Zero Trust SecOps service design
Reducing risk at U.S. Centers for Medicare and Medicaid
Outcomes
Americans protected by higher application security
Developer teams engaged
%
Control statements addressed
%
Security posture increase
Observe
Case Context
The client business unit is an IT department providing the cloud-based and on-prem infrastructure on which 200+ application developer teams build their apps. These applications serve end users, medical providers, health systems, drug & appliance manufacturers, and benefits providers. Many applications contain personal identity and health information and are required to meet the highest standards of safety and compliance. Federally mandated security protocols have recently been required to update to the principles of Zero Trust.
The IT office works closely with governance, finance, and communications offices to serve the ecosystem of app developers. Developer teams, along with many components of the offices, are composed of a mix of federal employees and contractors. Organizational complexity combined with multiple overlapping contract conditions creates an environment that requires robust networking, planning, and communication to succeed.
Zero Trust is a countercurrent to traditional perimeter-based security practices. Published Cybersecurity and Infrastructure Security Agency (CISA) guidance helps us get better at employing accurate, least privileged, per-request access to information systems and services facing a network “assumed to be compromised”. This guidance means that every resource should be untrusted until proven otherwise. Most of what’s published on Zero Trust Architecture (ZTA) dives into the technical requirements and engineering processes that flow toward a given Zero Trust Maturity (ZTM) while offering instruction on what it may take to reach the successive maturity level. This work aimed to highlight the people side of the digital transformation equation.
Stakeholders
Application development teams, compliance managers, IT business unit.
Role
Service Design Strategist, Information Systems Technology.
Collaborators
Security Architect, Security Engineers, Governance Experts, Business Owner, Component Director.
Reflect
Design Principles
We group efforts into three areas of exploration.
People: The solution starts with the people who make it happen.
Platform: Solutions need to map to existing system opportunities and limits.
Playbook: Any intervention should be clearly documentable and explained.
Stakeholder engagement is paramount to getting any large-scale systems changes implemented. We conduct detailed customer and stakeholder scenarios to identify those areas with the highest risk and lowest barrier to change for quick wins and demonstration of concept. We roadmap the breadth of the project with editable service blueprints for agile iterative operations.
Methods
- Stakeholder map
- User interviews and ride-along
- Archetypes and Personas
- Cluster analysis
- Data mining
- Service blueprint
- Gap Analysis
- Value feasibility analysis
- Stakeholder training
Software
Figma, Coda, Confluence, Jira, Dovetail, Contentful, Mural, Miro, Kumu, Excel
Act
Implementing Zero Trust principles with existing SecOps is not a monolithic operation but an ongoing and often zigzag process involving identity, infrastructure, networking, applications, and more. It quickly becomes evident that moving toward a Zero Trust Architecture (ZTA) requires cross-functional, interdisciplinary collaboration between DevSecOps experts, governance specialists, and business process influencers. Operations need clear, visual, repeatable guidance to develop toward common story goals across teams.
Selected artifacts from Zero(/}Trust
Bonus Material
To socialize Zero Trust, we create a type font-based logo. We can embed (/} across developer platforms and input devices. The Zero(/}Trust initiative leaves its brand mark in line. The logotype conveys all three aspects of people, platform, and playbook. The type logo reads as a fictional code command, an operation, and as a face.
ZERO(/}TRUST
OBSERVE:
System diagram, people, technology, & zero trust principles.
This map brought systems-level thinking to the various stakeholders, allowing quick visualization of the many system influences. Teams could find the right people, software, and vendors and make informed decisions, ultimately resulting in a more comprehensive, deliberate, and precise research and development approach.
REFLECT:
Gap analysis research findings and recommendations samples.
Strategic pillar-based project roadmap.
ACT:
Service blueprint to organize (/} team with IT and the software supply chain.
Retrospective journey map of a software development team transition from one enterprise service to the (/} augmented service.