Agencies eager to build zero-trust security architectures that support increased telework are finding microsegmentation isn’t a quick fix.
Coronavirus-related telework has led agencies to adopt use cases more quickly under Trusted Internet Connections (TIC) 3.0, updated guidance for securing networks that adjusts to advancements in cybersecurity since TIC 2.0 came out in 2007.
TIC 3.0 encourages segmenting networks into “trust zones,” elastic groups of assets with similar protection requirements, but that’s only part of zero trust, said Sean Connelly, TIC program manager at the Cybersecurity and Infrastructure Security Agency.
“We are starting to talk to a number of agencies to look at microsegmentation architectures. It’s one step toward that modernization of their environment,” Connelly said Wednesday during IBM’s Think Gov digital event, produced by FedScoop. “We look at it as a way for them to secure their traffic across the enterprise, as opposed to focusing on the traditional network perimeter.”
But one unnamed federal research agency recently sought microsegmentation as the foundation for its zero-trust architecture, even though it wouldn’t solve the problem at hand, said Aarti Borkar, vice president of IBM Security. The agency regularly collaborates with international groups that need access to systems containing research data, and that access would be jeopardized.
“Everybody’s looking for the easy button for zero trust,” Borkar said. “And vendors help cause that confusion because we’re looking at it from one vantage point, one piece.”
Most agencies should prepare for zero trust to coexist with their traditional network security strategies for some time because they’re still dealing with on-premises data centers, hybrid networks or multi-cloud networks, Connelly said.
Microsegmentation is compatible with zero trust, but agencies need a detailed inventory of their assets, users and, in particular, business processes to truly understand their workflows well enough to build out security policies.
“Right now zero trust is not a complete architecture, where a lot of agencies are in a position to adopt zero trust across the entire enterprise,” Connelly said.
As the pandemic rages on in the U.S., agencies have adopted entirely new information technology platforms on outside networks to enable mobile and bring-your-own-device work.
The TIC program is distilling lessons learned from such rollouts into a zero-trust use case that will provide agencies with security patterns and capabilities to consider, Connelly said.
“So it’s going to take a while I think before you start to see a majority of agencies support zero trust,” Connelly said. “But I think a lot of those technologies are there.”