The COVID-19 pandemic forced enterprises to quickly adapt digital transformation initiatives to provide employees with additional remote working capabilities. However, in this process, security initiatives may have lagged for organizations in different sectors and industries – specifically agencies and departments in the federal space. That lag between industries and the private and federal sectors is likely to disappear soon. In mid-May, President Biden signed an executive order pointing out that “[outdated] security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model.”
While this executive order is only a few months old, talk of zero trust has been around for years. In August of 2020, the National Institute of Standards and Technology (NIST) released its “Zero Trust Architecture” publication, NIST SP 800-207, which explains how agencies can use zero trust architecture to comply with federal requirements.
President Biden’s executive order gave federal agencies 60 days to create a plan for implementing zero trust. However, as this deadline approaches, many federal government workers may wonder what zero trust entails and how its precepts help agencies remain secure. Luckily, zero trust isn’t uncharted territory. The private sector has already taken significant strides toward zero trust — and federal agencies can follow its example as security leaders navigate their path to zero trust adoption.
The basics of zero trust
Practicing zero trust is not just about implementing new technology. It goes far beyond that. It requires a whole new security mindset, strategy and architecture to be successful. In the zero trust model, every user, application and device gets treated as untrusted and given only the amount of access needed to complete a job at the right time.
With zero trust, there must be a shift away from blind dependence on network security. Instead, security professionals should focus on verifying the identities within an organization — and figuring out how to secure those users, assets and resources with the help of network security tools.
Zero trust does away with the legacy perimeter defense model, in which administrators dole out standing privileges to users based on their job and whatever its requirements were at one time, granting additional access on request as needed. This model worked reasonably well in a world where network entry points were limited and entitlements (aka access rights) were much more static. But that time is long gone. Today, the average employee connects to multiple networks using several devices, whether remotely or via the cloud. Entitlements, too, are much more dynamic as a result.
How the public sector should adopt a zero trust framework
Companies in the public sector were quick to adopt a cloud-first approach to business, long before remote work mandates made it necessary. While a cloud-first environment has its benefits, such as driving new competitive strategies and providing enhanced customer experiences, the proliferation of cloud-based Software-as-a-Service (SaaS) solutions has drastically changed an organization's security perimeter. To meet the challenges of this new security perimeter, many in the private sector have adopted a zero trust network architecture with identity and “zero standing privilege” at the center.
If your agency wants to follow suit, here are three ways you can make the shift:
1. Adopt zero standing privilege (and just-in-time provisioning)
In a cloud-first business, security is now intrinsically linked to identity. To protect the organization, one must follow, manage and track the identity and its access. An organization can no longer assume access and should instead adopt the practice of “zero standing privilege.” This means that the default state for all accounts is no access. The entitlement, which is created through just-in-time provisioning or elevating an existing privilege, only exists for the duration of the activity.
Those seeking access must first prove their identity. Then the user gets “just-enough access” to do a particular task. Finally, access is limited by time. When a task gets completed, the privileges disappear.
So how does anything ever get done? Organizations that leverage automation — through the use of AI and machine learning techniques — and follow the “zero standing privilege” rule can ensure that access requests are examined based on users' type, location, use patterns and other data. By automating this process and looking at access requests in this way, organizations can create more efficient and effective risk-based decision-making. In turn, this process lowers the chance that internal users will gain unauthorized access to sensitive data — or that bad actors will use credentials that should have expired to breach your defenses.
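The three properties described above (prove identity first, grant just enough access, and let the grant expire with the task) can be made concrete as a small just-in-time privilege broker. The following is an added example written for this page, not code from any vendor or from NIST SP 800-207; the role policy, the trusted location, the risk thresholds, the user names and the `payroll-db` resource are all constructed for illustration, and the clock is passed in as a plain number so the expiry behaviour can be exercised without waiting.

```python
"""Toy just-in-time (JIT) privilege broker illustrating zero standing privilege.

Every account starts with no entitlements. An entitlement is created only when a
verified identity requests a specific action on a specific resource; it carries
an expiry and is removed when the task completes or the clock passes the expiry.
A simple risk score (constructed for this example) stands in for the automated,
risk-based decision described in the text.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Entitlement:
    resource: str
    action: str
    expires_at: float  # epoch seconds; the caller supplies the clock

@dataclass
class AccessRequest:
    user: str
    resource: str
    action: str
    mfa_verified: bool  # has the requester proven their identity?
    location: str
    duration_s: int     # how long the task is expected to take

# Constructed policy: which (resource, action) pairs a role may request at all.
ROLE_POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "dba": {("payroll-db", "read"), ("payroll-db", "write")},
    "analyst": {("payroll-db", "read")},
}

class JitBroker:
    def __init__(self, roles: Dict[str, str], trusted_locations: Set[str], max_duration_s: int = 3600):
        self.roles = roles
        self.trusted_locations = trusted_locations
        self.max_duration_s = max_duration_s
        self._grants: Dict[str, List[Entitlement]] = {}  # empty: default state is no access
        self.audit: List[Tuple[str, str]] = []

    def risk_score(self, req: AccessRequest) -> int:
        """Constructed scoring: untrusted location and write actions raise the score."""
        score = 0
        if req.location not in self.trusted_locations:
            score += 40
        if req.action == "write":
            score += 30
        return score

    def request_access(self, req: AccessRequest, now: float) -> Optional[Entitlement]:
        # 1. Prove identity before anything else is considered.
        if not req.mfa_verified:
            self.audit.append((req.user, "denied: identity not verified"))
            return None
        # 2. Just-enough access: the role must permit this exact resource/action.
        role = self.roles.get(req.user)
        if role is None or (req.resource, req.action) not in ROLE_POLICY.get(role, set()):
            self.audit.append((req.user, "denied: not in role policy"))
            return None
        # 3. Risk-based decision on type, location and action.
        score = self.risk_score(req)
        if score >= 50:
            self.audit.append((req.user, f"denied: risk score {score}"))
            return None
        # 4. Time-limited grant, capped by policy.
        ttl = min(req.duration_s, self.max_duration_s)
        ent = Entitlement(req.resource, req.action, now + ttl)
        self._grants.setdefault(req.user, []).append(ent)
        self.audit.append((req.user, f"granted {req.action} on {req.resource} for {ttl}s"))
        return ent

    def is_allowed(self, user: str, resource: str, action: str, now: float) -> bool:
        """Purge expired grants, then check whether a live grant covers the action."""
        live = [e for e in self._grants.get(user, []) if e.expires_at > now]
        self._grants[user] = live
        return any(e.resource == resource and e.action == action for e in live)

    def complete_task(self, user: str, ent: Entitlement) -> None:
        """Revoke the entitlement as soon as the task is done, before it expires."""
        self._grants[user] = [e for e in self._grants.get(user, []) if e != ent]
        self.audit.append((user, f"revoked {ent.action} on {ent.resource}"))

def demo() -> Dict[str, object]:
    """Walk through the lifecycle with constructed users and a constructed clock."""
    broker = JitBroker(roles={"alice": "dba", "bob": "analyst"}, trusted_locations={"hq"})
    t0 = 1_000.0
    out: Dict[str, object] = {}
    out["default_denied"] = broker.is_allowed("alice", "payroll-db", "read", t0)
    ent = broker.request_access(AccessRequest("alice", "payroll-db", "read", True, "hq", 600), t0)
    out["granted"] = ent is not None
    out["allowed_during"] = broker.is_allowed("alice", "payroll-db", "read", t0 + 1)
    out["allowed_after_expiry"] = broker.is_allowed("alice", "payroll-db", "read", t0 + 601)
    ent2 = broker.request_access(AccessRequest("alice", "payroll-db", "read", True, "hq", 600), t0 + 700)
    broker.complete_task("alice", ent2)
    out["allowed_after_completion"] = broker.is_allowed("alice", "payroll-db", "read", t0 + 701)
    out["outside_role"] = broker.request_access(AccessRequest("bob", "payroll-db", "write", True, "hq", 600), t0) is None
    out["risky_denied"] = broker.request_access(AccessRequest("alice", "payroll-db", "write", True, "cafe", 600), t0) is None
    out["no_mfa_denied"] = broker.request_access(AccessRequest("alice", "payroll-db", "read", False, "hq", 600), t0) is None
    out["audit_entries"] = len(broker.audit)
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is that `is_allowed` never consults a role table directly: a role only determines what may be requested, and the grant itself is the only thing that confers access, so a user with a legitimate role but no live grant is indistinguishable from a user with a stolen credential and no live grant. The audit list gives the detection side something to work with, since every deny reason is recorded with the requester.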
2. Ditch the VPN
As we’ve seen in the past, hackers see VPNs as a valuable vector for insider attacks or attacks involving compromised credentials. However, since a zero trust mindset assumes that everyone trying to gain access is untrustworthy, VPNs are no longer necessary with the emergence of Zero Trust Network Access (ZTNA) technology.
Ditching the VPN has allowed enterprises to enable remote access to apps, data and infrastructure anywhere, anytime, from any user device via the internet. Additionally, it removes the implicit trust that many cyberattackers exploit. This has been extremely beneficial for those private organizations that quickly moved to remote work at the beginning of the COVID-19 pandemic. By replacing VPNs with privileged access management (PAM), identity governance, multi-factor authentication (MFA) and ZTNA, security teams gain adaptive, precise access control that better secures the remote workforce.
3. Protect essential assets in the cloud
For years, organizations in the public sector have adopted cloud-first models of security that allow them to embrace zero trust and shift to an identity-based security posture. Federal organizations should take a page from this playbook, especially since a cloud-first security model provides the agility needed for continuous innovation and real-time security improvements.
The federal government supports this transition to a cloud-first security posture — the Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessments and ensures that cloud suppliers’ products are secure enough for government use. Since its launch in 2011, FedRAMP has approved hundreds of companies, with dozens more in the pipeline. By choosing a technology partner that is FedRAMP-certified, a federal organization can be confident that the vendor meets the highest standards in security. Typically, these FedRAMP-certified vendors have risk management controls throughout the supply chain and use a zero trust architecture to identify valuable cloud assets — such as critical apps that process sensitive data — and secure every interaction.
Achieving compliance with zero trust
Biden’s executive order and the NIST 800-207 zero trust guidelines are just two of the recent moves toward improving cyber resilience. Since zero trust relies upon least privilege as its foundation, adopting this mindset across an enterprise's security posture helps to meet other compliance mandates that require it. These mandates include the Cybersecurity Maturity Model Certification (CMMC), a cybersecurity standard for suppliers in the defense industry. Zero trust and zero standing privilege will also help agencies comply with the least privilege requirements of the Federal Information Security Modernization Act (FISMA) of 2014 and NIST 800-53, “Security and Privacy Controls for Information Systems and Organizations.”
No doubt, compliance will remain a moving target, with new regulations and rules and best practices to follow at the federal, state and local levels. Luckily, establishing an identity and access management (IAM) framework as a core component to your zero trust strategy will go a long way toward strengthening the security posture and meeting compliance requirements.