We live in a digital first world, where a once finite network perimeter has been replaced with an explosion of endpoints and attack vectors. The hybrid workforce is here to stay, presenting challenges with respect to remote employee onboarding/offboarding, Bring Your Own Device (BYOD) use, and insecure work environments with lots of distractions. Everything is connected to everything, and now a proliferation of IoT devices — never designed with security top of mind — are linked into the nation’s critical infrastructure. And APIs are the new dark web.
Add to this a shifting geopolitical environment that is the intensifying threat landscape, and we’re in the midst of a perfect storm for national security. Beyond “run of the mill” bad actors, the U.S. faces a very real and dire threat from nation state backed attackers, notably Russia and China. It’s unlikely we will ever know the full extent of the SolarWinds hack but I expect we will get glimpses of its impact from time to time.
Then there’s the crisis in Ukraine — the U.S. Department of Homeland Security is warning of potential retaliatory Russian attacks on critical infrastructure. The battlefield is increasingly cyber!
It is no surprise then that the White House released a Zero Trust strategy for Federal agencies this week. CISA Director Jen Easterly summed it up well:
“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity. Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”
Last May’s Executive Order that mandated multi-factor authentication (MFA) and encryption for federal agencies was a step in the right direction and laid the foundation for this week’s Zero Trust announcement. Zero Trust simply means “never trust, always verify” − be that a user, device, application or transaction. It’s a cybersecurity best practice So the question isn’t whether this is a good idea – it’s whether the announced Zero Trust strategy goes far enough, fast enough?
Under the order, each civilian agency has 30 days to designate and identify a Zero Trust strategy implementation lead and 60 days to draft a Zero Trust implementation plan for the OMB and CISA review. This is a serious and aggressive start. That said, implementation timelines go out to the end of 2024 and there’s no incremental budget being allocated in FY22 or FY23. Agencies are directed to look for alternative funding sources like working capital or the Technology Modernization Fund.
Can your organization get started now? Learn more about how Entrust can help enable your own Zero Trust approach.