
EXCLUSIVE: Gerald Caron, Chief Information Officer & Assistant Inspector General for Information Technology, U.S. Department of Health and Human Services, Office of the Inspector General

Gerald Caron wears multiple hats – he is the Chief Information Officer & Assistant Inspector General for Information Technology, U.S. Department of Health and Human Services, Office of the Inspector General, while also chairing multiple working groups concurrently. OpenGov had the pleasure of speaking with him about the advantages of Zero Trust Architecture and the considerations and strategies involved when integrating Zero Trust Architecture in organisations.

A ‘watchdog’ is how Gerald described his role, which entails supporting the agency’s mission while ensuring that the parent agency is protected against fraud, waste and abuse. Part of his role includes making sure that the programmes are functioning the way they are supposed to.

With 1900 users in the agency, Gerald oversees the biggest force in the federal government doing general IT support infrastructure, applications and modernisation. Many of his clients do a lot of the data analytics and reporting, some of which goes to the federal government and the US public.

Gerald’s function gives him access to a “cross-pollination of data” and a closer look at human behaviour. Given his copious experience working with data and information from people in different sources and agencies, OpenGov Asia is keen to know what can be learnt from such a diverse group of people who are trying to achieve different outcomes using different technology. And with so much data and information at stake, Gerald’s reflections on Zero Trust Architecture and his advice for others who are also attempting to implement changes are vital.

Understanding the use case for Zero Trust

Drawing from his 20 years of experience at the Department of State, supporting 109,000 users across the enterprise, one insight Gerald has gained is that “users are a weak point for any organisation”. When thinking about malicious activities, it is the insiders who create the biggest impact, he claims, citing Robert Hanssen and Edward Snowden. However, the intent of the insider may not always be malicious. In some instances, people are merely trying to complete their tasks. When they encounter restrictive security, their solution is to find other ways to get the job done.

Although the users might not be mala fide, someone who does not have good intentions could exploit the processes that insiders undertook to complete their task. It is in light of such loopholes that Gerald believes in the importance of Zero Trust Architecture.

The key principle of Zero Trust is to ensure that people are who they claim to be in the digital space so that they can get the data that they need. It is a cybersecurity paradigm that moves defences from static, network-based perimeters to focus on users and resources. Zero Trust is indiscriminate in that it does not care if someone is an insider or an outsider. “I am going to check you at the door and I am going to keep checking you constantly while you’re inside my door,” Gerald explains.

Zero Trust is a necessity because it is simply insufficient to rely on people to flag issues. For Gerald, it is not possible for people to track data in real time, understand everywhere it is flowing, determine who it is going to, or who is active. Automation is required because of heavy data traffic and the rate at which data is created. Machine learning and AI can help to identify what normal looks like, so that when the abnormal happens, the process of rectifying an issue is streamlined.

Historically, when an anomaly occurs, the cyber security team alerts someone to look into the oddity and deploys an analyst to look into it. It is then followed by a lot of lateral movement and persistence until the cause of the issue is figured out. That process is no longer sustainable or effective given the amount of data that is created every day. In that regard, automation is the key.

Work culture and risk tolerance in a changing world

In the US, there is the NIST SP 800-207 publication, Zero Trust Architecture, issued by the National Institute of Standards and Technology. It is available to the public and explains Zero Trust. In that model, the policy engine directs the course of action in any given situation based on a set of principles. Coming up with the methodology that informs the policy engine is where organisations need to find alignment, Gerald opines.

Gerald believes that the difficulty of building architecture and coordinating integration effort is not as much about the technology as it is about understanding “people, processes, aspects of governance and risk tolerance”.

Before COVID-19, many of the practices that are now normal would have been unthinkable – mobile administration, working from home and accessing government information on personal devices. The pandemic engendered a reassessment of risk tolerances once safe and secure ways were found to allow people to work from home. It has proven that the risk people thought existed was not as extensive as they imagined. With the paradigm shift and the new measures, employees can keep organisational missions going.

Without a doubt, moving data to the cloud poses a different risk – it increases the attack surface. With people working remotely and accessing the cloud, the traditional perimeter of defence is gone. The key focus is to move the protection closer to the data now that organisations no longer have this big outer shell.

There are multiple levels of consideration when it comes to cybersecurity in the current landscape. While many people might think of devices as the fundamental facilitator of data access, Gerald first considers protection around applications before devices. The next level of consideration is the network, followed by the user.

Each level carries its own risks, Gerald asserts. Bring Your Own Device (BYOD) has a different level of risk than a fully managed laptop; a cleared government employee has a different level of risk than a public user. For Gerald, all the factors add up to an overall risk level – a dynamic risk score that changes along with the circumstances. For example, the risk factor can change the moment the same user accesses data through the cloud, tipping the conditional access policy.
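As an added illustration of the dynamic risk score and conditional access decision described above (example code written for this page, not from the interview or from HHS OIG), the factor weights, application names and thresholds below are assumptions; only the factors themselves (user, device, network, application) come from the text:

```python
from dataclasses import dataclass

# Constructed model of a policy engine in the NIST SP 800-207 sense: every request
# is scored on user, device, network and application, and the decision is made
# again for each request rather than once at a perimeter. Weights are assumed.

@dataclass(frozen=True)
class AccessRequest:
    user_type: str        # "cleared_employee" or "public_user"
    device: str           # "managed_laptop" or "byod"
    network: str          # "on_prem", "remote" or "cloud"
    mfa_passed: bool
    application: str      # resource being requested

# Risk contributed by each factor (assumed values for illustration).
USER_RISK = {"cleared_employee": 0, "public_user": 30}
DEVICE_RISK = {"managed_laptop": 0, "byod": 25}
NETWORK_RISK = {"on_prem": 0, "remote": 15, "cloud": 20}
MFA_RISK = {True: 0, False: 30}
# Per-application tolerance: the most sensitive data accepts the least risk.
APP_THRESHOLDS = {"audit_reports": 15, "analytics": 45, "public_portal": 100}

def risk_score(req: AccessRequest) -> int:
    """Dynamic risk score: recomputed from the circumstances of this request."""
    return (USER_RISK[req.user_type] + DEVICE_RISK[req.device]
            + NETWORK_RISK[req.network] + MFA_RISK[req.mfa_passed])

def decide(req: AccessRequest) -> str:
    """Conditional access decision for one request: allow, step_up or deny."""
    score = risk_score(req)
    limit = APP_THRESHOLDS[req.application]
    if score <= limit:
        return "allow"
    # If stronger proof of identity alone would bring the score within
    # tolerance, ask for it instead of refusing outright.
    if not req.mfa_passed and score - MFA_RISK[False] <= limit:
        return "step_up"
    return "deny"

def session_decisions(requests):
    """Check every request in a session; an earlier approval grants nothing later."""
    return [decide(r) for r in requests]

if __name__ == "__main__":
    # Same cleared user: on-prem, then the same data via cloud, then BYOD without MFA.
    session = [
        AccessRequest("cleared_employee", "managed_laptop", "on_prem", True, "audit_reports"),
        AccessRequest("cleared_employee", "managed_laptop", "cloud", True, "audit_reports"),
        AccessRequest("cleared_employee", "byod", "remote", False, "analytics"),
    ]
    for req, verdict in zip(session, session_decisions(session)):
        print(f"{req.application:14} via {req.network:7} on {req.device:15} -> {verdict}")
```

Running it shows the second request, identical to the first except for the cloud network path, crossing the threshold for the most sensitive application, which is the tipping effect the paragraph describes.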

The playbook for navigating organisational shifts

Bringing a change in architecture such as Zero Trust would invite resistance. For a user who needs to transition to Zero Trust, it might feel like the daily introduction of cumbersome barriers that the user has to learn and overcome. “Is there a way to mitigate this resistance and frustration?” OpenGov Asia asks.

The way to manage “the politics” of change, according to Gerald, is to refer to a playbook. One must have a strategy and a plan. When introducing Zero Trust, one needs to consider the different roles within the ecosystem. Using the analogy of a soccer game, Gerald explains the various organisational functions:

  • Players in the field: People who do the work and implementation
  • Coaching staff: Project managers and programme managers
  • Trainers: People who ensure that those in the field have the tools that they need to function
  • The Executive Suite: The CEO, CIO, and the people who hold resources and direct priorities for the organisation
  • The fans who cheer the team: The end-user population

The analogy of soccer is apt because it humanises the process and experience of getting people on board. “Everybody is important – you can’t do one without the other” because responsibility exists at every level.

In the grand scheme of change, educating the end-user is critical. “The fans would need to understand why the team is making moves on the field, the rationale for the strategies undertaken,” Gerald believes. When the fans understand the principles, it translates into revenue in the private sector.

The end-user population needs to understand why they are part of the team and the journey. The implementers must also place the end-user at the centre and lubricate the process: understand what end users like, what works and what does not. People working on bringing changes to the infrastructure have to understand how different personas like to work – how people like to work with the data they are accessing and where people locate data.

The key to change is to ensure that it is not restrictive or prescriptive. Users must bring their use cases and the IT department must meet users where they are. Gerald shares a past example where US embassies all over the world were backhauling traffic to on-premises locations or data centres to access the internet. Now there are edge computing capabilities and services that can direct users to where they want to be. This solution retains telemetry and policy management from a security perspective while gaining a performance advantage by sending users directly to the internet.

Convincing end-users of the advantages of the architecture is key. One such benefit is going passwordless. In the process of bringing in more applications and introducing Zero Trust Architecture, going passwordless makes life easier for the actual end-user. BYOD is another advantage for end-users.

Instead of having what Gerald calls network ‘anchors’ to offices and space, Zero Trust helps with mobile teams since the defence perimeter is around the data and not around locations or networks. It frees people from the need to be in a particular building or to be protected from within its walls.

Working with partners and conducting “inventory checks”

Gerald emphasises the need to work with vendors and collaborators. “We need to partner with them to be successful. They have the solutions,” he says. Yet knowing how to collaborate with vendors and coordinating the effort takes work.

First of all, it is important to get everyone in the organisation on the same page when defining Zero Trust and coming up with a standard criterion that the vendors can work with. Outlines and criteria also help to focus discussions on the organisation’s unique use cases. Otherwise, organisations will be clueless when interacting with vendors and reviewing solutions. For Gerald, it is important to conduct a self-inventory so that organisations can control the conversation when talking to vendors.

Organisations need to get clarity on their real risk tolerance. To do so, they need awareness of where their data sits, how data is classified, where data is going and which policies need to change. Governance also needs to be put in place to structure the sharing of data and the bringing of a new system into the network. The process involves managing people, processes and procedures, and understanding the organisation’s methodology.

Apart from that, it is also important to understand where people’s thresholds lie. While it is easy to be distracted by technology, the hard work is in the people, process, procedures, risk methodology, risk tolerance and politics. In some sense, nailing down the technology is sometimes easier than the non-technical aspect of the work.

When it comes to implementing changes, Gerald cautions against merely ticking boxes and being compliant. Organisations need to look deep into their processes to truly understand where the gaps and loopholes are. It is easy to get carried away with everything that is bolted on, creating the illusion that the data is well protected when the foundations are extremely weak.

“Nobody wants to go to the basement. Everybody likes going to top floors.” This creates many problems in the process. However, that is where people need to take a long, hard look.

Ultimately, Gerald asserts that introducing Zero Trust Architecture is something that happens in hybrid mode. Most organisations do not have the luxury of creating an entirely new “greenfield.” More often than not, organisations will have to build infrastructure on top of what they already have. It is in that context that organisations need not only to get themselves up to speed with technology – doing inventory checks and understanding the organisation’s maturity – but also to understand people, processes, methodology and risk appetites. After all, it is people who will be wielding the technology.
