With high-profile cyber attacks on federal assets and critical infrastructure on the rise, the US Federal Government has shifted to a proactive posture in confronting these threats. The Department of Homeland Security’s Transportation Security Administration (TSA) released new cybersecurity requirements for Critical Pipeline, following the Biden administration’s recently announced “Executive Order on Improving the Nation’s Cybersecurity,” which directs the US Federal Government to move towards a Zero Trust cybersecurity architecture. What does this mean, and will this make our data any safer?
A Top-Down Approach to Reforming Federal Cybersecurity
The May 12th executive order codified what had previously been a ‘best practice’ initiative between the federal government and Zero Trust security architecture. Before May 12th, each federal government agency had been responsible for setting its own cybersecurity policy, which in hindsight may not have been the best idea, given the numerous and serious breaches that have occurred in the recent past, most notably the SolarWinds breach and the OPM (Office of Personnel Management) hack.
Prior to 2021, at least three major government agencies—including the department of defense, the department of education, and the small business administration—had already adopted Zero Trust or were putting it on their agenda. This gave them definitive advantages. Despite being a user of SolarWinds Orion software, the Department of Defense reported that they remained unaffected by the SolarWinds breach.
By mandating that every government agency adopt Zero Trust architecture, the Biden administration is poised to greatly increase the security of data belonging to US citizens. What’s more, reading the executive order text reveals a deep and nuanced understanding of Zero Trust and what it entails.
What Does Zero Trust Look Like in a Government Context?
We went through the text of the May 12th executive order to figure out how the federal government will implement Zero Trust among its many agencies.
First, Zero Trust is among a holistic set of strategies, which also include securing cloud services, centralizing access to cybersecurity data, purchasing additional technology, and hiring new personnel. All of this is good—Zero Trust isn’t a single technology, so the government will need to invest in multiple new applications and staff who know how to use them.
Second, Zero Trust implementation will begin to take place rapidly. Government agencies must submit their plans to implement Zero Trust within 60 days of the executive order—by July 11th, in other words. These plans will conform to the government’s own migration steps, as laid down by the NIST, and will be reviewed by the president’s national security advisor.
The NIST guidelines on implementing Zero Trust are extensive and could probably form the basis of a future blog from Garland. It includes a detailed scope, several use-cases which illustrate the workings of Zero Trust, a map of high-level Zero Trust architecture, and more. Even if you’ve never heard of Zero Trust before, the NIST guidelines give you an excellent roadmap for understanding and implementing the architecture.
Lastly, the executive order gives a working definition of Zero Trust architecture itself:
“The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs.”
We couldn’t have put it better ourselves.
The executive order goes on to state that the Zero Trust security architecture is premised on the idea that a data breach is inevitable (if it hasn’t occurred already), introduces the concept of least privilege access, and identifies that Zero Trust must rely on granular controls. These are all excellent starting points for the creation of a Zero Trust network.
Ensuring Zero Trust Implementation Success
US history is littered with half-finished government projects, as one administration shifts focus from another. Will Zero Trust implementation succeed in helping secure federal networks?
For any new IT security project to succeed, three things need to happen:
- Establishment of common definitions
- A clear set of steps
- Strict deadlines
The executive order establishes all of these things, but there’s still a long road to travel. Government IT systems are legendarily underfunded, and in many cases obsolete. In 2015, 75% of the government’s $80 billion annual IT budget was devoted to hardware that should be at the end of life.
Government IT is older and it’s most likely from a variety of different vendors. This means that one of the big prerequisites of Zero Trust architecture—channeling information from multiple sources into a centralized location for continuous monitoring—is going to be that much harder to achieve. Either these agencies are going to have to rip and replace much of their pre-existing infrastructure, or they’re going to have to figure out better ways to integrate their security information.
Here at Garland Technology, we are a trusted visibility vendor for the US government and partner with many of the security tools they utilize. Implementing a Zero Trust visibility fabric starting with network TAPs, packet brokers and inline bypass gives government agencies the improved risk assessment, added asset visibility, reduced network complexity, and streamlined infrastructure upgrades they’ll need to build a true foundation for Zero Trust Architecture.
Looking to add TAP Visibility or traffic aggregation to your Zero Trust deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.
