On May 12, 2021, President Joe Biden signed Executive Order 14028 to improve the nation’s cybersecurity and protect federal government networks. What’s promising about the order is that, across its eleven sections, the term “zero trust” appears a total of 11 times. The direction is sound, but federal agencies are still grappling with both what zero trust is and how to implement it across their organizations within the terms of the order.
It’s absolutely critical that, despite the requirements and timelines laid out in the order, federal agencies avoid the temptation to “ready, fire, aim” and instead settle on both a short- and a long-term strategy for effective zero trust adoption. Between lengthy procurement processes, cultural complacency and political inertia, the government typically does not adopt new technology quickly. As a result, many federal organizations are operating on legacy technology, which means they are not as secure as they could be and not prepared to implement zero trust.
Legacy Hardware Equals Vulnerable Systems
The first, and arguably the biggest, challenge to effective zero trust adoption is accepting that “legacy” may as well be synonymous with “vulnerable”: the solutions put in place in years past were not built for today’s environment, and their design was not based on the core principles of zero trust.
Even tooling purchased in recent years will likely fail to meet the requirements of a true zero trust security model, primarily because those tools were designed with a known perimeter in mind. Their primary job was to keep sensitive data inside the perimeter and to prevent adversaries from breaching it. Zero trust starts from the opposite assumption: the network is treated as already hostile, and every request is authenticated and authorized on its own merits regardless of where it originates.
Today’s environments, by contrast, are perimeter-less: users, resources and data are widely distributed, which makes the traditional castle-and-moat approach to security largely ineffective.
Requirements Lose Relevance Over Time
A federal organization may assemble comprehensive technical requirements, but just as the product selected against those requirements ages, so does the relevance of the requirements themselves. If a security requirement was written when an agency ran its own on-premises data centers and servers, but the agency has since moved all or part of its data and services to the cloud, that requirement no longer fits and needs to be rewritten before it drives another purchase.
Conversely, requirements specific to zero trust may be written such that federal organizations are expected to rapidly implement an extremely robust and mature solution, which is not just difficult but unrealistic. A mature implementation takes time, especially for large government organizations.
Not All Tools Are Created Equal
Once federal organizations have resolved to retire their legacy tech and revamp their requirements, the next challenge is identifying the replacement platform and determining how to incorporate it into the agency’s overall architecture strategy. A number of tools on the market today describe themselves as zero trust solutions, so it’s essential to evaluate not just the vendor’s overall perspective on zero trust principles but also its ability to deliver a platform that applies those principles in a layered approach that is cloud-smart and data-centric. An effective implementation gives those responsible for securing the agency the ability to make informed security decisions rapidly and with confidence.
With those challenges in mind, there are a few recommendations that can help federal organizations adopt zero trust in a more rapid and effective manner:
Influence the Way Forward
The Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency are currently seeking public feedback on guidance documents intended to move federal agencies towards zero trust. There’s no one-size-fits-all approach or solution, so it’s critical that these guidance documents are crafted with input from a myriad of federal organizations.
Keep Your Focus on Risk
It can be easy to get distracted by all the activities involved in a shift to zero trust, so those responsible for implementation, and for agency security overall, must not lose sight of agency risk. If you lose the ability to identify, measure, understand and act on the risks facing your agency, then you are not only failing to adopt zero trust principles effectively, you are less secure than when you began.
To that end, identify and engage a consolidated security architecture group. These individuals may not be security engineers, but they understand risk within your organization, can correlate risks and events, and can assess changes in risk over time based on internal and external factors, decisions and events. Engaging them early and often will keep the focus on risk while moving through the phases of zero trust adoption.
Leverage Ongoing Initiatives
Launching zero trust as a standalone project requires dedicated time, funding and resources. Parts of an effective zero trust implementation will require each of those, but there are often other initiatives already under way within an organization that can accomplish portions of an overall adoption plan. Beyond gaining resources that have already been identified and allocated, projects already in flight likely have a proven connection to business and mission objectives, and their value is already recognized across the organization. Leverage that success and momentum to decrease the time to value for zero trust adoption; after all, a positive cultural association with the change is just as important as the technical one.
Participation Isn’t Optional
OMB has outlined security maturity levels, and agencies have 60 days to identify critical software and a year to implement enhanced security measures. Agencies will have to balance meeting those deadlines with demonstrable progress against setting a fine-tuned strategy that fits their nuanced networking and security needs. Some agencies, for example, may have a higher percentage of remote workers, others may use more cloud apps, and others may handle a higher volume of sensitive or classified data; these are just a few of the variables that must factor into an adoption strategy. While the details of the guidance are still somewhat uncertain, one thing is beyond doubt: zero trust adoption is real, and it’s no longer optional.
Mark Mitchell is principal at PJ Cook LLC.