- Create an inventory of all user devices
- Encrypt networks
- Implement a single sign-on authentication protocol for secure logins
- Treat all applications as Internet-connected
- Improve data monitoring across computer networks
The deadline: Sept. 30, 2024. While it’s encouraging to see the federal government make necessary and long overdue moves toward zero trust, particularly in a post-COVID world where remote work has already pushed many private-sector businesses toward adopting zero-trust network access (ZTNA) technologies, the timetable is aggressive and likely not feasible for many. It’s critical that federal agency leaders understand what exactly it will take to implement zero trust: the best places to start, the trouble spots that may trip up efforts, and the number one thing the administration needs to do to ensure a successful governmentwide transition to zero trust.
EASING THE PATH TO ZERO TRUST
Zero trust works by limiting user access to an application-by-application basis, rather than granting every user privileges across the network. Tying the verified identities of individual logins to only the specific applications they need for work, and nothing more, drastically narrows the ability of cyber attackers to infiltrate entire networks off the back of a single compromised account.
This is a huge boon for security – but it does require a ton of back-end work by IT teams. In a government context, that means mapping access control for tens of thousands of applications to millions of users across Washington and beyond.
Federal mandates that require all agency employees to carry ID smart cards tied to their government-owned computers go a long way in reducing this workload. It’s a form of two-factor authentication that immediately provides the identity verification piece required for zero trust. Some of the government’s biggest agencies have already taken this step – for example, the Department of Defense with its Common Access Cards. The more that other agencies do this, the easier the workload becomes for the IT teams managing the ZTNA transition.
The government should continue embracing public cloud and utilizing FedRAMP certifications to ensure that the applications running on its clouds are meeting a certain security standard. Embracing third-party vendors, instead of spending huge sums of time and money on building up their own IT systems, will also go a long way in creating a more cost-effective and efficient path to zero trust. And because these products have already been vetted, they bring a certain threshold of guaranteed security to the table.
Taken together, government smart IDs, public cloud and third-party security products will help to lighten the load on the administration’s IT teams in making governmentwide zero trust a reality.
POTENTIAL PITFALLS
While the above steps may ease the government’s transition to zero trust, there are a number of potential pitfalls in the road ahead. Zero trust is a major organizational IT transformation – it’s not the kind of project that naturally pairs well with the massive bureaucracy of the federal government.
The Biden administration’s commitment to zero trust is laudable; however, it’s imperative that the decision-makers and IT teams executing that commitment are able to identify and circumvent some major potential red tape problems, including:
- Variable levels of security between agencies. The Department of Defense, for example, will have very different and more advanced security measures in place than, say, the Small Business Administration.
- Varying levels of management between agencies. Will each agency have its own IT team dedicated to that organization’s move to zero trust, or will there be a team and/or point person overseeing all agency transitions simultaneously? Either way becomes very logistically difficult.
- Legacy bespoke systems that have existed for decades. It took the IRS nearly 20 years to move away from its 1980s-era mainframes because they were all bespoke systems built by contractors decades ago that contemporary employees had no idea how to manage. This situation exists throughout the entire government and requires either scrapping these bespoke systems altogether (which is very expensive) or building bespoke gateways that will adapt each of these older systems to their newer counterparts – a time-consuming, labor-intensive process that is made even more difficult when you consider the millions of application-to-user login configurations that will have to be routed through these gateways.
Perhaps most concerning of all is budget. The White House reportedly isn’t allocating any money toward this effort until next year. It will require a gargantuan level of federal spending to get this project done, let alone on time, and the longer it waits on any kind of budget, the less feasible that 2024 goal becomes.
If the Biden administration is truly serious about wanting to move the government in the direction of zero trust, this is the No. 1 item it must commit to. Without a substantial budget singularly allocated to this project, it’ll inevitably wither on the vine.
LOOKING TO THE STATES
Expecting the entirety of the federal government to have moved over to zero trust by September 2024 may be unrealistic, but unrealistic goals can be good things – they help inspire action, as opposed to doing nothing at all. But even if the effort had a massive budget behind it, the amount of bureaucratic red tape and legacy complexity across agencies makes the administration’s move to zero trust an unwieldy, complex endeavor.
However the process plays out for the federal government, the White House’s mission statement for zero trust can at least have one major positive consequence: inspiring more action among the states to do the same.
We’re already seeing state and local governments pursue the cloud more aggressively and use their own StateRAMP certification process to find secure and vetted third-party products. State governments in particular sit in a real sweet spot right now: boasting higher budgets and talent pools than local governments, with none of the bureaucratic mess of the feds. With a more efficient size and scope of government to work with, we could conceivably see many states successfully execute their own transition to zero trust by 2024 – carrying out the spirit of the White House’s mission and helping to drastically narrow government security gaps for attackers to exploit.
About Dan Schiappa
Dan Schiappa is the chief product officer at next-generation cybersecurity leader Sophos. He’s a transformational and strategic leader who orchestrates the company’s technical strategy, playing an instrumental role in architecting technologies; overseeing product management and research and development; and ensuring product quality. With a passion for education and inspiring the next generation of cyber talent, Dan also serves as chair of the University of Central Florida’s Dean’s Advisory Board, where he oversees various aspects of the school’s elite cybersecurity program.