Trust no one: VA’s mindset for the digital world

The nation’s increasingly complex computing environment constantly withstands ever-evolving attempts to hijack data resources, compromising sensitive information. In 2020 and 2021, ransomware attacks on SolarWinds’s Orion software and Colonial Pipeline’s billing infrastructure exposed significant security weaknesses in the government’s software supply chain, impacting private and federal computer systems.

To help protect the United States from increasingly sophisticated cyber threats, the White House issued Executive Order 14028, Improving the Nation’s Cybersecurity, “to ensure baseline security practices are in place, to migrate the federal government to a ‘Zero Trust Architecture,’ and to realize the security benefits of cloud-based infrastructure while mitigating associated risks.”

In January 2022, the Office of Management and Budget (OMB) issued Memorandum 22-09, setting a national Zero Trust Architecture strategy. The memorandum requires federal agencies meet specific cybersecurity standards and objectives by the end of the Fiscal Year 2024 to reinforce the government’s defense against persistent threats.

Why Zero Trust?

A Zero Trust security model modernizes an organization’s cybersecurity posture by focusing on securely connecting users and devices to applications and data, not just to networks. The goal of Zero Trust is to make it impossible for bad actors to access an organization’s digital resources even if they successfully breach the network.

Previously, perimeter-based defenses protected federal government networks trusted anyone with access within that perimeter. With the increased use of telework, cloud services and “Internet of Things” devices, defending the perimeter is increasingly complex. The Department of Defense’s Zero Trust Reference Architecture cited in OMB’s 22-09 memo states the foundational tenet of a Zero Trust Model is that “no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access.” Instead of blindly trusting anyone within the perimeter, Zero Trust implementations connect users to applications on an ongoing basis.

Zero Trust 101

The Zero Trust approach to cybersecurity says you shouldn’t grant implicit trust to a user based on a single successful login to a network. Zero trust follows these core principles:

• Never trust; always verify. Every time a user, device, or application tries to make a new connection attempt, that attempt is rigorously re-authenticated and authorized. It is not simply trusted because it’s coming from inside the network.
• Implement least-privileged access. Only grant users and applications the minimum amount of access rights necessary to perform their task.
• Assume breaches. Assuming initial network access could be a violation encourages teams to plan for worst-case scenarios and to build robust and tested incident response plans so that, when attacks occur, responses are rapid and well-practiced.

Successful Zero Trust implementations deliver a user-friendly experience. Multi-Factor Authentication and Single Sign On mechanisms make it easier for users to access the resources they need throughout their workday. Zero Trust also uses behavior-based analytics and privileged access monitoring to improve and personalize user access policies, leading to simplified network infrastructure and more robust defenses against cyber threats.

CIO’s vision on VA’s transformation to Zero Trust architecture

Guarding VA’s network is a priority for the Office of Information and Technology, and we are establishing a clear Zero Trust Architecture security strategy. We are identifying and executing a strong, risk-based roadmap to implement the critical pillars of this strategy by:

• Enforcing strong verification of users.
• Ensuring all connecting devices are healthy.
• Using rich telemetry and advanced algorithms to detect attacks, and to isolate and remediate potentially impacted resources.
• Enforcing least-privileged access.
• Protecting sensitive VA data as an alternative line of defense.
• Assuring the health of our IT supply chain by enforcing strict security requirements on our third-party software and service providers.
• Assuming and planning for VA network breaches.

As VA moves to a Zero Trust environment, users will benefit from enhanced authentication and monitoring practices. These enhanced practices and services will create a secure technological backbone that enables VA to safeguard Veteran data. Only through security excellence can we maintain Veteran trust and deliver high-quality, reliable IT products and services our nation’s Veterans deserve.