New Federal Zero Trust Strategy Requires a New Approach to Create More Trust, Not Less
One of the challenges to zero trust adoption that agencies have been wrangling with is the definition. Following Executive Order 14028 to improve the nation’s cybersecurity and protect federal government networks, the Office of Management and Budget (OMB) recently released a Federal strategy to move the government toward a zero trust approach to cybersecurity. The new strategy states that “a key tenet of a zero trust architecture is that no network is implicitly considered trusted” but it’s important to understand that “zero” is only the starting point of a long-term zero trust strategy.
When implemented properly and with tools to provide proactive controls, improved visibility, and increased points of inspection, federal agencies can move beyond zero trust and create more trust.
The new strategy is sound and also aligned to what the private sector has done over the last decade. With the private sector’s success as an indicator of the proven effectiveness of a good zero trust strategy, the federal government is making progress to achieve the same level of success. There are three significant security challenges that federal agencies can overcome by leveraging a new approach to security, while also meeting the requirements of the new strategy.
User-driven Cloud Adoption Increases Risk, but This Can be Managed with Cloud Data Protection
While some federal organizations have historically been slow to move to the cloud, the shift to a majority, or at least partial, remote workforce over the last two years has served as a forcing function for cloud adoption. Moving to the cloud isn’t inherently bad – when the move is planned and executed with oversight from both networking and security teams, agencies can see many benefits including scalability, flexibility, and portability.
However, when adoption is driven by users, unchecked cloud and SaaS apps can increase risk. Since end users are often inclined to choose convenience over security, files are shared from corporate machines to personal PCs and cloud-based apps to continue working remotely. This user-driven adoption can result in massive security blind spots. The July 2021 Netskope Cloud and Threat Report noted that cloud app adoption had increased 22% during the first six months of 2021, where the average company with 500–2,000 users now uses 805 distinct apps and cloud services, 97% of which are unmanaged and often freely adopted by business units and users with no security involvement. Even organizations deploying their own apps often lack visibility, let alone the ability to apply adequate controls for cloud data protection.
Performance and Security Don’t Have to be Mutually Exclusive
In addition to the combination of cloud adoption and security neglect, federal agencies also face the challenge of maintaining IT performance alongside security. At the initial shift to a remote workforce, many agencies leveraged VPNs as a means for remote access to enterprise apps and data. The sheer volume of federal employees connecting via VPN, however, quickly resulted in latency issues and performance degradation. In turn, this resulted in employees turning to unmanaged instances of cloud applications for file transfers—connecting to the network by VPN just long enough to get the files and data they needed, then transferring the files to their personal PCs. This challenge not only put agency missions at risk but also significantly increased the attack surface and security risks.
While legacy approaches to security often mean a degradation in performance, modern approaches and tooling can make security and performance mutually inclusive for federal agencies. Agencies can leverage Security Service Edge (SSE) to boost business productivity and agility for a faster user experience and optimized application performance. SSE also enables peering with web, IaaS, and SaaS providers for fast, low-latency on-ramps and inline security traffic processing close to users.
Agency users need to get their data fast and the network has to be reliable. If security is slowing down access or operability, productivity suffers and users may unknowingly or unintentionally trade off security controls for network speed and reliability. Moving security controls to the cloud might seem like the obvious and easy fix, but ultimately the cloud ends up traversing a place chock-full of security perils—the internet—that can cause a whole slew of issues in routing and exposure. This is where SSE can ensure a smooth and efficient path from the end user to their destination and back again.
You Can’t Protect Your Data if You Don’t Know Where It Is
Many federal organizations are struggling with how to effectively maintain visibility of their assets and data. In the old world, a file that required signature by three separate users might simply be uploaded to a shared drive, or at worst, emailed several times to each user. In today’s world, however, that same file might originate on the organization’s enterprise network only to then be sent to a remote user who receives the file at their corporate email address. However, since DocuSign isn’t an enterprise-approved app, they forward it to a personal email account so they can digitally sign the file with their personal DocuSign account. They then forward the file on to the next user who needs to sign. The second user follows the same procedure, only they accidentally forward it from their personal email account to the third user. The final user signs the file as requested from their corporate address but is also running Windows XP and hasn’t been patched since 2008.
In this one small series of transactions, there are multiple opportunities not just for the data to be lost, but also for malicious code to be embedded within the data when it’s delivered back onto the federal enterprise network.
While some legacy tooling might flag the return file, it likely won’t offer a real-time action to mitigate the risks. And chances are, even if it did, the security team in this scenario would likely be so inundated with other similar flags that this one would just become part of the constant security noise and go unchecked.
In 2020, 83% of users accessed personal app instances from managed devices each month. Personal app instances pose a data security threat when users upload sensitive data to them: the organization loses control over access to the data, making it more prone to exposure or misuse. Agencies can leverage SSE as part of a modern, cloud-smart and data-centric approach to ensure security follows data wherever it goes and maintains real-time, context-rich awareness of agency data.
Agencies Can Leverage a SASE Framework to Create More Trust
In order to meet objectives laid out in the new strategy, agencies need an approach centered on securing the edge. With traditional perimeters now dissolved, the edge is wherever agencies execute the mission—wherever agency data resides. The approach agencies should employ is Secure Access Service Edge (SASE), a cloud-based architecture that delivers network and security services meant to protect users, applications, and data. To ensure the successful journey to a SASE architecture, agencies must also leverage Security Service Edge (SSE), a term defined by Gartner referring to the evolving security stack needed to successfully achieve a SASE convergence, including technology capabilities such as Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), Firewall-as-a-Service, and Zero Trust Network Access (ZTNA) that are core requirements for that stack.
Such an approach is the only way to ensure that agencies maintain visibility of mission-critical data and verify, then trust. An approach centered on the logic of "trust, then verify" increases risk and drives exponential security problems for agencies because verification is too late.
SSE isn’t a standalone silver bullet—however, it can enable agencies to close the security gaps that have been created by new ways of working in the federal government, and it allows for the implementation of the controls to achieve the visibility required to meet the goals of the new federal strategy. Much in the way that a new agency mission or changes to an existing mission can introduce new risks, the new ways that agency data is now accessed remotely introduce new risks and require a new approach that not only improves security, but also creates trust.