There’s finally a chill in the air, and Thanksgiving is right around the corner. I for one am happy to finally be in sweater weather! 

Anyone who has worked in IT or cybersecurity for more than a short time knows that our field has its fair share of trends and buzzwords. Recently, you can’t pick up a trade magazine or read a blog post without seeing the phrase Zero Trust. You’ve probably seen it used in many different contexts to mean many different things. But what does it mean to us, and what’s the real, practical effect on how we do our jobs? Is there substance to this trend from an industry perspective or will this end up being the next buzzword that we look back on a few years from now?

Zero Trust really isn’t that complicated— it simply means that we design and build systems with less implicit access bundled in, but rather explicitly define access to resources, networks, and data. It’s a pretty basic concept, and it’s easy to see how fewer assumptions about access rights makes for more secure systems. And with the publication of the Federal Zero Trust Architecture, it has moved from an industry trend to a necessary strategy.

This simple concept can be applied across many different domains; here’s just a few examples:

• In networking, it means that we stop thinking about a traditional castle-moat network design, in which our firewall is relied on to keep out all the bad actors, and once you’re inside everything is readily accessible. Zero trust assumes there is no network edge, so all resources require continuous validation for access to be granted.
  
  
• In identity management, this means that a user’s identity becomes the new network perimeter. Authentication and authorization become more important than ever, and applications must explicitly define access based on roles and entitlements, and not just because the user has a valid NetID.
  
  
• At the system level, zero trust is really just an extension of an older practice called least privilege. How we manage elevated access rights on individual devices and groups of devices matters, and tools like LAPS, PIM, and 1Password can help sysadmins follow good habits without adding too much overhead.
  
  
• In application management, it means designing apps with more granular role definitions and not baking in access to a “default” group (especially if the group is defined as “anyone with a NetID”).
  
  
• In the public cloud, zero trust design principles have been used from the very beginning—access to any resources that you provision in the cloud must be explicitly defined, and it has always been best practice to scope that access as narrowly as possible.

One final point: it is important to think about zero trust as more of a guiding principle—like defense in depth or least privilege—and not as a binary state or a goal to be achieved. We will never really arrive at a place where we say “we did it; we’re all done working on zero trust now!”. In fact, CISA has defined zero trust as a maturity model, which should set the expectation that this is a journey, and not a destination. Every time we make a decision that removes some implicit access, and instead requires it to be explicitly defined, we make our campus a little more secure. Our zero trust journey will be hundreds of small steps, not one giant leap.

Help us get the word out! We’re hiring four new team members in four different teams. We’re trying something new — there will be a single job posting, and all applicants will be able to be considered for each of the jobs. All four positions will be at the Security Analyst II level, so we are looking for candidates that are early in their career and interested in learning on the job:

• The Cloud & Platform Security team is looking for someone who will design and implement network security solutions in the big 3 public clouds, and work closely with the cloud engineering and networking teams on topology, routing, and capacity planning from a security perspective.
  

• The Identity Security team is seeking an engineer who will help build workflows and design processes for our new identity platform (SailPoint IdentityNow), implementing technical controls around authentication, authorization, password management, multi-factor authentication, single sign-on, and federated identity.

• The Security Operations & Forensics team is looking for a security analyst with a strong background in networking fundamentals to help protect and secure our campus network. A strong candidate will have experience with segmentation, routing, firewalls, the OSI stack, along with basic scripting/programming.
  

• The IT Risk, Policy & Compliance team is looking for a detail-oriented, customer service-focused professional to join our Field Team to perform in-depth information security and risk assessments, audit readiness checks on information resources, and other risk and compliance-related projects.
  

If you know someone who might be interested, or someone you’d like to join our team, send them over to http://u.tamu.edu/security-jobs. Post an announcement on your Linkedin profile—the wider we spread the word, the better our chances at attracting great talent!

• A tabletop exercise focused on a security-related business continuity event (ransomware) was conducted in October in coordination with IT Operations, IT Architecture, and IT Engineering. This was the first tabletop exercise conducted by Texas A&M since before the pandemic. Look for more exercises like this to follow!
  
  
• Garrett Yamada presented a Technically Speaking in October about the work happening inside the Identity Security team, and the roadmap for authentication, authorization, and certificate management.
  
  
• Security Operations & Forensics onboarded 15 new Cybersecurity Apprenticeship Program (CAP) students after an extensive and competitive interview process; specialized training in cybersecurity threat hunting and other advanced topics are already starting.
  
  
• The Identity Security team has been auditing accounts as part of the SailPoint project. An access logic bug discovered that led to the successful removal of inappropriate VPN access for ~10,000 accounts.
  
  
• The Cloud & Platform Security team enabled FERPA detection in our DLP platform across endpoints, cloud platforms, and email; 103 remediations were processed in the first month alone.

Just in the last month:

• 843M malicious websites blocked; 99% of all network connections from internet blocked at firewall 
• 45B cyber attacks and malware blocked
• 252 petabytes of network data scanned
• 66k computers monitored; with 4.9B endpoint processes analyzed
• 125M mail messages scanned for spam, phishing, viruses; 70M messages blocked at gateway
• 7,795 public data shares detected and investigated
• 2.6M Duo auth events recorded across 256k active NetIDs
• 179k devices tracked in the IT asset management system

I want to thank each one of you for all your hard work and dedication; your efforts do not go unnoticed. I encourage you to share your thoughts and suggestions with me at any time, and you are always welcome to schedule a meeting with me. 

Adam Mikeal

Associate Vice President and Chief Information Security Officer