan Prieto. And find out more about how Google Cloud is helping government agencies.

Listen to a recent episode of the Daily Scoop Podcast featuring Dan Prieto discussing the progress agencies have made implementing the zero-trust executive order and what are the next steps organizations can take to bolster their cybersecurity.

This article was produced by Scoop News Group and FedScoop and underwritten by Google Cloud.