Federal CyberBytes Issue Brief #2: Chris Cleary/Will Ash.

Implementing Zero Trust in the Government

In response to the pandemic, the military made a huge shift to teleworking for hundreds of thousands of military employees. A key part of that move was instituting Zero Trust, which is the topic of this week’s Billington Federal CyberBytes podcast. We discussed the Zero Trust model with Chris Cleary, CISO, United States Navy, and Will Ash, Senior Director, U.S. Public Sector Security, Cisco.

Chris told us that the pandemic, which required moving hundreds of thousands of military employees online, pushed up the Zero Trust timetable. 

“It really was a monumental effort,” Chris said, “moving the majority of their workforce to a telework environment. And as that telework environment really pertained to Zero Trust, we learned a lot of lessons. It actually really drove our Zero Trust strategy a lot faster than we even anticipated internal to the Navy. I really tip my hat to the guys over at Fleet Cyber and 10th Fleet that had the lead for really designing the Zero Trust environment that we ultimately are beginning to adopt through a plan or that was directed through USCYBERCOM.”

Ironically, one of Chris’ takeaways from his experience with Zero Trust is the need to trust the process.

“My advice to people in industry – there’s going to be some uncomfortable days as you transition into these environments. But what we found is that with accepting that risk – with transitioning in environments, with allowing your workforce to learn how to use these tools – we’re really creating a more secure way of doing business and able to provide a secure work environment to our people teleworking. So I just say, trust the process.”

Chris believes that the process is working so well that it’s likely to continue post-pandemic.

“Some of this is going to endure. We will continue to have people teleworking; probably will be encouraging it at a higher level, for lots of reasons. But it’s all predicated on the fact that we accepted risk and we ultimately could transition to an environment that was secure to enable work and collaboration and the sharing of documents and emails and phone calls, teleconferencing. And all that has been successful.”

When we spoke to Will Ash, we asked why Zero Trust is so important to the military:

“Over time there is a massive shift in the IT landscape,” Will explained, “because users/devices in the cloud itself are moving outside of the traditional network as we know it. And with that, there are different types of users using different types of devices, many times their own. And application servers, containers, different workloads are also communicating with themselves. And on top of all that we have IoT devices that are providing another entry point of access to the network. There are different points of access, there’s a larger attack surface, and there’s increasingly more gaps in visibility to all the different points in network. So that’s really why Zero Trust is critically important in our new environment.”

The government’s challenge, Will says, is to determine whether connections are trustworthy.

“Are the users really who we think they are? Are the devices they’re using healthy? Do they have good cyber hygiene? To the visibility point, what’s connected across the entire network? What kinds of devices? Should they be talking to each other? What kind of data is in the cloud apps? Or the cloud infrastructure itself? Is this data critical? What level of criticality or sensitivity is it? And who and what accesses it?”

Asking those questions is what Zero Trust is all about. We thank Chris and Will for answering ours.

We would like to thank Cisco for sponsoring this episode.