CISA Q&A: The Road to Continuous Monitoring and Zero Trust Access Control
Authored by George V. Hulme
Two of the most important trends in cybersecurity today are continuous security monitoring and the implementation of zero trust access controls. In the federal government, continuous monitoring and remediation fall under the purview of the Continuous Diagnostics and Mitigation program, known widely as CDM. CDM kicked off in earnest in 2014 and maybe one of the most ambitious cybersecurity efforts ever.
Led by the Cybersecurity and Infrastructure Security Agency (CISA), CDM aims to strengthen federal government networks and endpoints through continuous monitoring for technology vulnerabilities and risks and prioritize managing those risks based on their potential impact. The program kicked off in 2014 and today consists of cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture.
While a big focus of CDM is on dynamically searching for threats and vulnerabilities within agency networks, the focus of zero trust access is to ensure all entities requesting access to systems are actually who or what they purport to be and that they have the permission for the level of access they seek. That means nothing on the network is “trusted” until their identity is established. Today, zero trust access control is a significant focus within both the government and private sector. According to the research firm MarketsandMarkets, the worldwide zero trust security market will reach nearly $52 billion by 2026, up from roughly $20 billion last year.
Ross Foard, IT Specialist at CISA, knows the challenges associated with CDM and the importance of zero trust and identity and access management firsthand. CISA leads the national effort to protect and enhance the resilience of the nation’s physical and cyberinfrastructure. Before his current role at CISA, which he has held for five years, Foard worked as a director at Oracle as an identity, credential, as well as an access management consultant on Department of Defense and civilian projects. He also previously worked at the Department of Homeland Security for nearly three years.
In this interview, we talk with Foard about his longtime career in security and the current trends he sees surrounding CDM and zero trust access control.
Thank you for taking the time with us today, Ross. Could you tell us how you got started in information security?
Information security is an outgrowth of other things that I was doing early in my career. My first career was actually as a submariner in the US Navy, and all of those systems were analog systems on a submarine with some minor exceptions.
When I left the Navy, I went to work for a large manufacturing company. In the manufacturing world, the operational technology and the information technology systems were very closely aligned, so information security is part of operational security. We worked on everyday systems, from mainframes that delivered the process and management for operations to the process controllers that make the processes work.
As the nineties unfolded, I went back to school and earned a computer engineering and electrical engineering degree; thanks to the company that sent me and allowed me to do that while I worked there. By the end of the nineties, small-scale information technology systems, primarily based on Windows and Linux systems, were central in delivering these services and they were increasingly becoming web-based systems.
So I moved from operational technology and IT to IT and web technology. That was really when we started to think about network security, such as firewalls and intrusion detection systems, and identity and access management. I got involved in information security by thinking about how exposure to the internet changed security.
That was a fascinating time in information security. Every organization was connecting to the Web, and few knew how to secure themselves. What was it like being a security practitioner at the time?
I’ll talk about the part of the industry that I targeted myself to work in and the part I am most known as an expert, and that’s identity and access management. I left the operational technology company to join a large telecommunications company in the late nineties. There I was tasked with putting an extensive knowledge base on the Web because we wanted to provide access to share the knowledge we had within our engineering team.
The question became: who should get access to that information? How do we control that access? There weren’t a lot of good answers at that time. We did have LDAP. We put an LDAP service on there, but understanding what people in that LDAP should have access to which parts of the system we were building was difficult to answer.
The tools that were available for that level of identity management were nascent. Netscape Publisher was the first tool that enabled you to publish content in a structured manner to the Web. That was the tool we used in 1998. We did the best we could. But the identity challenges were clear, and I decided to make identity and access management a focus of mine. I realized that trying to determine who should have access to what resources were a problem that was never going to go away. We are still building the tools and the capabilities to do that.
One of the first implementations I worked on was for a federal agency that managed sensitive financial services information for the work they did in conjunction with the private sector. We built an identity and access management system for that. In those days, the only option was to roll these tools on our own. There was a product at the time, Waveset, that helped us. We used that to build custom identity management capabilities on top of our LDAP system. That was a very good starting point for extending the capabilities that commercial products could deliver for the government regarding identity and access management.
Can you tell us about the CDM program and your involvement there?
The CDM program is very ambitious. It essentially covers four aspects of security. It starts with asset management: knowing what assets are on your network and how they’re configured so that they can be secured. The second aspect is identity and access management. Primarily, we are focused on identity governance and some of the essential measurements that are important to measure for governance. Finally, network security management is a broader domain, and it has more interconnected parts of network management, such as incident response when something is going on. Finally, there is data protection management. I mention that last because you need all of the other aspects I mentioned — asset management, identity management, and network security management — in place to protect data.
