Why the Cyber EO Made Zero Trust No Longer a Suggestion
A surge in attacks against critical infrastructure has demonstrated how cyber-threats have crossed over from the digital world into the physical realm. President Joe Biden responded to the rising threat on May 12 with a cybersecurity executive order. While aiming to improve the state of national cybersecurity, the EO’s focus was put squarely on increasing the protection of government networks.
Following two milestone mega-hacks (the SolarWinds compromise and the Colonial Pipeline ransomware attack), the White House issued this EO after tapping the best ideas from key federal agencies and major technology companies.
One of the companies that has been working closely with the government is Okta. Its federal chief security officer, Sean Frazier, manages a close collaboration with the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) through the Implementing a Zero Trust Architecture Building Block consortium. The goal is to develop practical, interoperable cybersecurity approaches that address the real-world needs of complex IT systems.
From its base in San Francisco, Okta provides identity and access management solutions. The EO is pushing both large and small government agencies to up their game, starting with the fundamentals. This explains why the EO is so focused on zero trust. Unlike traditional security strategies focused on the perimeter, zero trust enables organizations to adapt security architecture in ways that can support new user populations, customer engagement models, cloud adoption, and internet of things or connected devices.
As digital transformation progresses in nearly every sector, and as the COVID-19 pandemic’s impacts expand, zero trust has become, for many, the security model of choice. However, Frazier is one of the lead technology executives who’s concerned that “implementing zero trust has left security leaders struggling to make some shifts in strategy and fundamental architecture” which are required by the EO.
Amidst all the bad news about the rising costs of the surge in hacks, there is some good news. It’s now become more widely understood that starting with identity management is a critical part of the new national cyber-strategy. Okta’s recent zero trust survey polled 600 security and business leaders from around the world on how zero trust security fits into their current frameworks and roadmaps. According to that 2020 report, 41% of organizations said they were working on a zero trust initiative or intended to start one in the near future. This year, that number spiked to 90%. And 78% of respondents called it out specifically as an area of growing priority and are committed to increasing their investments in it.
On a regular basis, Frazier hears it from the agency executives now working through the EO: “A zero trust approach to security is no longer just a suggestion. And, thanks to the EO, within a specific timeframe all agencies must report about their implementations.”
A growing number of those organizations succeeding in the war against hackers start with identity management. This is a critical choice because that is the “front door,” a highly vulnerable point of entry into the system.
During the pandemic, with nearly everyone working from home, users are connecting from anywhere to applications that are also anywhere. In that kind of world, identity must be continuously validated, not initially trusted. Building up connective tissue has to happen every time a user requests something.
Frazier’s assessment of the situation is straightforward: “When the pandemic arrived, agencies went from 100 branch offices to 10,000 branch offices, overnight.”
Agencies now worry about home routers, home printers and home IoT devices, all of which have access to the network. That’s the same network on which sit the laptops getting daily use to conduct official business.
As a result of working closely with agency executives, Frazier concluded the last 18 months were “an inflection point that has pushed us to zero trust, and forced us all to think about securing the user with any device from anywhere, accessing an application which can live anywhere. When user identity is protected, the channel to the application is protected, the application is protected, and the data that it provides is protected.”
Bring-your-own-device (BYOD) was happening even before the pandemic, although agencies and organizations like to pretend that it wasn’t. Now, users are a bit more tech-savvy than they used to be, using smartphones for all kinds of tasks. Such actions may not be sanctioned, or allowed, but employees and contractors are nonetheless still doing it every single day.
Agencies sometimes struggle to fully understand what’s required in order to act effectively. Okta’s team ensures that cloud migrations are successful and safe. Frazier said that his company is positioned to do this because it “provides agencies with mission-critical tools. For example, the US Air Force needed to quickly upgrade the security of identity and access management, a shift which required moving massive numbers through critical steps.”
Okta published a case study describing how implementing its tools and integrating them into the Air Force’s directory systems provided lessons for other organizations. Frazier summed this project up: “It’s no small feat, during a two-month sprint, to move 200 applications into the cloud, and to do that while simultaneously pushing 500,000 users to log into Okta to access applications for work and play.”
Frazier said his own advice to agencies is straightforward: “Check in with peers. Find out what others have done, using such guidance to identify best practices. Connect with the NCCoE to watch the building blocks get built. Determine which use cases fit your agency’s own needs. Security is a team sport, which means we have to help each other out. The attackers have affiliates. The attackers are organized. If we all approach this in a piecemeal fashion, and if we don’t collaborate, then we’re going to lose.”