On May 12, 2021, the White House published an Executive Order (E.O.) on improving US cybersecurity. The third section of the directive, entitled “Modernizing Federal Government Cybersecurity,” highlighted Zero Trust security as a key element of this overhaul.
Specifically, the E.O. commanded the head of each Federal Civilian Executive Branch (FCEB) agency to “develop a plan to implement Zero Trust Architecture.” It also emphasized the importance of Zero Trust for cloud security, noting that “the migration to cloud technology shall adopt Zero Trust Architecture, as practicable.”
What exactly do we mean by Zero Trust?
Zero Trust requires a bit of reverse engineering to be fully understood. Its fundamental concept is that no entity should be trusted automatically. In addition, there are no binary decisions about whether an account or resource should be trusted or not on a permanent basis. Instead, there should be continuous validation and assessment of all active entities in your environment.
Context sits at the center of this methodology. Zero Trust is about giving context to identity validation. As such, organizations need consistent and continuous validation based on an identity’s context to uphold Zero Trust on an ongoing basis.
This framework ties into something that stood out to me in the Executive Order: the centrality of identity and access management (IAM), identity protection and encryption to the guidelines articulated by the federal government. Per the White House’s own recommendations, organizations need to treat identity protection and IAM as core elements of a strong Zero Trust security foundation.
Why is access management so important?
IAM is all about establishing digital identities and managing the lifecycles of those identities for access and auditing purposes. Once those identities are granted access, security teams still need to validate that the user accessing an application is who they claim to be and not an imposter. Authentication plays a key role in this validation process.
Access management and modern authentication facilitate the context-aware identity validation mentioned above. Using a variety of devices, your users access numerous applications delivered from the cloud, on premises, in virtual environments and more.
Therefore, your infosec teams need a smart way to validate identities for users working across multiple applications — one that doesn’t overburden them by forcing them to authenticate every user every time.
With IAM and access management, security teams can enforce authentication and enable Single Sign-On (SSO). Those controls balance an optimal user experience with robust, innovative security.
Where will these security initiatives go?
Because of the new, tangible federal guidelines around building a Zero Trust environment, I anticipate that many FCEB agencies will now be more proactive with their own Zero Trust programs, as they have a more solid idea of what to do next.
And I doubt this will happen only in the government. There will be a ripple effect into different sectors, a phenomenon we tend to see in all things regulatory. Salesforce, for example, will require customers to log in to its platforms using Multi-Factor Authentication (MFA) beginning on February 1, 2022.
One key factor to note is that the National Institute of Standards and Technology (NIST) will continue to be involved in developing Zero Trust architecture guidelines. All government entities turn to the NIST cybersecurity framework for crafting their security programs, but so do many organizations in the private sector. While those organizations are not mandated to follow NIST requirements to the letter, they can adapt them to their IT environment as they see fit.
With that said, I anticipate the E.O. guidelines will ultimately be picked up across all industries. This will lead to an alignment of industry-specific best practices and compliance requirements in the years to come.
This is all good news, as it will lead to greater standardization of security practices across industries. It will also help to motivate less tightly regulated industries to be more proactive and effective about implementing access security.
How can I uphold the E.O.?
The six-month timeline to implement the recommendations contained in the E.O. is a tight turnaround that requires a pragmatic, feasible approach.
It isn’t practical to rip and replace existing technologies; instead, you’ll need to build on and augment what you already have in place with strategic improvements. And the best way you can shore up your security is to rely on cloud-based services and make sure those services integrate smoothly and flexibly into your existing environment.
That being said, there’s no need to feel intimidated by the E.O. It’s a blessing in disguise, as no organization wants to wake up and find out that they’ve been breached.