CDM is designed to cover all of that. We don’t do everything here, but we do choose essential aspects to focus upon. We provide tools for agencies to deploy to help reduce their risks around these four areas. We provide a dashboard for the agencies to look across the different types of devices and get an aggregate view of the risk in their environments. There’s also a summary of information that is available across the federal environment.
What’s the role of identity management in that program?
The first area is trust. We help agencies ensure that they’re vetting their people when they’re on the network. The primary focus is on employees and contractors, those people who are vetted personnel on the network. We also make sure that people are trained. We have an initiative called Behave. Behave is about making sure personnel undergo annual cybersecurity training.
The federal government also has a firm position around credential management. That’s primarily in the guise of the PIV (personal identity verification) card. The PIV smart card ensures the proper binding of trust to the identity of the individual. And PIV cards now extend to other authenticators or derived PIV authenticators on mobile devices and more. These credentials are always derived from a position of strength with the known identity of the individual.
The other area that we are tackling is privilege access management and the different tools that help with those challenges. Properly managing these accounts is a big challenge, especially for those administrator accounts. Ensuring those accounts are adequately controlled with the least privileges and a solid understanding of what resources they’re accessing is essential.
You mentioned that identity is an integral part of CDM. Could you explain a little bit about how identity is foundational to that program for those who might not understand?
Absolutely. I talked about how the first part of CDM is asset management. That helps to identify all the devices that are on the network. And each of those devices has people that operate them. That’s where identity comes in. The primary identity focus for CDM currently is to ensure that people are using their PIV card to access those devices and their workstations. It’s critical.
But it’s also been challenging during the time of Covid-19. That’s because some of the initial vetting we used to do in person we can’t do right now for some agencies. They are taking other measures for their vetting, and they’ve issued temporary cards that provide the same technical strength.
We are also beginning to link identity governance tools, such as SailPoint, to our privilege access management tools such as CyberArk. Those are some of the tools that agencies have acquired under CDM. That way, we can detect if people have been given privileges that they shouldn’t.
All of this identity information gets reported into the agency dashboard along with all the asset information. The asset information details what devices have vulnerabilities and if they’re patched. In that same dashboard, all the identity data regarding users within an agency is aggregated with information about what resources they can access.
I imagine it takes time to get that in place, but the benefits are high once it’s all there.
It takes a long time to build the maturity required to use these tools in an operational environment. But there is a great deal of functional value provided by using the analytical tools. You can determine when things are not appropriate for a user, such as having more access than they need.
Some agencies have been working on this problem for a decade or more. They have a fair amount of maturity. While other agencies are mature in certain areas within the agency and are still working on others. And that is a lot of the reason for CDM. CDM is trying to help them expand their mature operational capability across their agency and get an enterprise view of their users.
While some other agencies are very small, in the federal government, CDM provides a shared service for them. We hope to offer them a number of lighter-weight, more appropriately sized identity and access management services in the future.
When you look at identity management, what do you see as some of the biggest trends in the years ahead?
I think identity management continues to be an essential and central part of security. I also think the industry is moving to more dynamic decision-making when it comes to access control. This includes analytical engines that look at patterns of what people are usually doing. Those engines can then issue alerts or make decisions to stop a particular activity or ask for an additional level of authentication when they see behavior that hasn’t been demonstrated before or otherwise seems unusual. I think such behavioral analytics is going to be an essential aspect of the future.
I do like the term zero trust. One of the things that I like about that term is that you have to validate the trust.
You are responsible every time you decide to allow somebody onto a network to get information or access a resource. The decision to grant that access has to be a decision made with eyes wide open. It’s essential to look for the right signals to provide confidence that the device and the user are both known. And that if the user is using a second factor of authentication, we can have a much higher level of assurance that he is who he says he is and that he’s asking for a resource that he’s either explicitly allowed the established rules or at least we’ve seen that behavior before.
When this type of information is added together, we can make good decisions at the point of entry. We can continuously look for anomalous things. We always have to consider that something may not be the way we expect, and the system needs to adjust accordingly when it recognizes abnormal behavior.
It’s fascinating how far we have come with identity management over the previous two decades. How important does the role machine learning play in your vision?
It’s essential. When these behavioral management tools first started to come to the market, the first general was essentially role-based and dependent on coding those rules to find anomalies. But the generation from the past few years is often based on machine learning that uses analytical engines to build algorithms that seek anomalous behavior. Having an adaptive system that uses machine learning to look at common patterns is the best way to go.