Executive Order on Zero Trust — What it Means for Federal Agencies


While Ronald Reagan was president during the height of the Cold War in the 1980s, he popularized an old Russian phrase translated as “trust, but verify.” Reagan invoked it to emphasize the extensive verification procedures that would let both sides monitor compliance with the Intermediate-Range Nuclear Forces (INF) Treaty signed in December 1987. The intermediate-range missiles covered by the treaty could reach their targets in 30 minutes or less and were considered destabilizing at the time.

Today, we no longer have the luxury of minutes in the cyber world. Traffic crosses a network at close to the speed of light, and a single action, such as clicking a phishing link in an email, can open the door to an organization-wide compromise within seconds. “Trust, but verify” is not an adequate response to a cyberattack. As digital transformation, cloud migration, and remote work have become the norm, security teams can no longer rely on traditional perimeter-based network defenses.

Risk Based Security, a vulnerability intelligence firm, identified 1,767 publicly reported breaches between January 1, 2021 and June 30, 2021. Over the last year several attacks dominated media headlines and sparked public calls for immediate government action: the Solorigate attack (the SolarWinds supply chain compromise, most likely the work of a nation-state attacker) that may have impacted the U.S. military, and the Colonial Pipeline ransomware attack that caused gasoline shortages on the East Coast of the U.S.

Any website exposed to the public internet will be probed and attacked; the question is when, not whether. According to Cybercrime Magazine, sixty percent of small businesses go out of business within six months of falling victim to a cyberattack. For government entities, which hold highly sensitive information on weapon systems, clandestine operations, health records, and much more, the consequences of a breach can be catastrophic, up to and including significant loss of life.

Executive Order Drives Zero Trust Priorities for Government Agencies

On May 12, 2021, President Joe Biden signed Executive Order 14028, “Improving the Nation’s Cybersecurity,” to protect federal government networks. Among its directives, it requires federal agencies to develop a plan to advance toward a Zero Trust architecture. Although practitioners are still defining a more technical and specific implementation process, this is a huge step in modernizing U.S. government security defenses, and it signals to federal, state, and local organizations alike that security must be a top priority.

A Background on Zero Trust and Why It’s Important

To protect an environment from a breach, sustainable security policies and procedures must be established that reduce risk or prevent the attack from happening in the first place. Former Forrester analyst John Kindervag developed the concept known as Zero Trust (ZT). A Zero Trust model treats trust itself as a vulnerability: any access decision that rests on implicit trust, even trust in someone inside the organization, is a weakness an attacker can exploit. Security must be fundamental to the environment so that implicit trust is removed from the system design. For example, if you receive an email from a sender the system recognizes as legitimate, but it carries an unexpected link or attachment, should you click the link or open the attachment? Hint: it is safer to check with the sender through another channel first than to assume there is no malicious intent.

Zero Trust is based on the premise that threats exist inside as well as outside network boundaries. A Zero Trust model does not treat a user’s or device’s location on the network as grounds for trust. It embeds comprehensive, coordinated security monitoring throughout the entire infrastructure, focused on protecting critical assets and data in real time. This data-centric model applies least-privilege access to every access decision: who is requesting access, what device and resource are involved, when and where the request originates, and how the resource will be used must all be answered before access is allowed or denied.

NSA Guidance on Zero Trust

The National Security Agency (NSA) strongly recommends that all critical networks, government or otherwise, adopt a Zero Trust security model. While this can be challenging for today’s complex enterprise, the NSA recommends embracing Zero Trust solutions whose operational capabilities embody the following principles:

  1. Never trust, always verify: treat every user, device, application workload, and data flow as untrusted
  2. Assume breach: assume the adversary is already present in the environment
  3. Verify explicitly: access to all resources should be conducted in a secure and consistent manner, using multiple attributes to derive confidence for each access decision

Organizational heads, cybersecurity leaders, network owners, and administrators who incorporate these principles into their infrastructure will better protect their resources and limit the damage from data breaches when they do happen.
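To make the difference between perimeter trust and the "never trust, always verify" principles above concrete, here is an added example (not code from the original post, LogRhythm, or the NSA guidance): a small policy decision point that evaluates the same access requests under a legacy perimeter model and under a Zero Trust model that answers the who, what, when, where, and how questions explicitly. The corporate address range, role permissions, change window, and the three sample requests are constructed assumptions for illustration only.

```python
"""Perimeter trust vs. Zero Trust access decisions (illustrative, constructed example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical corporate address space that the perimeter model trusts outright (assumption).
CORP_NET = ipaddress.ip_network("10.0.0.0/8")

# Hypothetical least-privilege role map: any action not listed for a role is denied.
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "admin": {"read", "write", "delete"},
}

# Hypothetical change window (UTC hours) in which destructive actions are permitted.
CHANGE_WINDOW = range(8, 18)


@dataclass(frozen=True)
class AccessRequest:
    user: str              # who
    role: str
    action: str            # how the resource will be used
    resource: str          # what is being accessed
    source_ip: str         # where the request originates
    when: datetime         # when it originates (timezone-aware)
    mfa_verified: bool     # identity strength
    device_managed: bool   # device posture
    device_compliant: bool


def perimeter_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Legacy model: network location is the only credential that matters."""
    inside = ipaddress.ip_address(req.source_ip) in CORP_NET
    return inside, ["inside corporate network" if inside else "outside corporate network"]


def zero_trust_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Verify explicitly on every request; location grants nothing by itself.

    Each check answers one of the questions the article lists. Access is
    allowed only when no check fails; the reasons are returned for audit.
    """
    denials: list[str] = []
    if not req.mfa_verified:
        denials.append("who: identity not strongly verified (no MFA)")
    if not (req.device_managed and req.device_compliant):
        denials.append("what: device is unmanaged or out of compliance")
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        denials.append(f"how: role {req.role!r} is not granted {req.action!r}")
    if req.action == "delete" and req.when.astimezone(timezone.utc).hour not in CHANGE_WINDOW:
        denials.append("when: destructive action outside the change window")
    allowed = not denials
    # 'where' is recorded for audit and risk scoring but never used to grant trust.
    inside = ipaddress.ip_address(req.source_ip) in CORP_NET
    reasons = denials + [f"where: {'internal' if inside else 'external'} address, no trust implied"]
    return allowed, reasons


# Constructed sample requests (not real users, hosts, or events).
T_DAY = datetime(2021, 6, 1, 10, tzinfo=timezone.utc)
T_NIGHT = datetime(2021, 6, 1, 3, tzinfo=timezone.utc)
SAMPLE_REQUESTS = {
    # On the LAN, no MFA, personal laptop, analyst attempting a delete.
    "insider_weak": AccessRequest("alice", "analyst", "delete", "case-db", "10.20.30.40", T_DAY,
                                  mfa_verified=False, device_managed=False, device_compliant=False),
    # Remote analyst with MFA on a managed, compliant device, reading a record.
    "remote_strong": AccessRequest("bob", "analyst", "read", "case-db", "203.0.113.7", T_DAY,
                                   mfa_verified=True, device_managed=True, device_compliant=True),
    # Fully verified admin on the LAN, but deleting outside the change window.
    "admin_offhours": AccessRequest("carol", "admin", "delete", "case-db", "10.1.2.3", T_NIGHT,
                                    mfa_verified=True, device_managed=True, device_compliant=True),
}


def compare(requests: dict[str, AccessRequest] = SAMPLE_REQUESTS) -> dict[str, dict[str, bool]]:
    """Return each request's outcome under both models, keyed by request name."""
    return {
        name: {"perimeter": perimeter_decision(r)[0], "zero_trust": zero_trust_decision(r)[0]}
        for name, r in requests.items()
    }


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        allowed, reasons = zero_trust_decision(req)
        print(f"{name}: perimeter={perimeter_decision(req)[0]} zero_trust={allowed}")
        for reason in reasons:
            print("   ", reason)
```

The perimeter model allows the weakly verified insider and blocks the well-verified remote worker; the Zero Trust evaluator inverts both outcomes and also stops a fully verified administrator whose request fails only the "when" check. Returning the reasons alongside the decision is what lets a SIEM correlate denials with the rest of the environment.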

Interested in improving your defenses and reducing risk to your government agency? Watch this webinar to learn how LogRhythm’s SIEM solution can help you on your path to a Zero Trust architecture.