Several years into the drive for zero trust cybersecurity, the government has a long way to go. But zero trust is helping agencies modernize too.

Sean Phuphanich, a principal technologist at AWS, put it this way: “The push for zero trust has gotten stronger. But at the same time, I see agencies dealing with a lot of different challenges.”

Many of the challenges stem simply from the “immense breadth of government — all the different teams, all the different departments, the technical debt,” Phuphanich said during Federal News Network’s Accelerate Together: Zero Trust 2025.

Defining the cyber building blocks of modernization

While no one has found a one-size-fits-all solution to zero trust, agencies have active projects to validate solutions. Phuphanich cited 18 pilot projects going on at the Department of Defense leading to implementation of multiple zero trust solutions.

However, moving from pilots to protecting the entire agency presents different challenges. “Then you have to be able to scale across hundreds of teams, thousands of workloads,” he said. “That’s really where a lot of the stumbling blocks come into play because then you’re dealing with a lot of different teams, different environments, different tools.” A pilot that doesn’t factor in scaling from the beginning is less likely to succeed.

Addressing another aspect of complexity, Phuphanich contrasted the heterogeneous, multi-generational infrastructure that agencies have built up over time with the relative simplicity that cloud environments can bring to a zero trust implementation.

“The cloud was originally built as this on-demand resource,” he said. “It’s very consistent. It’s built off of application programming interfaces and services, so you don’t get all this diversity that you get when you’re managing data centers across 5,000 locations.”

The cloud approach, by offering a consistent set of APIs, eases development, testing and run-time deployment of applications, along with the associated security controls. Phuphanich contrasted that with what he called the inefficient expansion of hardware and the “bottlenecking” that legacy hardware causes in on-premises data centers.

“Cloud lets you bypass a lot of the constraints you would typically have on premises,” he said.

Cloud as federal cybersecurity enabler

Under a shared responsibility model, AWS provides security of the cloud while customers are responsible for security in the cloud. AWS also offers services authorized for FedRAMP and allows agencies to deploy additional tools to protect their own workloads.

“Security in the cloud — monitoring your environments, setting up your identity, protecting your devices — all of that is going to be the responsibility of the customer,” he said. But deploying cybersecurity tools for functions like identity and access management and security information and event management (SIEM) is easier in the cloud than on premises, Phuphanich added.

“You’re not having to manage a lot of extra infrastructure,” he said, “and you have a lot of additional things, like infrastructure as code, that make it something that’s very easy to repeat across a number of different workloads and environments.”

There are still challenges customers will experience with any environment. AWS is eager to help the government and other large organizations solve these challenges, Phuphanich said. That pursuit has led AWS to establish partnerships with a range of software vendors “to basically address all of the different pillars of the DoD zero trust framework as well as the Zero Trust Maturity Model when we’re talking about federal civilian agencies.”

Zero trust architecture, Phuphanich pointed out, has many familiar security elements such as SIEM; security orchestration, automation and response (SOAR); multifactor authentication (MFA) and federated identity management. “We looked at how we as AWS could serve those functions,” Phuphanich said. “And then we also looked at how the partners that operate on AWS serve those functions.”

A critical element was ensuring that collectively, AWS and its partners could offer agencies more than something that merely checked the box on the requirement, he said. “Can we also provide the best capability in terms of leading to stronger security outcomes for customers?”

Security partners offer a key advantage because their tools work both on premises and in the cloud, Phuphanich explained. This flexibility creates economies of scale in training, deployment and maintenance, since partners can serve more customers across different environments. The larger adoption footprint also gives federal agencies more leverage on pricing. A consistent toolset across a hybrid environment lets one security team support both sides and eases the migration path to cloud.

Cloud accelerates security modernization with zero trust

Cloud use can accelerate general modernization efforts with managed services and on-demand resources. Add cybersecurity services and partnerships, and agencies can advance zero trust as a critical part of that security modernization.

“Zero trust in itself is a security modernization,” Phuphanich said. “As you look to modernize, what are your objectives? You want to be more secure. You want to be more resilient. You want to improve efficiency and performance.”

That’s why, he added, “looking at zero trust at the same time as modernization becomes really important.”

To help agencies, AWS launched Zero Trust Accelerator for Government (ZTAG), a program that supports zero trust adoption across the entire project lifecycle. ZTAG offers education about the value of zero trust, rapid assessments that identify gaps in existing environments, architecture guidance, demonstrations and resources including funding support. ZTAG can also match agencies with zero trust implementation partners.

AWS started a zero trust lab to test zero trust architectures that align with government security and zero trust requirements. Some benefits from the zero trust lab were the validation of partner cybersecurity products, not just in isolation but as part of a holistic zero trust architecture, and recorded demos of how the entire system enhances protection against threats that are a common issue for agencies today.

For example, when agencies modernize their applications for cloud migration, they often need to move from an existing FISMA-based authorization to a higher baseline such as DoD Cloud Computing SRG Impact Level 5 (IL5) or FedRAMP High. The AWS zero trust lab has focused on testing options that support these government-required authorizations and that can scale either as SaaS offerings or through infrastructure as code.

AWS also co-founded the Open Cybersecurity Schema Framework, a collaborative effort involving 15+ security and technology companies to make cybersecurity products more interoperable. OCSF “basically standardizes the security data schema across more than 200 of our partners,” he said. This initiative aims to simplify the integration and analysis of security data across various tools and platforms.

“For example, your identity layer and tools will be able to transmit information that your other layers will be able to understand.” This capability means the analytics layer viewed by security operations will tie together identity, device, network and applications data in a way that makes the information actionable.
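As an added illustration of what a shared schema buys the analytics layer, and not code from AWS, OCSF or the article: the Python below takes two constructed raw feeds that agree on nothing except a client IP address (an identity provider's JSON logon events and a firewall's syslog lines), normalizes both into OCSF-style records, and then attributes each network flow to the user whose successful logon came from the same source address inside a time window. The class and enum identifiers (class_uid 3002 and 4001, status_id, action_id, activity_id) are my reading of the public OCSF schema and should be treated as assumptions to verify against schema.ocsf.io; the sample events, hostnames, users and product names are constructed.

```python
"""Added example (not AWS's or OCSF's code): normalize two constructed raw
feeds into OCSF-style records and correlate them on a shared field."""
import json
import re
from datetime import datetime, timezone

# Constructed sample input. The identity provider emits JSON, the firewall emits
# a syslog-style line. They share no field names, only the client IP address.
IDP_EVENTS = [
    '{"evt":"LOGIN_OK","user":"jdoe@agency.example","ip":"10.20.30.40","ts":"2025-03-01T14:02:11Z","mfa":true}',
    '{"evt":"LOGIN_FAIL","user":"asmith@agency.example","ip":"10.20.30.41","ts":"2025-03-01T14:02:20Z","mfa":false}',
]
FW_EVENTS = [
    "Mar  1 14:02:15 fw01 allow src=10.20.30.40 dst=172.16.5.9 dport=443 proto=tcp",
    "Mar  1 14:02:25 fw01 allow src=10.20.30.41 dst=172.16.5.9 dport=443 proto=tcp",
    "Mar  1 14:20:00 fw01 deny src=10.20.30.40 dst=172.16.5.10 dport=22 proto=tcp",
]

# OCSF identifiers as I read the published schema (assumption; verify at schema.ocsf.io).
AUTHENTICATION = 3002      # class_uid, category 3 (Identity & Access Management)
NETWORK_ACTIVITY = 4001    # class_uid, category 4 (Network Activity)
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
ACTION_ALLOWED, ACTION_DENIED = 1, 2
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def normalize_idp(raw):
    """Map a constructed IdP JSON event onto OCSF Authentication (3002) fields."""
    ev = json.loads(raw)
    ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return {
        "class_uid": AUTHENTICATION,
        "category_uid": 3,
        "activity_id": 1,                      # 1 = Logon
        "time": int(ts.timestamp() * 1000),    # OCSF time is epoch milliseconds
        "status_id": STATUS_SUCCESS if ev["evt"] == "LOGIN_OK" else STATUS_FAILURE,
        "is_mfa": bool(ev.get("mfa")),
        "actor": {"user": {"name": ev["user"]}},
        "src_endpoint": {"ip": ev["ip"]},
        "metadata": {"product": {"name": "constructed-idp"}},
    }


FW_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<action>allow|deny) (?P<kv>.*)$")


def normalize_fw(raw, year=2025):
    """Map a constructed syslog firewall line onto OCSF Network Activity (4001)
    fields. Syslog lines carry no year, so the caller supplies it."""
    m = FW_RE.match(raw)
    if not m:
        raise ValueError(f"unparseable firewall line: {raw!r}")
    kv = dict(p.split("=", 1) for p in m["kv"].split())
    h, mi, s = (int(x) for x in m["hms"].split(":"))
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s, tzinfo=timezone.utc)
    return {
        "class_uid": NETWORK_ACTIVITY,
        "category_uid": 4,
        "activity_id": 6,                      # 6 = Traffic (assumption)
        "time": int(ts.timestamp() * 1000),
        "action_id": ACTION_ALLOWED if m["action"] == "allow" else ACTION_DENIED,
        "src_endpoint": {"ip": kv["src"]},
        "dst_endpoint": {"ip": kv["dst"], "port": int(kv["dport"])},
        "connection_info": {"protocol_name": kv["proto"]},
        "device": {"hostname": m["host"]},
        "metadata": {"product": {"name": "constructed-firewall"}},
    }


def attribute_network_events(events, window_ms=15 * 60 * 1000):
    """Attach the actor from the most recent successful Authentication event
    seen from the same source IP within window_ms to each Network Activity event.
    Flows with no qualifying logon keep actor=None rather than a guessed user."""
    logons = sorted((e for e in events if e["class_uid"] == AUTHENTICATION
                     and e["status_id"] == STATUS_SUCCESS), key=lambda e: e["time"])
    out = []
    for net in sorted((e for e in events if e["class_uid"] == NETWORK_ACTIVITY),
                      key=lambda e: e["time"]):
        match = None
        for lg in logons:
            if lg["src_endpoint"]["ip"] != net["src_endpoint"]["ip"]:
                continue
            if lg["time"] <= net["time"] <= lg["time"] + window_ms:
                match = lg                     # keep going: the latest logon wins
        out.append({**net, "actor": match["actor"] if match else None})
    return out


def build_timeline():
    """Normalize every constructed event, then attribute network traffic to users."""
    events = [normalize_idp(r) for r in IDP_EVENTS] + [normalize_fw(r) for r in FW_EVENTS]
    return attribute_network_events(events)


if __name__ == "__main__":
    for e in build_timeline():
        who = e["actor"]["user"]["name"] if e["actor"] else "<unattributed>"
        print(e["time"], e["src_endpoint"]["ip"], "->", e["dst_endpoint"]["ip"],
              e["dst_endpoint"]["port"],
              "allowed" if e["action_id"] == ACTION_ALLOWED else "denied", who)
```

The point of the exercise is in the last function: once both feeds use the same names for time, source address and user, the join is a few lines and the analytics layer never has to know which vendor produced which record. The two deliberately unattributed flows show why the join should be conservative: the failed logon from 10.20.30.41 must not be promoted to an identity, and the denied SSH attempt from 10.20.30.40 falls outside the window, so it stays unattributed instead of being pinned on a user whose session may have ended.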

Customers will “be able to achieve their security outcomes faster and easier because they’re spending less time trying to mix and match data and integrate partners,” Phuphanich said. A prescriptive approach with cooperating partners leads to more consistency and coherence across the whole system, he added. Coherence of information is an important factor in improving detection and response, not just of external threats but internal threats as well.

Agencies that use identity consistently as a foundation for their security among all the parts of their architecture will be able to implement zero trust more effectively, Phuphanich said. “Once you achieve it, it goes a long way in helping you actually protect your organization.”

Discover more articles and videos now on Federal News Network’s Accelerate Together: Zero Trust 2025 event page.

Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.