
Zero Trust Memo From Executive Order 14028 (TL;DR Version)

Cyberattacks have increased significantly over the years. Emboldened by the easy access provided by remote workers connecting to unsecured networks, cyberattacks on corporate networks increased by 50 percent in 2021 compared to 2020. Those attacks were up by 47 percent in the government and military sectors. Recent research has also found that cybercriminals have become so sophisticated that they can penetrate 93 percent of corporate networks.

It is no surprise that President Joe Biden issued a Zero Trust executive order to protect federal government networks. Recognizing the dire situation, the administration issued Executive Order (EO) 14028 on May 12, 2021, focusing on protecting the U.S. from cybercriminals and cyberattacks. EO 14028 specifically recommends Zero Trust Architecture as necessary to defend the nation against threat actors. This post provides a summary of Executive Order 14028.

What Is Zero Trust Architecture (According to EO 14028)?

The Federal Government defines Zero Trust Architecture as a security model that acknowledges threats inside and outside networks. Instead of trusting any element, node, or service, Zero Trust requires everything to be constantly verified and authenticated. Essentially, Zero Trust gives users only as much access as they need to do their jobs. This helps contain risk should a breach occur.

Additionally, Zero Trust assumes that a breach has happened or will happen. Hence, it embeds continuous security monitoring to look for suspicious activity. This is done through granular, risk-based access controls and security automation. Least-privilege access is applied to every access decision, keeping environments as locked down as possible.

Why Does the Federal Government Believe That Zero Trust Is the Future of Cybersecurity?

Cloud technology has become an integral part of business, even for the federal government. From software-as-a-service (SaaS) to platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS), more and more government agencies are reaping the benefits of the cloud.

However, migrating to the cloud comes with different risks, and the federal government is right to be concerned about malicious actors exploiting an access loophole in its systems. In 2020, a Russia-sponsored hack breached the Pentagon, intelligence agencies, nuclear labs, and even Fortune 500 companies, resulting in stolen information. The Department of Defense and the Department of Homeland Security both had seemingly impenetrable cyber defenses, but a Trojan horse downloaded by users compromised the SolarWinds software they were running.

To keep pace with these increasingly sophisticated cyberattacks, the federal government is modernizing its approach to cybersecurity. Assuming that a breach has already occurred or is likely to occur puts the government on the offensive. It allows it to proactively identify and mitigate risks before the next breach happens.

The Federal Government's Zero Trust Implementation Plan

As part of EO 14028, federal government agencies must take decisive steps to modernize their cybersecurity posture. Within 60 days, they had to develop a plan to implement Zero Trust Architecture. This required incorporating migration steps laid out by the National Institute of Standards and Technology (NIST), which organizes cybersecurity capabilities into five functions: identify, protect, detect, respond, and recover.

The “protect” function is where Zero Trust Architecture comes in. Here, federal agencies must develop and implement safeguards to protect critical infrastructure. This includes identity management, authentication and access control, and data security.

From now on, all federal government agencies and contractors must adopt Zero Trust Architecture as they migrate to cloud technology.

3 Zero Trust Takeaways from Executive Order 14028

The federal government isn’t the only sector that can benefit from Zero Trust Architecture. As cybercriminals become more sophisticated, the Zero Trust executive order can be used as a springboard for organizations to protect their own infrastructure. Taking the first steps toward Zero Trust can help organizations of all sizes protect their sensitive data and minimize the fallout when a breach occurs. Here are three takeaways from EO 14028 for organizations looking at Zero Trust.

1. Implementing Zero Trust can be incremental

Organizations that might feel overwhelmed by Zero Trust don’t need to implement it all at once. Taking an incremental approach helps avoid high costs, confusion, and getting bogged down in administrative work – and lets organizations get started. They can build on those first steps to improve their cybersecurity postures almost immediately.

2. Zero Trust helps reduce security breaches

Because Zero Trust assumes breaches will occur and offers ways to mitigate the impact, it provides real benefits to organizations. Instead of focusing on the perimeter as traditional security architecture has done, Zero Trust plans for the inevitability of an attack. It looks inward at how users access systems and provides them with only what they need to do their jobs. It also requires constant, real-time authentication, limiting the likelihood of a breach.

3. Long-life credentials, passwords, and VPNs cease to exist

As part of Zero Trust, long-life credentials have become a thing of the past. Instead of giving users credentials that they can use long after they leave the company, users get access that is decommissioned once they’re done with the project. Instead of passwords that are vulnerable to phishing attacks, they receive tokens like PIV cards and YubiKeys, or leverage SSO from providers like Okta. And VPNs aren’t necessary because identity is the new perimeter and users are constantly authenticated.

How StrongDM Helps Organizations Adopt Zero Trust

Zero Trust means organizations shift from a reactive approach to cybersecurity to a proactive one. For Better.com, detecting suspicious behavior in real time with StrongDM allowed it to respond faster to incidents and provided peace of mind by logging every query and permission change. Suppose something suspicious does happen, such as a user query after hours or a large number of queries being made. In that case, the user can immediately be suspended before real damage is done.
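The two signals mentioned above, queries outside business hours and a burst of many queries, can be expressed as simple rules over an audit log. The following is an added example written for this post, not StrongDM's own code: the log line format, the business-hours range, the burst window and the limit of 20 queries per window are all constructed assumptions, and the sample log is invented.

```python
"""Added example (not StrongDM code): flag after-hours queries and query bursts
in an access audit log and name the users that should be suspended for review.
Log format, business hours and thresholds below are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BUSINESS_HOURS = range(9, 18)        # assumption: 09:00-17:59 local time is normal
BURST_WINDOW = timedelta(minutes=5)  # assumption: sliding window for burst detection
BURST_LIMIT = 20                     # assumption: more than this many queries per window is a burst

# Constructed sample audit lines: "<ISO timestamp> <user> <action> <resource>".
# alice: normal daytime use; bob: one query at 02:41; dave: 25 queries in 48 seconds.
SAMPLE_LOG = [
    "2024-03-04T10:15:02 alice query billing-db",
    "2024-03-04T10:16:10 alice query billing-db",
    "2024-03-04T02:41:33 bob query billing-db",
    "2024-03-04T14:00:00 carol grant alice billing-db",  # permission change, not a query
] + [f"2024-03-04T11:00:{s:02d} dave query customer-db" for s in range(0, 50, 2)]


def parse(line):
    """Split one audit line into (timestamp, user, action, resource)."""
    ts, user, action, resource = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, resource


def analyze(lines):
    """Return {user: set of rule names} for users whose query pattern matched a rule."""
    # Sort by timestamp so out-of-order delivery does not break the sliding window.
    events = sorted(parse(line) for line in lines if line.strip())
    findings = defaultdict(set)
    recent = defaultdict(deque)  # per-user timestamps that fall inside BURST_WINDOW
    for ts, user, action, resource in events:
        if action != "query":
            continue  # only query activity feeds these two rules
        if ts.hour not in BUSINESS_HOURS:
            findings[user].add("after-hours query")
        window = recent[user]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:
            window.popleft()  # drop timestamps that aged out of the window
        if len(window) > BURST_LIMIT:
            findings[user].add("query burst")
    return dict(findings)


def users_to_suspend(lines):
    """Users with at least one finding, sorted for stable reporting."""
    return sorted(analyze(lines))


if __name__ == "__main__":
    for user, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{user}: {', '.join(sorted(reasons))}")
```

Run on the constructed log, the rules flag bob for the after-hours query and dave for the burst, while alice's daytime queries and carol's permission change produce no finding. In a real deployment the suspension itself would be a call into the access platform; here the function only returns the list so a reviewer can confirm before acting.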

🕵 Learn how Better.com uses StrongDM to adopt Zero Trust access.

This is just one way that StrongDM helps organizations adopt a Zero Trust architecture. To learn more about how you can bring your Zero Trust aspirations to life, make sure to watch our Zero Trust Access Edition Webinar.

About the Author

, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.
