On May 12 the Biden administration signed an executive order that unveiled a whole new approach to cybersecurity. For the first time, Zero Trust was referred to as a security requirement all federal agencies need to adopt and work by.
Here are some of the highlights that pertain to Zero Trust and segmentation vendors:
Cybersecurity is a top national priority for the US government
The tone is set at the beginning: “It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.”
Go Modern, Go Zero Trust
“To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity…The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services…and invest in both technology and personnel to match these modernization goals.”
The order then states that within 60 days, the head of each federal agency must develop a plan to implement a Zero Trust Architecture within their organization.
The order refers to both IT and OT
“The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).”
Moving from detection and prevention to assuming breach
Zero Trust is a significant departure from the traditional network security models. “The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.”
Gone are the days of relying on perimeter-based legacy firewalls to prevent breaches. The growing complexity of workloads moving across data center and cloud environments, coupled with massive ransomware attacks, has exposed the inadequacy of traditional security models.
Cloud is the platform of choice and must also be built on Zero Trust
The need to move to the cloud is stated throughout the order; here is one example: “The CISA shall modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with Zero Trust Architecture.”
Migration to the cloud has to be built on the principles of Zero Trust, so that workloads can move smoothly across platforms and users are granted only least-privilege access.
Critical software such as the software supply chain must adopt Zero Trust and segmentation
Agency heads must apply least-privilege, network segmentation, and proper configuration practices within the next 60 days.
Attacks of ‘pandemic’ proportions such as SolarWinds, Microsoft Exchange, and most recently Colonial Pipeline may not be as easy to launch once the least-privilege approach is adopted.
‘Significant’ incidents will be investigated by a new board
The Department of Homeland Security was instructed to create a Cyber Safety Review Board to investigate and debrief “significant cyber incidents.”
This means that the next time a company pays a ransom, such as the 5 million dollar payment Colonial Pipeline made to the DarkSide hacking group, the payment may be made in the open, giving the public better visibility into the scale of the ransomware problem.