The recent SolarWinds, Microsoft Exchange, Ivanti Pulse Secure, and Colonial Pipeline attacks have demonstrated that traditional approaches to cybersecurity aren’t working. A robust security perimeter is no longer enough. As demonstrated in these large-scale and noteworthy attacks (as well as others), once inside the firewall, threat actors have been able to move about relatively unfettered within most networks. Things are about to change. On May 12, 2021, President Biden issued a sweeping executive order that, among other things, will rapidly accelerate the implementation of Zero Trust Architecture or “Zero Trust.”
ALWAYS VERIFY

About Zero Trust

As defined by NIST (SP 800-207), “Zero Trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated… The initial focus should be on restricting resources to those with a need to access and grant only the minimum privileges (e.g., read, write, delete) needed to perform the mission.” In short, Zero Trust is built around the concept of “never trust… always verify,” and then verify, verify, verify, and verify again.

 

BE PREPARED

Why Zero Trust Is Important for Every Organization

Today, most enterprise infrastructures are very complex, with multiple internal networks intertwined with cloud assets and services, along with remote workers, etc. Over the past decade or more, there has been a growing shift away from the old “moat and castle” approach to cybersecurity, as security teams have found legacy methods of perimeter-based security are less effective against increasingly sophisticated cyber-attacks. Organizations can no longer guard and protect their network perimeter alone and expect their networks to remain secure. To be prepared, these organizations and security professionals need to assume that their networks and systems are already compromised, and then focus on identifying and mitigating lateral, unhindered movement within their networks. Zero Trust was developed to address this very challenge, and the recent Executive Order is expected to accelerate its adoption, specifically requiring all U.S. Federal Agencies to meet various Zero Trust milestones over the next 60, 90, and 180 days.

60 Days for Agencies to Develop a Zero Trust Plan; CISA to Issue A Cloud Governance Framework

DUE JULY 11, 2021 – Agencies have 60 days from the date of the Executive Order to develop a plan to implement Zero Trust Architecture, including migration steps and schedules, prioritized based on the highest security impacts. Existing agency plans must be updated to prioritize adoption and use of cloud technology. Agency plans must be reported to the Director of OMB and the Assistant to the President and National Security Advisor (APNSA). CISA must also develop a cloud-service governance framework that identifies a range of services and protections available to agencies.

90 Days for Cloud Strategy and Technical Reference Architecture Documentation

DUE SEPTEMBER 24, 2021 – Agencies’ “migration to cloud technology shall adopt Zero Trust Architecture, as practicable.” E.O. Sect. 3(c). OMB, CISA, and GSA/FedRAMP have 90 days from the date of the Executive Order to develop a Federal cloud-security strategy and provide guidance to agencies accordingly. This guidance “shall seek to ensure that risks to the [Federal Civilian Executive Branch (FCEB)] from using cloud-based services are broadly understood and effectively addressed, and that FCEB Agencies move closer to Zero Trust Architecture.” E.O. Sect. 3(c)(i). In addition, OMB, CISA, and GSA/FedRAMP must “develop and issue for the FCEB, cloud-security technical reference architecture documentation that illustrates recommended approaches to cloud migration and data protection for agency data collection and reporting.” E.O. Sect. 3(c)(ii).

180 Days for Agencies to Adopt Multi-factor Authentication and Encryption

DUE NOVEMBER 8, 2021 – Agencies “shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”  To support this goal the EO states, “(i) Heads of FCEB Agencies shall provide reports to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA on their respective agency’s progress in adopting multifactor authentication and encryption of data at rest and in transit. Such agencies shall provide such reports every 60 days after the date of this order until the agency has fully adopted, agency-wide, multi-factor authentication and data encryption. (ii) Based on identified gaps in agency implementation, CISA shall take all appropriate steps to maximize adoption by FCEB Agencies of technologies and processes to implement multifactor authentication and encryption for data at rest and in transit. (iii) Heads of FCEB Agencies that are unable to fully adopt multi-factor authentication and data encryption within 180 days of the date of this order shall, at the end of the 180-day period, provide a written rationale to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA.”

 

NEXT STEPS

Where to Begin

Learn how S2 addresses the requirements outlined in the Executive Order:

  • Begin creating a Zero Trust Strategy today with our rapid implementation plan.

  • Establish and implement robust and consistent security for cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

  • Plan for and migrate to Zero Trust-ready Cloud Security Engineering and Architecture to meet NIST standards and anticipated federal government guidance.

  • Implement and validate encryption standards, including network-wide multifactor authentication.

  • Implement automation and orchestration to enforce Zero Trust principles.

  • Implement an identity access management (IAM or IdAM) and privileged access management (PAM) solution.

  • Enhance software supply chain security.

  • Protect the integrity of critical software that performs functions critical to trust.

Learn More About How We May Help Your Organization

Contact us today to gain a partner for your Zero Trust initiatives.
