Understanding Zero Trust in the Cyber Executive Order for Federal Agencies
Like many before him, President Biden seems to recognize that a crisis presents both danger and opportunity. Facing a barrage of high-profile cyberattacks, the President’s recent Cybersecurity Executive Order also illustrates the profound opportunity in front of his administration to improve the Federal government’s cybersecurity posture by an order of magnitude.
Exploits such as SolarWinds and the DarkSide ransomware attack on the Colonial Pipeline have disrupted national critical infrastructure and put the privacy and safety of millions of individuals at risk. These attacks and others like them also encourage cyber criminals to step up their efforts given the apparent ease with which these targets can be attacked in the name of espionage and profits. Security is no longer keeping up.
The White House’s Cybersecurity EO is therefore refreshing, both in the rigor with which short-term deadlines are imposed, and the clarity with which some clear-cut plans of action are described. Looking more broadly, the order highlights many specific areas of interest, not only for Federal government security, but also for how we should be thinking about security and network architecture everywhere –for every business and government agency, at every level.
Effective Zero Trust Approach Must be Data-Centric, Cloud-Smart
At the highest level, the Executive Order emphasizes that Federal agencies must migrate to cloud services and Zero Trust security concepts.
“To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must … [increase} the Federal Government’s visibility into threats, while protecting privacy and civil liberties,” the order says. “The Federal Government must … advance toward Zero Trust Architecture; accelerate movement to secure cloud services… centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”
The order also makes it clear there is no time to waste. Agency heads are required to develop plans to implement Zero Trust Architecture within 60 days of the order, and then report on their progress. This is powerful, especially because it insists that Zero Trust principles be applied as part of a security architecture – exactly as our most secure business customers worldwide are already doing.
Judiciously applying Zero Trust also means we must go beyond merely controlling who has access to information, and move toward continuous, real-time access and policy controls that adapt on an ongoing basis based on a number of factors, including the users themselves, the devices they’re operating, the apps they’re accessing, the threats that are present, and the context with which they’re attempting to access data. And that must all be done in a world where users access data from where they are – working from anywhere to stay productive.
Despite the nascent popularity of the term Zero Trust, the big miss on many Zero Trust security initiatives is that they aren’t focused on data protection. Data protection is ultimately about context. By monitoring traffic between users and applications, including application programming interface (API) traffic, we can exert granular control. We can both allow and prevent data access based on a deep understanding of who the user is, what they are trying to do, and why they are trying to do it.
This data-centric approach is the only effective way to manage risk across a mix of third-party applications and a remote-heavy workforce that needs always-on access to cloud apps and data to stay productive. The Executive Order says Federal managers must deal with threats that exist both inside and outside traditional network boundaries. Yesterday’s security and network technologies won’t even start to address the threats created by these trends.
My company is in the cloud security business, focused on protecting data using the real-time context of how that data is being accessed and who is accessing it. The Executive Order provides admirable attention to cloud security concerns, which are what we’re discussing with our customers – some of the biggest and best-known organizations in the world. Importantly, the order also discusses cloud security issues as current issues; no longer is the need to secure cloud infrastructure something seen as “off in the distance.”
And I should commend some Federal CIOs – representing Commerce, the U.S. Patent and Trademark Office, and the Defense Department – who joined us this week at our headquarters in San Jose to explore commercial best practices and emerging SaaS-based cybersecurity technologies that help expedite cloud adoption. Our roundtable discussion allowed community leaders and cybersecurity vendors to hear from Federal CIOs about the pain points of the order and the specific challenges they’re facing across their agencies, and it provided agency leadership with the opportunity to witness firsthand the power behind a true security platform and the value of integration across vendors. I strongly believe this type of continued partnership across public and private sectors will be critical for agencies to successfully and effectively adopt Zero Trust and meet the requirements of the order.
The question now is what the rest of us can do to help the agencies realize and implement the more secure systems that our national security demands. There’s work to do for Congress, for companies like mine, and for states and localities all across the country.
Congress must do at least three things: 1) provide oversight to ensure that agencies follow through; 2) provide robust funding to strengthen and enlarge the Federal cyber workforce; and 3) work with stakeholders to modernize contract language that will identify the nature of cyber incidents that require reporting, the types of information regarding cyber incidents that require reporting, and the time periods within which contractors must report cyber incidents.
Contractors like Netskope that provide cybersecurity services need to be part of that discussion on contract language. But we also need to work with both Congress and the Biden Administration to help those policymakers and procurement officials understand relatively technical issues, such as the use of artificial intelligence or encrypted transmissions to protect data. Through collaboration, smart decisions can be made on securing federal systems while also enabling the right access for a workforce that often accesses those systems from their home computer or mobile device. In the coming weeks, we will launch a new initiative in this regard.
Some of the most important work must be done outside the Beltway. Local education systems must make cybersecurity a core piece of the curriculum so that we can effectively encourage young people to adopt cyber careers early on and think of it as a rewarding, aspirational career path. That can and should be a new American Dream with an inspiring combination of a well-paying career with securing the nation and its cherished freedoms. It is of utmost importance to get this right for the next generation of Americans.