Ned Miller, August 27, 2021
Cyberthreat Landscape Heats Up Federal Focus on Zero Trust Security
It’s impossible to ignore the mounting impact of cybersecurity attacks in the U.S. and subsequent federal response calling for Zero Trust security mandates and public sector partnerships. This week, Appgate was named a Zero Trust Network Access Leader by Forrester. This blog focuses on our active leadership and participation in supporting Zero Trust adoption across the government sector.
2021: The State of Cybersecurity
As reported in the Wall Street Journal this week, there were more than 1,700 publicly reported breaches in the first half of 2021 alone, with more than 18 billion sensitive or confidential records exposed to date. High-profile attacks such as the SolarWinds, Colonial Pipeline and Microsoft Exchange compromises have dominated the headlines, as well as our working lives as security practitioners. And on August 21 it was reported that the U.S. State Department had been hit by a serious cyberattack, with the details yet to be revealed or confirmed.
More concerning still is what the media isn't reporting now, not to mention future unknown events. A sophisticated nation-state attack could disrupt our everyday lives at a scale that would make the Colonial Pipeline impact, a two-week gas shortage on the East Coast, look like a minor inconvenience.
Government Response: Executive Order 14028 on Improving the Nation’s Cybersecurity
On May 12, 2021, the White House issued Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity aimed at mandating “significant investments” to protect against malicious cyberthreats. It states, “The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid … security must include systems that process data (information technology) and those that run the vital machinery that ensures our safety (operational technology).”
The executive order also says the “private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”
Additionally, the order requires the head of each federal agency to develop a plan to implement a Zero Trust Architecture within 60 days. It is the prescribed answer to these challenges, and federal leadership is fully behind it.
The Role of Zero Trust Architectures
The National Security Agency (NSA) succinctly describes the foundational philosophy of Zero Trust: assume that a breach is inevitable or has likely already occurred. Under this model, you restrict user access to only what is needed at that specific point in time and continuously look for anomalous or malicious activity. Elements of a Zero Trust model include:
- Continual and comprehensive security monitoring
- Granular risk-based access controls
- Coordinated system security automation throughout all aspects of the infrastructure to focus on protecting critical assets (data) in real-time within a dynamic threat environment
This security model applies least privilege to every access decision. Each request for a resource is allowed or denied based on the combination of several contextual factors, such as the requester's identity and role, the posture of the device, the network it comes from and the risk currently observed, and the decision is re-evaluated as those factors change rather than granted once at a network perimeter.
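To make the per-request, context-driven decision concrete, here is an added example of a minimal policy decision point. It is illustrative code written for this page, not code from the original post or from Appgate SDP. The signal names (`device_managed`, `risk_score`, `mfa_age_min` and so on), the sample resource policy, the thresholds and the user "alice" are all assumptions constructed for the example; a real deployment would feed these from an identity provider, device inventory and monitoring pipeline. The example defaults to deny, reports every failed check so the decision can be logged, and shows an open session being revoked when monitoring raises the user's risk score.

```python
# Added example (not code from the original post or from Appgate): a small
# policy decision point that applies least privilege to every access request
# from several contextual signals, defaults to deny, and re-checks an open
# session whenever its context changes. All names, signals, thresholds and
# sample inputs below are illustrative assumptions.
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessContext:
    """Signals gathered for one access decision (assumed sources in comments)."""
    user: str
    roles: frozenset            # from the identity provider
    device_managed: bool        # from MDM / device inventory
    device_patched: bool        # from an endpoint posture agent
    mfa_age_min: int            # minutes since last strong authentication
    risk_score: int             # 0 (clean) .. 100, from security monitoring
    network: str                # "corp", "vpn" or "internet"
    when: datetime              # time of the request (timezone-aware)


@dataclass(frozen=True)
class ResourcePolicy:
    """Per-resource requirements; every check must pass (default deny)."""
    resource: str
    allowed_roles: frozenset
    require_managed_device: bool = True
    require_patched_device: bool = True
    max_mfa_age_min: int = 60
    max_risk_score: int = 30
    allowed_networks: frozenset = frozenset({"corp", "vpn"})
    allowed_hours_utc: range = range(0, 24)


def evaluate(policy: ResourcePolicy, ctx: AccessContext) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Access is granted only if no check fails."""
    reasons: list[str] = []
    if not (ctx.roles & policy.allowed_roles):
        reasons.append("no role grants this resource")
    if policy.require_managed_device and not ctx.device_managed:
        reasons.append("unmanaged device")
    if policy.require_patched_device and not ctx.device_patched:
        reasons.append("device posture: unpatched")
    if ctx.mfa_age_min > policy.max_mfa_age_min:
        reasons.append(f"MFA older than {policy.max_mfa_age_min} min")
    if ctx.risk_score > policy.max_risk_score:
        reasons.append(f"risk score {ctx.risk_score} > {policy.max_risk_score}")
    if ctx.network not in policy.allowed_networks:
        reasons.append(f"network '{ctx.network}' not permitted")
    if ctx.when.astimezone(timezone.utc).hour not in policy.allowed_hours_utc:
        reasons.append("outside permitted hours")
    return (not reasons), reasons


class Session:
    """An open session is only as good as its most recent evaluation."""

    def __init__(self, policy: ResourcePolicy, ctx: AccessContext):
        self.policy = policy
        self.active, self.reasons = evaluate(policy, ctx)

    def reevaluate(self, ctx: AccessContext) -> bool:
        """Called on every new signal (posture change, risk update, timer)."""
        self.active, self.reasons = evaluate(self.policy, ctx)
        return self.active


# Constructed sample policy and request for a finance database.
FINANCE_DB = ResourcePolicy(
    resource="finance-db",
    allowed_roles=frozenset({"finance-analyst"}),
    max_risk_score=20,
    allowed_hours_utc=range(6, 20),
)

GOOD_CTX = AccessContext(
    user="alice", roles=frozenset({"finance-analyst"}),
    device_managed=True, device_patched=True, mfa_age_min=5,
    risk_score=3, network="vpn",
    when=datetime(2021, 8, 27, 14, 0, tzinfo=timezone.utc),
)


def demo() -> dict:
    """Grant a session, then revoke it after monitoring raises the risk."""
    session = Session(FINANCE_DB, GOOD_CTX)
    granted = session.active
    # Later signal: monitoring flags anomalous behaviour on alice's device.
    flagged = replace(GOOD_CTX, risk_score=80)
    still_active = session.reevaluate(flagged)
    # A separate request: right role, but an unmanaged laptop on the internet.
    byod = replace(GOOD_CTX, device_managed=False, network="internet")
    byod_allowed, byod_reasons = evaluate(FINANCE_DB, byod)
    return {
        "granted": granted,
        "revoked_after_risk": not still_active,
        "revoke_reasons": session.reasons,
        "byod_allowed": byod_allowed,
        "byod_reasons": byod_reasons,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter more than the specific checks: the decision is a conjunction of independent signals, so adding a new signal can only tighten access, and the reasons list gives the SOC something to correlate with the monitoring that produced the risk score in the first place.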
Appgate and others in the vendor community are responding rapidly to the accelerated interest in Zero Trust with best-in-class capabilities and a vision for the future. Industry analysts are also busy rating Zero Trust solutions to help organizations faced with too many choices. A few select vendors are shaping the leaderboard, including Appgate SDP, which was just positioned highest for current offering and named a Leader in The Forrester New Wave™: Zero Trust Network Access, Q3 2021 report.
The Government’s Cybersecurity Ecosystem Responds
The government’s cybersecurity ecosystem and its authoritative sources at the U.S. Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), the National Security Agency (NSA) and the Department of Defense (DoD) have been extremely busy responding to the heightened threat landscape. In the last six months alone, the NSA released its guidance “Embracing a Zero Trust Security Model,” the DoD released its Zero Trust Reference Architecture and NIST announced the National Cybersecurity Center of Excellence (NCCoE) project on implementing a Zero Trust architecture, focused on architecture use cases and vendor interoperability.
Cybersecurity and Infrastructure Security Agency (CISA) leadership also acknowledges the importance of Zero Trust, and that although the government should make meaningful progress on implementation over the next 12 months, it will take years of continued focus and investment.
Meanwhile, EO 14028 directs OMB and CISA to work with the General Services Administration’s FedRAMP program office on a federal cloud security strategy that accelerates Zero Trust adoption. It is good to hear they are trying to accelerate the plan, because our adversaries read the same statements that it may take years to reach a better place than we are in today. As always in cybersecurity, time is of the essence and attackers never rest.
How is Appgate Helping the Government Implement Zero Trust?
Appgate is one of only 18 companies selected to participate in the NCCoE’s Implementing a Zero Trust Architecture project, which aims to develop practical, interoperable approaches to designing and building Zero Trust architectures. This public-private partnership applies standards and best practices to develop modular, easily adaptable example solutions using commercially available technology. Appgate is working with NIST to deliver three primary outcomes for this effort:
- Demonstrate example implementations of a Zero Trust Architecture (ZTA) using commercially available technology components, designed and deployed according to the Zero Trust concepts and tenets described in NIST Special Publication 800-207, Zero Trust Architecture.
- Demonstrate various types of user access to enterprise resources (e.g., data sources, computing services and IoT devices) spread across boundaries, from a single premises to multiple cloud environments, all governed by policy-based security constraints that apply Zero Trust principles and approaches.
- Publish a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.
(We have several reference materials on accelerating the adoption of Zero Trust architectures. See additional resource URLs below.)
Appgate is also working with the DoD in its efforts to leverage Zero Trust architectures, specifically to provide secure, authorized access to multi-cloud commercial environments as well as legacy resources and data centers. In February 2021, the DoD, with the Defense Information Systems Agency (DISA) and NSA, released Zero Trust Reference Architecture v1. And in July, the DoD CIO’s office released the Cloud Native Access Point (CNAP) Reference Design v1. Both documents are well worth reading to understand the DoD’s objectives for Zero Trust architectures.
As the government continues its Zero Trust architecture journey over the next several years, adversaries will keep challenging defenders with innovative, swift attacks on our critical infrastructure. If you accept that time is a critical variable in the cyber defense equation, we must be able to adapt in near real time to the threat of the day, hour or second. While the government is not yet moving at the speed of adversaries, awareness is improving daily, and Zero Trust measures will move us closer to a day when proactive and predictive cyber defense are a reality rather than words.