The Biden administration’s proposed federal budget for fiscal 2024 includes a spending increase of $12.7 billion intended for cyber-related activities within federal agencies. This proposed funding reflects the administration’s stated priority of enhancing national security and defending critical infrastructure against the challenges of today’s cyber threat landscape.
The proposed funding aligns with previous efforts to modernize and protect critical infrastructure, including Executive Order 14028 from May 2021, requiring agencies to assess their cyber environments and implement more robust standards. The Cybersecurity and Infrastructure Security Agency (CISA) also announced its Zero Trust Maturity Model 2.0 as a roadmap for agencies to develop and implement government-wide adoption of zero trust security architectures. Finally, the White House recently announced the National Cybersecurity Implementation Plan in July.
As the government continues to modernize, zero trust remains a top priority. Agencies can leverage this potential influx of funding to make strategic investments that achieve zero trust goals. However, to achieve or even begin the journey toward zero trust, agency leaders must insist on a data-centric approach, including the use of identity-based security to protect critical data across hybrid, multi-cloud environments.
Identity is the core of zero trust
The heightened focus on modernizing cybersecurity presents opportunities for agencies to embark on a journey toward holistic, zero trust security. Before utilizing any potential funding for zero trust architecture, however, agencies must evaluate their current environments.
Outdated security practices quickly become problematic in modern cloud environments. In traditional cloud systems, securing the network perimeter with firewalls and threat detection — the “castle and moat” approach — typically worked well to protect on-premises datacenters and private clouds. However, today’s multi-cloud environments demand an approach that shifts the point of control from physical components to data-centric, trusted identities. Identity is core to zero trust. Every entity must be authenticated and authorized before gaining access to any system.
Getting started with a zero trust architecture
Agencies can start building a zero trust architecture by first centralizing control of credentials, keys, certificates, tokens and any other secrets in their environments. From there, IT leadership and security personnel can authenticate and authorize identities to access applications and services. Security teams can also minimize credential time-to-live and dynamically rotate the credentials issued to users, devices and applications, so that any exposed secret remains usable only briefly.
Centralizing secrets in a dynamic environment gives IT administrators tighter control and visibility across the organization, mitigating the likelihood of internal and external cybersecurity attacks. Identity-based security ensures the protection of sensitive systems and data no matter where those systems and data physically reside — a crucial step on the road to creating a robust zero trust architecture. Further, this level of control enables organizations to automate and consistently revalidate secrets, removing much of the security burden from developers.
Considerations for agencies
As agencies find gaps and areas of improvement in their cyber environments while transitioning to multi-cloud security, they may also discover that ineffective legacy systems and tools and the lack of training and development for personnel cannot support modern workflows. Federal agencies can dedicate new funding towards upskilling talent, especially through certifications and courses, but this is only part of the challenge.
Traditional organizational structures also contribute to workflow inefficiencies. Agencies can invest in building centralized functions (what the private sector calls a platform team) whose role is to evolve IT workflows and processes and to streamline purchasing decisions. Platform teams help to eliminate tool sprawl, siloed organizations, shadow IT and duplicative work. These teams help agencies adopt a cloud operating model that leads to secure, best-in-class, self-service infrastructure operations.
Partner for success
Zero trust is overwhelming, given the number of hurdles with compliance and authority to operate (ATO). Zero trust solutions are complex, requiring a different approach to security and unique considerations for each organization. Regulatory complexity, compliance standards and the need for faster ATOs create additional hurdles. The need for highly secure application availability further complicates the journey toward zero trust. Agencies can utilize available funding to help alleviate some of these roadblocks, working in tandem with industry partners.
Addressing the current cyber landscape and achieving zero trust security is a difficult feat for any organization. Agencies should seek out trusted industry partners to build and deploy modern, best-of-breed identity and secrets management solutions to help manage their transition to the cloud without compromising on security. Starting with identity, credential and access management (ICAM) policies and platform teams will position agencies to make the most efficient use of funding.
The 2024 budget proposal is a step forward in prioritizing and developing the necessary cybersecurity measures that mitigate the cyber threat and enhance national security today and into the future.