Government Moves to Implement Comprehensive Zero Trust Security
The federal government is taking concrete steps to implement zero trust across major agencies following last year’s cybersecurity executive order.
Speaking at the GovCIO Media & Research Cyberscape: ID forum, OMB Senior Advisor on Technology and Cybersecurity to the Federal CIO Eric Mill outlined the steps agencies have taken to protect against an evolving threat environment.
At its core, zero trust involves moving beyond a network perimeter-based approach to data protection and placing greater focus on user credentialing and authentication, either to stop unwanted access or to diminish its reach and severity.
Mill noted this requires anticipating that some form of network breach is potentially inevitable, and designing your approach to security around staunching the harm from malicious actors.
“What we lay out in the strategy is taking seriously this concept of least privilege, of untrusted networks, and of just fundamentally assuming compromise at some level. Assuming that pieces of your organization, your network, your devices, your applications, any piece of them could be compromised and designing your enterprise architecture to expect that,” Mill said.
While the executive order emphasizes these kinds of baseline standards, it has also left considerable room for agencies to build their own cybersecurity strategy that reflects their own IT systems and access concerns.
“We do have a number of mandatory requirements in this … but it leaves a lot of flexibility within that as agencies undergo enterprise architecture reform to decide how they’re going to meet some of those things, and ultimately how they’re going to structure their enterprise,” Mill said.
Mill explained that the executive order, and the federal government’s subsequent move towards embracing zero trust, was a response to recent large-scale network breaches that revealed the flaws of America’s public sector cybersecurity.
“A number of the things that led to this were in the news pretty widely. The cybersecurity Executive Order followed in short order from the Colonial Pipeline attack, and before that, the SolarWinds attack,” Mill said.
The core lesson of these attacks for policymakers and agency technologists is that not all breaches can be predicted or fully stopped, and that putting forms of security in place beyond the network periphery will block malicious actors from using this unwanted access to push into adjacent networks, as occurred during the SolarWinds incident.
“We won’t predict all of these attacks in advance. What it means to protect from an advanced supply chain attack as we saw with SolarWinds involves protecting one of your network boxes from being popped and then using that to rummage around other things that are inside your organization,” Mill said.
Agencies have instead moved towards an identity-based approach to cybersecurity, particularly as a means of limiting the harm of a network breach.
“The identity pillar is the first pillar in our strategy. It’s sort of the first among equals because it is the foundation of much of what you can do. Some people describe zero trust as moving your new boundary to identity instead of your network router or your perimeter,” Mill said.
Going forward, Mill recommended federal agencies examine other potential vulnerabilities, including the potential access points in applications that are used across disparate organizations.
“Analyzing application vulnerabilities is going to be very critical for authentication systems, and I think is probably one of the places where folks are going to focus the most effort,” Mill said.