The breach of the U.S. Office of Personnel Management (OPM) in 2014 and 2015 was a cybersecurity wake-up call, not just in the government sector, but across private industry as well. The breach laid bare deep vulnerabilities in existing cybersecurity models and exposed security clearance background investigation information on approximately 21.5 million former and current government employees.
For Tony Scott, who was federal CIO when the breach was discovered (but after it had taken place), this was a watershed moment, and a harsh welcome to his new job.
It was also a critical turning point in raising the awareness of the Zero Trust model of cybersecurity, an architectural model I created in 2009 while at Forrester Research. The government’s official report on the OPM breach provided specific guidance for federal agencies to promote a Zero Trust security model.
Without getting too deep into the technical weeds, Zero Trust eliminates the idea of a trusted internal network and an untrusted external network. Instead, all traffic and users are treated as untrusted. All resources are accessed in a secure manner, and all traffic is logged and inspected. Security, therefore, becomes ubiquitous throughout the infrastructure.
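The model just described can be made concrete with a small policy engine. This is an added illustration, not code from the interview or from any Zero Trust product: a legacy perimeter check that trusts anything "internal" is placed beside a default-deny check that requires an explicit rule (identity, role, two-factor status) and logs every decision. The resource names, roles and sample request are constructed for the example.

```python
# Added example: perimeter trust vs. Zero Trust default-deny with full logging.
# All names, roles, resources and the sample request below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa: bool        # did the user complete two-factor authentication?
    source: str      # network segment the request arrives from
    resource: str    # what is being accessed
    action: str      # read / write / admin

# Explicit allow-list keyed by (resource, action). Anything absent is denied:
# "I can connect it, but should I connect it?" is answered here, per resource.
POLICY = {
    ("bg-investigations-db", "read"):  {"roles": {"investigator"}, "mfa": True},
    ("bg-investigations-db", "admin"): {"roles": {"dba"},          "mfa": True},
    ("intranet-wiki", "read"):         {"roles": {"staff", "investigator", "dba"},
                                        "mfa": False},
}

def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything arriving from the internal network is trusted."""
    return req.source == "internal"

def zero_trust_decision(req: Request, log: list) -> bool:
    """Default deny; allow only when an explicit rule matches; log every decision.
    Network location is deliberately not an input to the decision."""
    rule = POLICY.get((req.resource, req.action))
    allowed = (
        rule is not None
        and req.role in rule["roles"]
        and (req.mfa or not rule["mfa"])   # MFA required only where the rule says so
    )
    log.append(f"{'ALLOW' if allowed else 'DENY'} user={req.user} role={req.role} "
               f"mfa={req.mfa} src={req.source} {req.action}:{req.resource}")
    return allowed

def compare(req: Request, log: list) -> tuple:
    """Return (perimeter verdict, Zero Trust verdict) for the same request."""
    return perimeter_decision(req), zero_trust_decision(req, log)

if __name__ == "__main__":
    audit = []
    # Constructed case: internal workstation, plain staff role, no MFA, reads the clearance DB.
    r = Request("jdoe", "staff", False, "internal", "bg-investigations-db", "read")
    print(compare(r, audit))  # perimeter model allows it; Zero Trust denies it
    for line in audit:
        print(line)
```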
Tony, who is back in the private sector as CEO of the Tony Scott Group, was federal CIO at the time the OPM report was issued. Based on his experiences in the government and as former CIO of technology pioneers such as VMware, Microsoft and Disney, Tony has become an ardent supporter of Zero Trust.
I feel honored to have spent some time chatting with Tony recently and sharing our conversation with readers on SecurityRoundtable.org.
Tell us about your experience with the OPM breach and how it led you to Zero Trust.
The OPM breach happened before I joined the government, but it wasn’t really discovered until I was there a couple of months. It had the effect of focusing our attention on cybersecurity very quickly. We started looking at the root causes for the OPM intrusion and looked beyond OPM to other agencies. Is there potential for the same problem there? It was, to say the least, an eye-opening experience. It caused us to look even more broadly—how did we get here, why do we have such old legacy systems, why is security so darn hard in the federal government. That led me to a number of places and foremost was the need for Zero Trust.
What is it about Zero Trust that attracted your attention and earned your enthusiasm?
The biggest advantage is that it explicitly allows the collection and transfer of information by design, versus open models that basically let you transfer everything, including stuff that is either unnecessary or bad. The core design principle that’s built into most technology is that you can connect anything. It’s very rare that we find challenges in connecting and transferring. But what we fail to do in design is ask the next obvious question. What SHOULD we connect? Zero Trust starts to get to solving that very important second question: I can connect it, but should I connect it?
How did you come to Zero Trust?
When I was CIO at VMware, we were one of the companies that was pioneering micro-segmentation in the network space, which kind of has a Zero Trust concept behind it. So, I had already seen the benefits of that. When I started looking at the root causes of the OPM attack, I realized that most of the technology the government was using—and frankly, the same thing applies in the public sector—was designed and implemented way before there were the kinds of security and privacy concerns that we have now.
Most technology was designed for maximum interoperability, not Zero Trust. Interoperability is great when you want it and need it, but when it comes to cybersecurity it occurred to me that this is actually the opposite of what we really want. That was really the beginning of Zero Trust for me in the federal government.
Was Zero Trust something you started right away?
OPM was an eye-opener for everybody, so we first launched a number of things to right the ship. For example, much faster adoption of two-factor authentication; reducing the number of systems administrators; reducing the number of people with privileged access. Basic hygiene to reduce the attack surface. After the initial purge, we started talking about the longer term, whether there were more structural, fundamental things that could be done. Zero Trust was one of the elemental building blocks.
Obviously, Zero Trust was a new concept. How did you get people to buy into it?
The first thing is creating awareness. This is a long journey. First you have to get mindshare. You do that by talking to people through education, reinforcing the message, highlighting good examples.
Second, you see certain opportunities. The government is so big, you can’t even think of trying to eat everything in one bite. But there are new initiatives, new programs, places where significant changes are warranted. Those become the insertion points for new ways of thinking and new technology. So, initially there are key initiatives that allow you to gain momentum over some period of time.
How do you characterize the value of Zero Trust in business terms?
With Zero Trust you get a dramatically improved cybersecurity footprint at dramatically lower costs. Those are two great places to start. Of course, you have to implement it the right way, maintain and support it. But better cybersecurity and lower costs are definitely the beginnings of a winning hand.
What message would you give to a CIO or other decision-makers in business or government today about Zero Trust?
First, this is a conversation you want to have with your teams. Do you understand what Zero Trust is, the importance of it, how it can help to dramatically improve cybersecurity in your environment?
Second, if you “get it” and want to do it, what help do you need? Quite often that can be a need for funding, sponsorship, education, technology, personnel. I’ve always found that responsible leaders find ways to satisfy those needs and conditions if it’s something they truly believe in.
Third, pick your spots. Not all business cases are equal. Figure out a healthy way of prioritizing. Find the most compelling use cases. This is one of the most important and necessary steps to take early in the journey.
Thank you, Tony. It’s been a pleasure talking with you. Before we close, is there any other advice you would want to give to business and cybersecurity leaders in government and the private sector?
There’s a fundamental concept I have learned over and over again as a CIO. It’s the age-old joke: “How do you get to Carnegie Hall? Practice, practice, practice.” It’s the same in building a strong cybersecurity environment: Practice, practice, practice.
In cybersecurity, you have to build up a set of skills and an environment and do that over and over and over again. You’ll get really good at it over time. My advice to organizations with Zero Trust is start practicing as soon as possible. There’s a tendency in the industry to do too much analysis and too little implementation. I certainly favor appropriate analysis, but I say let’s focus on implementation and getting the job done.
Tony Scott is CEO of the Tony Scott Group and a Senior Advisor for Security and Privacy at Patton Boggs, a prominent international law firm. Prior to that, he served as the third federal CIO for the U.S. government, appointed to that role by President Barack Obama in February 2015. Earlier in his career, he was CIO at VMware, CIO at Microsoft, CIO at the Walt Disney Company, and CTO at General Motors Information Systems & Services.
John Kindervag is Field Chief Technology Officer at Palo Alto Networks. Previously he was Vice President and Principal Analyst on the Security and Risk Team at Forrester Research. John is considered one of the world’s foremost cybersecurity experts and is widely known for creating the Zero Trust model of cybersecurity.