Zero Trust Will Bolster Security Architecture at HHS OIG
The agency’s CIO discusses how monitoring will be key to its future security strategy.

As agencies face new security threats, the Department of Health and Human Services’ Office of Inspector General is looking to zero trust frameworks to secure its IT infrastructure.
CIO Gerry Caron said that zero trust should serve as an agency’s security architecture.
“We’ve typically done security in stovepipes. The network people would do their thing, the identity people would do their thing, but what we’re talking about with zero trust is a true integration of all our security so that it all works together because we have to make risk-based decisions … then take appropriate actions,” Caron said during an ATARC webinar this month.
President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity has accelerated efforts for agencies to develop zero trust strategies.
“I think the executive order has definitely, with a high emphasis on zero trust, made it very well known from the top down that zero trust is very important. As a result, monitoring is a big part of that,” Caron said. “This spirit of the [order] is trying to get us to a more effective place with our cybersecurity and not just compliance.”
As agencies move to the cloud, data flows in a different direction and resides in a different location. Caron said that as agencies monitor their data, they need a baseline of what’s normal.
“What does normal look like? You have to understand what normal looks like when you’re protecting data,” Caron said. “That monitoring is very important … This takes a village, and you have to get everyone bought in.”
COVID-19 drastically impacted security infrastructures and, in turn, influenced how security teams operated across the cyber landscape. Caron explained that one of the largest challenges brought on by the pandemic was the ability to conduct quick assessments of risk tolerance.
“We understood what our new risk tolerance was as a result. What we would deem as ‘too risky,’ we ended up doing because we were quickly educated and understood how to do it securely and know what our new risk factor was,” Caron said. “When people talk about zero trust, it’s always about the technology, the policy, the risk, the methodology and all the players that need to participate … that non-technical part is just as important.”
Even though HHS OIG has almost fully migrated to the cloud, Caron is looking to launch new ideas and further modernize solutions to create a “true zero trust architecture.” The first step in this modernization journey is understanding the solutions inventory, landscape and architecture to see where new solutions fit, then prioritizing specific projects.
“I know where my gaps are as a result of that inventory … of different functional areas of zero trust,” Caron said. “Then what do I need? Then conduct market research to fill those gaps.”
As organizations are starting to implement zero trust, Caron noted that the foundation of zero trust is protecting data. People both internally and externally, as well as devices, must have limited access to data until organizations are able to conduct a risk assessment.
“It’s the right data to the right people at the right time,” Caron said. “If you do it correctly and follow the true principles of zero trust, you trust no one and you assume a breach.”
“A lot of people are embracing [zero trust] … but I find that there is still the education that’s needed on what zero trust truly means,” Caron said. “I think people are starting to learn, the right people are getting involved, the [order] has senior management attention, so I think that’s a great thing.”