How the Federal CISO Views Zero Trust

Amid a swarm of industry offerings that employ the cybersecurity buzzword, Federal Chief Information Security Officer Chris DeRusha described the essential components of what he considers zero trust. 


“I really believe it's rooted in three core principles: verifying every user, validating every device, and then within that, limiting access intelligently,” he said. “This is obviously a shift away from the prior trust model that assumed if a user is behind a firewall, then you know they can be trusted. Obviously, this isn't bearing out anymore.” 


DeRusha headlined the Billington Cybersecurity Defense Summit Thursday, where current and former federal officials stressed that the term “zero trust” refers to a plan of action or policy, not something any one product can claim to provide, and advocated smart budgeting.


“Zero trust is not a technology. It's not something you buy. It's a strategy,” said former federal CISO Gregory Touhill. “We've got too many folks that you know, in industry, that are trying to peddle themselves as zero trust vendors selling the same stuff that wasn't good enough the first time.”


The definitive government document on the zero-trust concept is the National Institute of Standards and Technology’s Special Publication 800-207, a final version of which was published last year after multiple rounds of public comment. Speaking at the conference, NIST’s zero-trust lead Alper Kerman said it was the result of consultation with members of the industry who first came up with the term and other early adopters.


“Government's been working towards this framework of zero trust for a while,” DeRusha said. “In earnest, in the past few years, agencies are building out really strong foundations around identity and credential access management. We' ..
