By Stephen Kovac, Vice President of Global Government and Head of Corporate Compliance, Zscaler
In the wake of recent high-profile attacks and an evolving hybrid work environment, agencies are working to meet President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity to protect users, devices, and data.
At the recent Zenith Live virtual event, I sat down with cyber leaders from the Department of Health and Human Services Office of Inspector General, Department of Education, and Cybersecurity and Infrastructure Security Agency (CISA).
We discussed zero trust security, FedRAMP, the Trusted Internet Connection (TIC) 3.0 policy, and how agencies can achieve their modernization goals and meet the terms of the EO.
The EO requires agencies to prioritize cloud adoption using Office of Management and Budget (OMB) guidance, plan for zero trust architectures using National Institute of Standards and Technology (NIST) special publications, and report their status to OMB and the Department of National Security Advisor for Cybersecurity.
Implementing these modernization efforts is a journey, not a destination: agencies must make a culture shift towards cloud, zero trust, and new technology rather than just checking the boxes.
“Thank God for the EO, I say,” said Gerald Caron, Chief Information Officer for the Department of Health and Human Services Office of Inspector General. “I think it moves us more towards being effective overall – for our agencies to be effective at cyber – not just checking boxes.”
Mitigating Threat with Zero Trust
The EO gave agencies 60 days to implement zero trust as they shift to cloud technology to “prevent, detect, assess, and remediate cyber incidents.”
Zero trust gives agencies strong access management and security tools to prevent unauthorized users from seeing applications and sensitive data – creating a zero attack surface and giving IT teams peace of mind as they monitor their environment.
NIST SP 800-207 zero trust guidance provides a roadmap to migrate to and deploy zero trust across the enterprise environment. This guidance outlines the necessary tenets of zero trust, including securing all communication regardless of network location and granting access on a per-session basis. This creates a least privilege access model that ensures the right person, device, and service have access to the data they need while protecting high-value assets.
The NIST National Cybersecurity Center of Excellence (NCCoE) recently announced its Implementing a Zero Trust Architecture Project where best-of-breed zero trust leaders will collaborate to demonstrate several approaches to implementing zero trust architectures. This coalition will work side by side to realize the opportunity for zero trust to strengthen every agency’s cyber defenses.
“For us, when we talk about zero trust architectures, it’s not just the discussion around technologies, infrastructure, services, cloud, and all the cool things that come together to make it happen,” said Steven Hernandez, Chief Information Security Officer at the Department of Education. “It’s also a very robust discussion around data, because data is at the heart of everything that we’re driving.”
President Biden’s EO also gave agencies 60 days to begin modernizing FedRAMP, and specifically “establish a training program to ensure agencies are effectively trained and equipped to manage FedRAMP requests.”
A FedRAMP-authorized zero trust security model allows IT administrators to wrap policies around users and applications to ensure comprehensive security regardless of where they connect from, and what they connect to.
This approach reduces the attack surface and the risk of users accessing unauthorized data or applications. Additionally, IT administrators have centralized visibility to track, log, and manage all users connecting to the network on any device, in any location – a huge advantage for managing an extensive remote or hybrid environment.
Updated Policy and Modern Security for Complex Environments
The updated TIC 3.0 guidance has opened the door for agencies to adopt modern, hybrid cloud environments. This security approach will be critically important for agencies to secure their cloud capabilities and scale up and down as needed.
“The guidance offers a new security strategy for agencies to explore new opportunities, redefine the perimeter, and flexible architectures, zero trust being one of those we want to talk about,” said Sean Connelly, TIC Program Manager and Senior Cybersecurity Architect at CISA. “New visibility is the most fundamental change in the guidance.”
As employees work in remote or hybrid environments and agencies follow modern TIC 3.0 guidance, agencies can position security closer to the resources, having everything at one access point.
To secure access points, agencies should adopt a Secure Access Service Edge (SASE) security model, which addresses today’s most common security challenges arising from more applications living outside the data center, sensitive data stored across multiple cloud services, and users connecting from anywhere, on any device.
Following the SASE model, agencies can invert the traditional security model to move essential security functions to the cloud so users can access data and networks from any location, while security is pushed as close to the user, device, and data as possible. With the SASE model, CISA inverted its services, such as the Continuous Diagnostics and Mitigation (CDM) program, to secure data where it is generated, and the General Services Administration (GSA) has likewise adjusted its Enterprise Infrastructure Solutions (EIS) model in the same way.
What’s Next as Agencies Modernize
The updated policies, authorizations, new security measures, and hybrid work environments are pointing agencies towards one initiative – cloud adoption and modernization. Now as agencies unify towards this push, they can learn from one another on this journey.
“I think we’re headed in that direction, we’re going to find ourselves there one way or another, and I think that’s a good thing,” said Hernandez. “I think that by having more people in a centralized environment, with less attack surface, better configuration, and change control – ultimately, we can learn from each other and have a body of practice around centers of excellence that do this well.”
About the Author
Stephen Kovac is the Vice President of Global Government and Head of Corporate Compliance of Zscaler. He is responsible for strategy, productizing, and certification of the Zscaler platform across global governments. He also runs the global compliance efforts for all of Zscaler. In his role, Stephen leads his team’s efforts to advance Federal IT modernization by delivering cloud security solutions through direct-to-cloud connections and zero trust security capabilities. He has pushed for cloud security reform by speaking at events, meeting with agency leaders, publishing, working on pilot programs, and working directly with the Hill. Stephen can be reached online at Twitter, LinkedIn, and at our company website https://www.zscaler.com/solutions/government