Pentagon’s CISO warns that zero trust will ‘fail’ without automation
As the Department of Defense works to implement zero-trust cybersecurity measures over the next four years, automation tools that can assist in handling large volumes of data and an increasingly complex network must be incorporated to ensure its success, the Pentagon’s chief information security officer said Tuesday.
Speaking at the UiPath Together Public Sector summit, produced by FedScoop, DOD CISO Dave McKeown said that “there are lots of areas where automation can come into play — I think we’re going to fail if we don’t automate as we implement zero trust.”
Numerous government agencies are working to deploy zero-trust architectures, and the Pentagon has set itself a deadline of fully implementing the framework by 2027. Unlike traditional cybersecurity standards that grant users and data in a network implicit trust, a zero-trust framework requires all users and data to be continuously authenticated and authorized as they move throughout the network.
In its 2022 zero-trust strategy, the Pentagon outlined seven pillars to guide the department’s efforts — one of which is “automation and orchestration,” which calls on the Pentagon to automate manual security and other processes across the enterprise.
“We have to log everything that’s going on on the network, and that becomes very voluminous. We have to then go through those logs and look for anomalous behavior,” McKeown said. “These are things that we kind of do now. We don’t do them real well, but we need to scale that up and do that very, very well.”
McKeown noted that automation could play a crucial role in labeling large amounts of data coming in from the Pentagon’s systems, as well as data stored in its repositories.
Automated account provisioning is also being built into the identity, credential and access management (ICAM) solution being implemented across the department, he said.
“We have 10,000 information systems, at any time we may have had to have 10,000 different accounts created. We want to be able to go into a central place, create accounts, create accounts for any one of those systems, many of those systems and have it done in a reliable fashion where it isn’t the same and all of the lockdowns or permissions are correct,” McKeown said. “Automation can play a huge role there as we move forward with that automated account provisioning.”
Access control functions will also need to be largely automated in order to leverage large numbers of data points and decide which sets of data an account can access, he said.
“We want to restrict access from places in the world which are dangerous. We want to grant access when all of your tickets are right,” McKeown said. “Your computer that has been scanned shows that it is secure and we’re going to allow you and you’re going to be able to see the data that you want to look at.”
McKeown also noted that automation-powered zero trust could prevent future insider leaks of classified documents — such as those allegedly distributed online by Air National Guardsman Jack Teixeira in April.
He said the Pentagon wants to get involved with automated user activity monitoring to look for anomalous behavior, flag it and even take direct actions to stop it before excessive damage is done.
“Anytime you see anomalous behavior, like after-hours activities, people going to areas of the internet, people going to areas of the network where they’re not supposed to be — you can totally automate the reporting of that and the response to that if you wanted to,” McKeown said.