On May 12, 2021, the Biden Administration issued a 30-page executive order. Its purpose: to address serious security concerns that surfaced after recent cyberattacks.
The order covered numerous security issues, including moving the Federal government to secure cloud services and ensuring government agencies evaluate the software needed for their IT infrastructures, as well as the deployment of Multi-Factor Authentication, endpoint detection and response, and encryption.
In addition, Biden’s order called for the adoption of Zero Trust architecture.
“For too long, we failed to take the necessary steps to modernize our cybersecurity defenses because doing so takes time, effort, and money,” explained a senior administration official. “Instead, we’ve accepted that we’ll move from one incident response to the next. And we simply cannot let ‘waiting for the next incident to happen’ be the status quo under which we operate.”
The Executive Order’s goal is to modernize the government’s IT infrastructure while developing standards to help minimize the damage caused by serious cyberattacks, such as the SolarWinds and Colonial Pipeline incidents.
One main takeaway from the order is the prioritization of Zero Trust. In order to ensure security when implementing cloud computing environments and services, the order mandates that within 60 days, agencies must develop a plan to implement a Zero Trust architecture.
“What this does is incentivize federal agencies to adopt Zero Trust within their own on-premises technologies,” explains John Kindervag, a former Forrester analyst who developed the Zero Trust security model in 2010.
“It also creates a Zero Trust mindset in how they can approach their on-premises technologies and when they move to the cloud.”
He adds, “The challenge is going to be in developing a plan. That will be a challenge for everybody because the first thing they need to do is determine what you need to protect—and that takes longer than 60 days.”
According to Kindervag, taking incremental steps toward deploying a Zero Trust framework is preferable to attempting to tackle everything at the same time.
The executive order highlighted several key elements related to Zero Trust, including:
- Agency heads must apply practices of least privilege, network segmentation, and proper configuration within the next 60 days.
- Attacks of pandemic proportions, such as SolarWinds, Microsoft Exchange, and Colonial Pipeline, may not be as easy to launch once the least privilege approach is adopted.
- Migration to the cloud must be based on the principles of Zero Trust to allow smooth migration of workloads across platforms and least privilege user access.
The executive order was met with approval from many, including Reps. Bennie G. Thompson, D-Miss, and Yvette D. Clarke, D-NY. “Cybersecurity is a national security issue, and we commend the Administration for prioritizing it that way,” they explained. “From the SolarWinds supply chain attack that gave Russian actors access to federal networks to the Colonial Pipeline ransomware attack that temporarily shut down 5,500 miles of gas pipeline, cyberattacks jeopardize our national and economic security.”
Thompson and Clarke added, “If nothing else, the cyber incidents that have occurred over the past six months have demonstrated that bold action is required to defend our networks today and in the future. The Executive Order signed by the President is just that.”
For organizations looking to adopt a Zero Trust architecture, OneLogin offers numerous tools to support the effort.
Tools for Zero Trust Security
SSO improves both security and ease-of-use, eliminates passwords, and uses a vetted trust relationship for safe authorization. In addition, MFA adds an important level of security by requesting additional data from users to verify they are actually who they say they are.
Add to this a good identity management system that provides:
- Role-based access control and easy provisioning capabilities
- A system that takes into account device trust during the SSO process
- Preferably, risk-based authentication that accounts for contextual information, such as the user’s location, IP address, and login time to create user profiles and challenge risky login attempts
These tools, on top of a secure infrastructure with micro-segmentation, will help organizations implement Zero Trust security in a way that isn’t burdensome to users.
Additionally, OneLogin’s Delegated Administration tool enables organizations to adopt the Zero Trust principle of least privilege access. By empowering admins to easily delegate access on a granular level, organizations can balance productivity requirements with the need to aggressively protect themselves against security threats.