Zero trust begins with smarter password protection
Cybersecurity — and zero-trust security in particular — depends increasingly on establishing granular control over who is on the network, their roles and their privileges. For government agencies, that also means deploying more modern and effective ways to protect users from having their passwords and credentials compromised.
In a new, 12-part video interview series from FedScoop, federal CIOs and CISOs discuss strategies for reducing password-related data breaches and cyberthreats. The series, Zero trust begins with smarter password protection, was underwritten by Keeper Security and filmed between October 2021 and March 2022, and touches on several security issues, including:
How the White House cybersecurity executive order reshaped IT strategies
Several leaders interviewed highlighted how the executive order accelerated their cybersecurity timeline and reinforced existing efforts.
Don Watson, CISO for the U.S. Patent & Trademark Office, says the agency was already implementing zero-trust architecture, cloud security and supply chain risk management —and improving investigative and remediation activities. He stresses that cybersecurity was a top priority before the EO was published, and the agency’s focus was on “efforts to stabilize and secure our legacy products while delivering modernized secure products.”
U.S. Department of Commerce CIO Andre Mendes echoes similar efforts and says the EO gave “additional impetus to pursue zero-trust solutions that were already deployed at some bureaus and that were in consideration at others.”
A key takeaway from leaders was that security strategies need to lay the foundation of cybersecurity with zero trust while adopting policies that will secure technology and shape the behaviors of both IT and non-IT users.
Remote work and identity and multifactor authentication
Although telework policies and the IT systems to support them have been in place for many federal agencies, the pandemic forced nearly all employees to work remotely. That pushed agencies to rethink the future of work and how they could better secure remote networks.
The Cybersecurity and Infrastructure Security Agency realized it would eventually need to adopt a hybrid work model across many locations, says CIO Robert Costello. “CISA is taking a different approach to ensure they’re constantly identifying who’s accessing systems and data, and also tightly integrating identity management and credentialing systems as we roll out some of our new expanded offerings here for our user base,” he says.
Mittal Desai, CIO for the Federal Energy Regulatory Commission, explains that remote work made the agency reevaluate its security governance processes. It also explored more effective ways to use multi-factor authentication and monitor the access privileges of users on its networks.
Leaders agree that integrating identity and multi-factor authentication solutions was a cybersecurity best practice to reduce vulnerabilities.
Moving toward human-centric cybersecurity
Ensuring that security is easy to adopt and user-friendly can help agencies equip employees to deal with the growing threat of phishing attacks.
Robert Roser, Idaho National Laboratory CISO, says that while zero trust and the use of multi-factor authentication are critical to improving security, his organization is also tackling the culture around security with its employees. As part of the Energy Department, the lab regularly organizes spoof phishing campaigns and takes steps to think outside the traditional password approach.
“Cybersecurity is built around people consistently doing the right things. We spend a lot of our time educating and training our workforce to make good decisions concerning security,” says Consumer Financial Protection Bureau CIO Chris Chilbert. He highlights how the agency provides annual awareness training and conducts targeted training based on the employee’s role.
The future of passwords
In the end, organizations need to adopt a more modern approach to authenticating users, using a combination of unique passwords and multi-factor authentication, so that agencies can create greater efficiency, streamline access and carry out missions more effectively, says Darren Guccione, CEO of Keeper Security.
“Today, [organizations] are authenticating [users on up to] 150 applications on average; each one of those applications requires unique strong credentials,” he explains. “The only way to do that effectively is through an enterprise password-management solution. There is no other way to do this effectively because you’re talking about a parameter for an attack that is exponentially larger than it was two years ago.”
Other participants in the video series include:
- George Duchak, CIO, Defense Logistics Agency
- Jonathan Feibus, CISO, and Deputy Director, U.S. Nuclear Regulatory Commission
- Melinda Rogers, CIO, Department of Justice
- Rob Hankinson, Acting Director of Office Information Technology Infrastructure, U.S. Department of State
- Tristan Yancey, VP of Public Sector, Keeper Security
This video series was produced by Scoop News Group for FedScoop and sponsored by Keeper Security.