As more governments move toward zero-trust security architecture, the most important trust to aim for is that of the people whose data is being safeguarded, Washington Chief Information Security Officer Vinod Brahmapuram said Tuesday.
Speaking during an online event hosted by Scoop News Group, Brahmapuram said zero-trust security, in which security measures are implemented on every level of a network and all devices and users are considered potentially malicious, should be included as part of any modernization effort as state governments grow more wary of online threats.
“It’s part of what we should all be doing, which is modernization,” said Brahmapuram, who is currently overseeing a consolidation of cybersecurity practices across state government.
That consolidation, which was brought on by the state’s exposure to a breach in the Accellion file-transfer appliance that also swept up many other large organizations worldwide, makes Brahmapuram responsible for setting statewide cybersecurity standards, which all agencies will be required to follow.
And while overhauling security practices to make them more rigorous by segmenting networks, requiring stronger passwords and limiting user access may ruffle some feathers, he said Washington’s journey toward a zero-trust framework is all in the service of the state’s 7.7 million residents.
“The trust of citizens is the most important element,” he said. “You may not make some people happy along the way, but that’s what you do.”
But zero-trust security is not so much a single tool as it is a broad, policy-based approach.
“Zero-trust is not something you buy and open out of a box,” said Christopher Montgomery, the chief strategy and innovation officer for Dell’s state and local government practice and a former CISO of New Jersey Transit.
Montgomery also said that after a period in which governments were aggressively implementing new technologies as part of their COVID-19 responses, it’s time to put them under closer scrutiny.
“We turned things around with customers very quickly over the last 18 months,” he said.
Brahmapuram said that his zero-trust policy is based on balancing user identities and devices with how they interact with what he called government’s four main IT assets: the network, critical infrastructure, applications and data.
“We know how to include those technologies into our operation,” he said. “What does this all mean? We are getting better.”