Taking a Zero-Trust Approach to Cybersecurity
Cyber breaches have become increasingly devastating over the last few years, with damaging effects extending into the day-to-day operations of the federal government. Remote work has become a societal norm rather than a business perk, and organizations continue to become more and more vulnerable to cyberattacks. Federal cybersecurity personnel must continuously assess risk levels to ensure that users can be trusted. If a user's risk level is not constantly checked, an attacker who has previously gained access to the system can easily move far and wide across the agency's networks without being detected.
The Biden Administration is prioritizing this issue, implementing a first-ever policy dedicated to addressing the need for a major overhaul of cybersecurity processes across all federal agencies. The executive order, signed on May 12, provides guidance and timeframes for public and private organizations alike to implement important technology and process improvements. In September 2021, the Administration pushed this further with draft guidance instructing federal agencies to adopt the tried-and-true cybersecurity philosophy of "trust no one," otherwise known as the zero-trust approach.
Zero-trust views any user, device and application as a potential threat, requiring repeated verification and limiting user access on an application-by-application basis. It does not grant every user privileges across the network; instead, it links each verified user identity only to the specific applications that user needs for their work. This greatly reduces the occurrence of cyberattacks that aim to infiltrate entire networks through one compromised account. This is a major advantage in the cybersecurity field, but it does require intensive "back-end work" with a professional IT team. At the scale of the federal government, this could mean mapping access control for hundreds of thousands of applications to millions of users across the nation.
With a deadline of September 30, 2024, federal agencies are required to establish the following practices and protocols to improve their cybersecurity infrastructure:
- Create an inventory of all user devices;
- Encrypt networks;
- Implement a single sign-on authentication protocol for secure logins;
- Treat all applications as Internet-connected; and
- Improve data monitoring across computer networks.
It is good to see the federal government making essential and impactful moves towards strengthening cybersecurity, especially in a post-COVID world where remote work is becoming more globally embraced and has forced many private-sector businesses to become familiar with and implement zero-trust network access (ZTNA) technologies. However, the demanded timeline for adopting these protocols, set against the lack of ample resources, is rather aggressive and out of reach for many. An effective zero-trust strategy must cover all potential access points, from the endpoint all the way to the cloud.
It's vital that federal agency leaders understand exactly what implementing zero-trust requires, with particular emphasis on the loopholes that may render efforts ineffective and prevent a successful government transition to zero-trust.
by LaShaune R. Littlejohn of Phoenix Star Creative LLC