If anything, federal agency life (not to mention “real life”) since 2020 has taught us that we can’t predict what is to come. However, we can always look back and take away lessons learned to help inform future decisions and direct long-term strategies.
Cybersecurity is no exception, especially in identifying the major shifts that are redefining the way the government defends its digital assets. With this in mind, here are the three biggest cybersecurity disrupters for federal agencies, and how they will enable a higher level of lasting protection in 2022 and beyond:
A zero trust mindset
In recent years, we’ve seen an explosion of internet of things, bring-your-own-device and work-from-home adoption, along with the disintegration of the traditional network perimeter. This has ushered in an era of dramatic technology transformation, and we must reconsider our cybersecurity approaches as part of the transformation.
Zero trust essentially “retires” traditional perimeter defense, focusing instead on moving controls down to each asset and user. By segmenting the enterprise network and its assets into small functional areas (or even individual assets) through micro-segmentation, agencies can carefully implement gates that control the areas through privileged access management (PAM) and strong user identity and authentication protocols.
Subsequently, federal security teams ensure that only approved people access approved assets at approved times to perform approved functions, i.e., the enforcement of “never trust, always verify” least privilege principles.
Seven of ten federal government IT decision-makers say zero trust has emerged as a greater priority with more apps and devices accessing agency resources. In 2021, we saw the publication of the White House’s “Executive Order on Improving the Nation’s Cybersecurity,” which directed agencies to implement a zero trust architecture. The order was followed by the Office of Management and Budget’s “Federal Zero Trust Strategy.” So we should expect this implementation to rapidly accelerate.
It’s impossible to discuss zero trust without including the modernization of identity and access management (IAM) as a key driver. It has been said, actually, that identity is the new perimeter. Because of the aforementioned technology transformation, agencies must invest in IAM solutions that orchestrate across disparate applications, geographically dispersed remote users and sometimes multiple clouds. These solutions also need to provide multi-factor authentication (MFA) and single sign-on (SSO) capabilities throughout an agency’s catalog of end-user applications and administrative systems to seamlessly and safely allow access to their enterprise systems.
To align with zero trust tenets, government security leaders must include PAM in their strategy, to govern just-in-time rules which grant access to critical assets and rights to perform vital administrative functions to only fully authenticated users with privileged credentials, strictly during task-appropriate time frames. This significantly limits risk to the organization by narrowing the window available to adversaries to take over certain command and control functions.
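One way to express the just-in-time rule described above as a deny-by-default check, added here as an illustration and not taken from the original article or any PAM product. The `Grant` and `Request` fields, the user names and the asset name are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    """A time-boxed privileged grant (hypothetical schema)."""
    user: str
    asset: str
    functions: frozenset   # administrative functions approved for this task
    not_before: datetime
    not_after: datetime    # exclusive: access ends at this instant

@dataclass(frozen=True)
class Request:
    user: str
    asset: str
    function: str
    mfa_verified: bool
    at: datetime

def decide(request, grants):
    """Return (allowed, reason). Deny unless person, asset, function and time all match."""
    if not request.mfa_verified:
        return False, "mfa_required"          # never evaluate grants for weak sessions
    reason = "no_grant"
    for g in grants:
        if (g.user, g.asset) != (request.user, request.asset):
            continue
        if request.function not in g.functions:
            reason = "function_not_approved"
            continue
        if not (g.not_before <= request.at < g.not_after):
            reason = "outside_window"
            continue
        return True, "granted"
    return False, reason

# Constructed sample: one grant, valid for one hour, for one function on one asset.
T0 = datetime(2022, 1, 10, 14, 0, tzinfo=timezone.utc)
GRANTS = [Grant("alice", "db-prod-01", frozenset({"restart_service"}),
                T0, T0 + timedelta(hours=1))]

def demo():
    base = dict(user="alice", asset="db-prod-01", function="restart_service",
                mfa_verified=True, at=T0 + timedelta(minutes=30))
    cases = [{}, {"at": T0 + timedelta(hours=2)}, {"function": "drop_database"},
             {"mfa_verified": False}, {"user": "bob"}]
    return [decide(Request(**{**base, **c}), GRANTS) for c in cases]
```

The reason string returned with each denial is what a security team would log and alert on, since repeated `outside_window` or `function_not_approved` results for one account are a useful signal of credential misuse.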
Again, a push from the top should result in greater adoption of these solutions and practices: The White House executive order acknowledged the need for modernized access management, calling for the National Institute of Standards and Technology to develop guidance on the establishment of “multi-factor, risk-based authentication and conditional access across the enterprise.” And federal security executives already rank PAM as one of the leading approaches in reducing successful attacks, minimizing breach impact and shrinking the attack surface.
Cloud first – and last
Of course, the cloud is nothing new. The acknowledgment of cloud adoption as a technology strategy began with the White House’s 2010 publication of the “25-Point Implementation Plan to Reform Federal Information Technology Management,” which directed agencies to shift to a “Cloud First” policy by identifying three “must move” services and migrating them within 18 months. The 2018 “Cloud Smart” strategy updated this.
Yet, we should still consider the cloud as a disrupter, particularly for the many agencies that haven’t fully embraced the robust, on-demand, low-maintenance benefits of software as a service (SaaS). In doing so, they are limiting themselves to the shrinking catalog of solutions being offered and supported for on-premises deployments. Over the next couple of years, we can expect this resistance to give way to more universal adoption. In fact, federal cloud spending is projected to reach $8.5 billion in fiscal 2023, up from $6.1 billion in fiscal 2019.
At the same time, cloud-based security offerings are evolving and improving at warp speed. This should accelerate with the Federal Risk and Authorization Management Program (FedRAMP) incorporating cloud security controls from NIST which address zero trust and the supply chain. In addition, because the whole world is moving to the cloud (especially in the post-pandemic, WFH era), agencies will have to transition to “cloud first – and last” strategies in making security investments.
Cybersecurity has never been about anticipating everything, as there will always be new, unforeseen attacks. That’s why it is essential to leverage disruption as an enabler of new strategies to fortify agencies from both the expected and unknown. By investing in modernized IAM and cloud solutions while vigorously enforcing zero trust, government leaders will build a layered and effective response to anything that awaits them, for the year ahead and the indefinite future.
Sarah Hensley is vice president of cloud solutions at Merlin Cyber.