USCIS's cyber culture redefined by Barney, prioritizing the user experience
USCIS Embraces Zero Trust Architecture, Achieves Significant Progress
The United States Citizenship and Immigration Services (USCIS) has been making strides in enhancing its cybersecurity measures, with a particular focus on implementing Zero Trust Architecture (ZTA). This approach emphasizes automation, continuous verification of identity and device posture, and alignment with end-user goals to prevent the creation of risky workarounds.
Shane Barney, the former Chief Information Security Officer (CISO) of USCIS, played a pivotal role in this transformation. He highlighted the importance of this shift, stating that the agency program offices fully funded his request for zero trust capabilities without his presence or defence, demonstrating a clear understanding of the value of security.
One of the key areas of focus for USCIS has been automating their security processes. This drive has led to the development of a Python script that scans the enterprise at lightning speeds, finding and automatically shutting off any public records that were not supposed to be public. This proactive approach to security has been instrumental in maintaining the confidentiality of sensitive data.
The USCIS has also been working on proper network segmentation as part of their zero trust progress. This segmentation aims to limit the spread of potential threats and enhance the agency's overall security posture.
In addition to network segmentation, USCIS has been fostering a threat hunt-based culture to make better decisions with better cyber threat intelligence. This culture shift has allowed the agency to be more proactive in identifying and addressing potential security threats.
Another important aspect of USCIS's zero trust strategy is the emphasis on proper transactional monitoring and controls. This focus ensures that the USCIS network remains secure, protecting against unauthorised access and potential data breaches.
In 2015, a USCIS developer made one of its Amazon Web Services storage buckets public, potentially exposing 500 million to 600 million records. However, during the time the data was public, no one accessed it, underscoring the effectiveness of USCIS's security measures.
Shane Barney served as the CISO for USCIS for almost seven years before leaving the agency in May 2023. He believes he is leaving USCIS in a good place in terms of their zero trust progress, having successfully changed the focus from managing risk to being intelligent about risk.
Barney is now the CISO for Keeper Security, where he continues to advocate for the importance of cybersecurity and the implementation of strategies like Zero Trust Architecture. His legacy at USCIS serves as a testament to the agency's commitment to protecting sensitive data and ensuring the security of its operations.
[1] Executive Order 14028: Ensuring Adequate COVID Safety Protocols for Federal Contractors [2] OMB Memorandum M-22-09: Improving the Nation's Cybersecurity [3] National Institute of Standards and Technology (NIST) Special Publication 800-207: Zero Trust Architecture [4] Federal Risk and Authorization Management Program (FedRAMP) Zero Trust Strategy [5] National Cybersecurity Center of Excellence (NCCoE) Zero Trust Implementation Guide
- The USCIS's implementation of Zero Trust Architecture (ZTA) reflects a strategic shift in their approach to financing, where they prioritize investment in data-and-cloud-computing technology and cybersecurity, to protect sensitive data, business operations, and the industry as a whole.
- Shane Barney's tenure at USCIS saw the evolution of their business culture, with a focus on cybersecurity, including the adoption of automation, proactive security measures, and threat hunting, which have become cornerstones of the technology industry's best practices.
- As the new Chief Information Security Officer (CISO) at Keeper Security, Barney continues to champion the finance, business, and technology implications of Zero Trust Architecture, aiming to foster a safer cybersecurity landscape across various industries.
