
The U.S. Patent and Trademark Office is taking a huge step to reduce the cyber risks from its employees.

Time and again, cybersecurity research finds the employee is the weakest cyber link. The fiscal 2020 Federal Information Security Management Act (FISMA) report to Congress said two of the top three risk and vulnerability assessment findings were directly related to employees: spear phishing weaknesses and easily cracked passwords. The Office of Management and Budget hasn’t released the 2021 FISMA report to Congress, which typically comes out at the end of May.

To that end, USPTO will be among the first agencies to implement a Secure Access Service Edge (SASE) architecture.

Jamie Holcombe is the chief information officer (CIO) at the United States Patent and Trademark Office (USPTO). (Photo by Jay Premack/USPTO)

Jamie Holcombe, the chief information officer for USPTO, said SASE will accelerate USPTO’s journey to zero trust.

“I think it’s the first foundational piece of the zero trust architecture that we get to actually act upon. So with the executive order, and zero trust architecture, the fact is that it’s not one product, it’s more of a philosophy. I like SASE as that architectural philosophy to ensure that we can identify users and devices, and apply the policy-based security controls, delivering that secure access to the applications and ensuring that our data is secure,” Holcombe said in an interview with Federal News Network. “The fact that SASE addresses the architecture and that philosophy around that scope is providing us the first time that we can really concentrate on that architecture and the ability to actually go into it and use products, not just one product, but products in that philosophy for ensuring SASE and zero trust.”

SASE, one of the latest cyber buzzwords, attempts to converge multiple security technologies for web, cloud, data and threat protection into a single platform that protects users, data and applications both in the cloud and on-premises.

The move toward a SASE model will help eliminate perimeter-based tools and gives security operators a “single pane of glass” from which to ensure the safety of users, data and devices and to apply a consistent security policy.

USPTO awarded Netskope a contract that could be worth $4 million and last as long as 19 months to implement the SASE architecture.

Holcombe said by implementing the SASE architecture, USPTO will drive security to the edge instead of just the network.

“What we’re talking about is the identification of users, the identification of devices and all the things in between the OSI layers [where computers communicate with each other] to put them all together in a secure way,” he said. “Netskope’s product actually provides the ability for that architecture. But there’s a lot of other things that you need to plug and play in order to be that secure. So that’s what the edge means to me going out and securing not just one part but all the parts in an architecture.”

Risk scores driving decisions

Beau Hutto, the vice president of federal at Netskope, said this approach lets agencies apply what they know about users, devices and other factors like location to create a risk profile, and then apply it in a “least privileged” way.

“The user should have a risk score. The actual device should have a risk score. The data has a sensitivity score. So being able to bring a very basic layer all of that together and what access you give to that data because really the crown jewels is the data, it’s no longer the network,” Hutto said. “When you go to protect that data, you have to understand the context in which everything’s being accessed. That is truly where least privilege zero trust architectures come into play in a significant way.”
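One way to express the user, device and data scoring Hutto describes as a least-privilege access decision, added here as an illustration rather than Netskope's or USPTO's code; the score scales, tolerance thresholds, step-up margin and location penalty are all assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessContext:
    """Signals a SASE policy point sees for one access request (assumed scales)."""
    user_risk: int          # 0 (clean) .. 100 (likely compromised account)
    device_risk: int        # 0 (managed, patched) .. 100 (unknown, unmanaged)
    data_sensitivity: int   # 1 public .. 4 restricted (the "crown jewels")
    trusted_location: bool  # e.g. known network or expected geography


# Highest combined risk tolerated per sensitivity tier (assumed thresholds).
RISK_TOLERANCE = {1: 90, 2: 70, 3: 50, 4: 30}
STEP_UP_MARGIN = 20             # above tolerance but within margin: extra checks
UNTRUSTED_LOCATION_PENALTY = 15  # assumed penalty for an unexpected location


def decide(ctx: AccessContext) -> str:
    """Return 'allow', 'step_up' (re-authenticate or read-only) or 'deny'.

    Scoring is two-way: the worst of the user and device scores drives the
    decision, so a clean user on a risky device gets no more access than a
    risky user on a clean device. Least privilege comes from the tolerance
    shrinking as data sensitivity rises.
    """
    combined = max(ctx.user_risk, ctx.device_risk)
    if not ctx.trusted_location:
        combined += UNTRUSTED_LOCATION_PENALTY
    tolerance = RISK_TOLERANCE[ctx.data_sensitivity]
    if combined <= tolerance:
        return "allow"
    if combined <= tolerance + STEP_UP_MARGIN:
        return "step_up"
    return "deny"


def evaluate(requests):
    """Decide a batch of (label, context) pairs; returns (label, decision) pairs."""
    return [(label, decide(ctx)) for label, ctx in requests]


# Constructed sample requests, not real USPTO data.
SAMPLE_REQUESTS = [
    ("clean user, managed device, public data", AccessContext(10, 5, 1, True)),
    ("clean user, unmanaged device, restricted data", AccessContext(10, 60, 4, True)),
    ("clean user, managed device, restricted data, odd location", AccessContext(10, 20, 4, False)),
    ("flagged user, managed device, internal data", AccessContext(80, 5, 2, True)),
]

if __name__ == "__main__":
    for label, decision in evaluate(SAMPLE_REQUESTS):
        print(f"{decision:8} {label}")
```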

Through SASE, USPTO is putting the employee and the data at the center of the security effort. Holcombe said that if the agency can reduce a user’s ability to click a malicious link or give up their network credentials, its cyber posture will greatly improve.

“What I like about SASE is the fact that the machine-device control plane is in the realm of the user. I’m just doing a service and I don’t care what server it sits on. But when I create that cyber secure session, what I can do is ensure that machine-device control plane actually has the right risk profile and it’s a two-way scoring. It’s just as important for the user to be secure as the device is to be secure, and everything in between the application, the data and the network,” he said. “What I’m really trying to do is pull that scope, that surface area of the user, and bring it down into the technical, such that the user doesn’t have to care and that it’s more of a machine-device control plane. That’s the way we get our security done.”

Hutto added that creating that platform, or single pane of glass, breaks down the silos that have built up around security over the last few decades.

Accelerating the move to the cloud

Through SASE, USPTO, or any agency for that matter, will capture and analyze cyber information in a more standardized, scalable and agile way.

“We’ve had the opportunity to re-imagine how our security stack can look, should it be a security stack in the cloud or as-a-service? Where the first hit that your user makes is to the service and whether they go on-premise or back out to the cloud, it’s just in a very elegant, easy, very performant solution,” Hutto said.

Holcombe said it will take some time before USPTO fully implements a SASE architecture. He said he will start with the applications already in the cloud, about 17% of all applications the agency runs.

“We are staging for about the next 17% to 20%. So we’ll have around 35% to 40% of our applications in the cloud before the end of the year. That’s from almost 3% to 4% two years ago,” he said. “Some of the applications are not there. The ones that are going to be there are in the next 20% to 30%, we’re actually refactoring them with our product design teams. We’re actually including cybersecurity and testing, and doing the continuous integration and continuous deployment in these new applications. But there’s about 30% of our applications that will never go out in the cloud. They are just too old.”

Holcombe said the more USPTO puts applications and workloads in the cloud and uses DevSecOps to continually modernize them, the more it can take advantage of SASE.

“One of my design philosophies besides pushing security to the edge is also the fact that I will not deploy something until I know I can rip it out in three years. I want to replace any tool that I put in, because that is the speed in which these tools are being rejuvenated, and there’s better tools in three years,” he said. “If you design something that lasts anywhere from 5 to 10 years, you’re wrong. Design it to do what you needed to do in three years, and then look to other things to replace it. The return on investment needs to be within three years or don’t do it.”