This content is written by Jim Richberg, the public sector CISO for Fortinet Federal.
The United States Federal government is massive and doesn’t typically make big changes with great speed, except in extreme situations. The fact that President Biden issued an Executive Order (EO) with specific timelines related to modernizing cybersecurity is an indication of just how critical changing and evolving the Federal Government’s security posture has become.
Recent high-profile cybersecurity breaches like the SolarWinds intrusion have led to the EO, which is a comprehensive plan to better secure Federal systems and protect critical infrastructure and data in the United States. Although the EO is focused on Federal systems and services the private sector provides to those networks, this infrastructure includes both public and private systems that are vital to national security and systems, which provide many essential services that underpin American society.
The EO accurately points out that “incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments.” But even the most lofty and laudable goals have to be broken down into manageable steps before anything can happen. The old saying about eating an elephant one bite at a time isn’t wrong. You have to start somewhere.
Start with Section 3
In the EO, Section 3 addresses modernizing Federal Government cybersecurity and cites a number of areas for improvement. Although the other sections of the EO are certainly important, taking the fundamental steps toward modernization outlined in Section 3 first can help move forward with progress on the requirements listed in the other sections as well.
At a high level, Section 3 of the EO states that agencies should accelerate migration to cloud technology, implement a zero-trust architecture, improve cloud security, multifactor authentication and data encryption, centralize and streamline access to cybersecurity data to drive analytics, and improve communication and training.
Although it may be tempting to look for “point” technical solutions for each area in isolation, trying to integrate solutions from multiple vendors can be problematic at best. Implementing a cybersecurity solution that is based on an ecosystem or platform approach to cybersecurity is likely to outperform non-platform point solutions because of the interoperability and synergy among solutions that a platform offers.
Fortunately, integrated solutions exist that can address each of the EO requirements: zero trust architecture, cloud security, multifactor authentication, and communication.
Zero Trust Architecture
In Section 3, it states that agencies must move to a zero-trust approach to security by implementing strong authentication capabilities, network access control technologies, and application access controls. Zero trust network access (ZTNA) entails controlling access to applications. ZTNA verifies and authenticates user and device identify before every application session to confirm that they meet the organization’s policy to access that application, and grants the least privilege necessary to perform the task at hand. A key element of the ZTNA concept is that access is independent of the location of the user. Users on the network should not enjoy any more trust than users who are located outside of the network perimeter or even working off the network. With ZTNA, the application access policy and verification process are the same in all cases.
Organizations should consider using firewall-based ZTNA because it consolidates and optimizes security operation and management in any environment, whether in the cloud, at the edge, or on-premises. This approach makes it possible to enforce a consistent access policy no matter where users, data, and computing resources may be located.
As more Federal agencies rely on cloud-based resources, cloud security has become a key issue. Users working from remote sites such as branch and field offices need to be able to connect quickly, easily, and reliably to agency networks and multiple-clouds. Secure Access Service Edge (SASE) combines network and security functions with WAN capabilities to extend networking and security capabilities, so users, no matter where they are located are protected by firewall as a service (FWaaS), secure web gateway (SWG), zero-trust network access (ZTNA), and threat detection functions. These protections can provide ‘work from anywhere’ capability to support hybrid operation by agencies and their employees.
Providing consistent, enterprise-grade protection across every network edge requires a security-driven networking strategy that combines security and networking functions into a unified solution. Solutions should be fast to deploy and intuitive to manage, while providing centralized visibility and control across distributed hybrid environments.
Multi-factor authentication (MFA) verifies the identity of a user by requiring them to provide multiple credentials before being granted access to network resources. With traditional password entry methods, a bad actor only has to figure out a username and password, which often are easy for hackers to acquire. MFA relies on the principle of ‘something you have plus something you know (like a UserID and password). Users must provide at least one form of identification based on something like a fob or token that generates a one-time code, making it more difficult for malicious actors to masquerade as a legitimate user. Without providing all of the required factors, the user would not be able to gain access. Combining MFA with ZTA restricts user access to only those assets required for the user or device to do their job, and nothing more.
Data Analytics, Communication and Training
To meet some of the EO’s requirements related to communication will require the intersection of increasingly mature artificial intelligence (AI) and machine learning (ML) with security platforms. An AI-enabled security platform can both minimize the likelihood of network penetration and limit the damage should a breach occur.
AI-powered instrumentation and advanced analytics can support a network of sensors that can identify normal and abnormal activity in real time, and even differentiate between merely abnormal and malicious activity. It turns what is often touted as one of cybersecurity’s greatest challenges—the growing size and complexity of the attack surface—into a net advantage, using this surface as a giant collection network capable of detecting would-be intruders before they succeed in penetrating their target. And because of its speed and accuracy, the use of AI and automation not only saves staff time, it has the potential to take away the attacker’s advantages of stealth and speed.
The smart use of AI/ML and automation can also help compensate for the cybersecurity workforce skills shortage that agencies continue to face. The improved visibility and control provided by an effective AI/ML implementation can be both global and granular, extending both around the world and down to the level of specific application processes running on a device.
Modernization Needs to Happen Now
Meeting the requirements laid out in the EO isn’t going to be easy, but it needs to happen. The best time to have modernized cybersecurity would have been years ago. The next best time is now. There’s no time to waste because cyberattacks are becoming more aggressive and more damaging every day. Hackers certainly aren’t delaying their activities and neither should we.
Cybersecurity for government: everywhere you need it. Learn more about protecting the possibilities with Fortinet Federal.