<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">
Curious about how StrongDM works? 🤔 Learn more here!
Close icon
Search bar icon

Zero Trust Memo From Executive Order 14028 (TL;DR Version)

Cyberattacks have increased significantly over the years. Emboldened by the easy access provided by remote workers connecting to unsecured networks, cyberattacks on corporate networks increased by 50 percent in 2021 compared to 2020. Those attacks were up by 47 percent in the government and military sectors. Recent research has also found that cybercriminals have become so sophisticated that they can penetrate 93 percent of corporate networks.

It is no surprise that President Joe Biden issued a Zero Trust executive order to protect federal government networks. On May 12, 2021, recognizing the dire situation, Executive Order (EO) 14028 was issued, focusing on protecting the U.S. from cybercriminals and cyberattacks. EO 14028 specifically recommends Zero Trust Architecture as necessary to defend the nation against threat actors. This post provides a summary of Executive Order 14028.

What Is Zero Trust Architecture (According to EO 14028)?

The Federal Government defines Zero Trust Architecture as a security model that acknowledges threats inside and outside networks. Instead of trusting any element, node, or service, Zero Trust requires everything to constantly be verified and authenticated. Essentially, Zero Trust lets users have full access, but only as much as needed, to do their jobs. This helps contain risk should a breach occur.

Additionally, Zero Trust assumes that a breach has happened or will happen. Hence, it embeds continuous security monitoring to look for suspicious activity. This is done through granular, risk-based access controls and security automation. Least-privileged access is applied for every access decision, keeping environments as locked down as possible.

Why Does the Federal Government Believe That Zero Trust Is the Future of Cybersecurity?

Cloud technology has become an integral part of business, even for the federal government. From software-as-a-service (SaaS) to platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS), more and more government agencies are reaping the benefits of the cloud.

However, migrating to the cloud comes with different risks, and the federal government is right to be concerned about malicious actors exploiting an access loophole in its systems. In 2020, a Russia-sponsored hack breached the Pentagon, intelligence agencies, nuclear labs, and even Fortune 500 companies, resulting in stolen information. The Department of Defense and Department of Homeland Security both had seemingly impenetrable cyber defenses, but a Trojan horse downloaded by users compromised the SolarWinds software being used.

To keep pace with these increasingly sophisticated cyberattacks, the federal government is modernizing its approach to cybersecurity. Assuming that a breach has already occurred or is likely to occur puts the government on the offensive. It allows it to proactively identify and mitigate risks before the next breach happens.

The Federal Government's Zero Trust Implementation Plan

As part of EO 14028, federal government agencies must take decisive steps to modernize their cybersecurity posture. Within 60 days, they had to develop a plan to implement Zero Trust architecture. This required incorporating migration steps laid out by the National Institute of Standards and Technology (NIST), which organizes cybersecurity capabilities into five functions: identify, protect, detect, respond, and recovery.

The ”protect” function is where Zero Trust Architecture comes in. Here, federal agencies must develop and implement safeguards to protect critical infrastructure. This includes identity management, authentication and access control, and data security.

From now on, all federal government agencies and contractors must adopt Zero Trust Architecture as they migrate to cloud technology.

3 Zero Trust Takeaways from Executive Order 14028

The federal government isn’t the only sector that can benefit from Zero Trust Architecture. As cybercriminals become more sophisticated, the Zero Trust executive order can be used as a springboard for organizations to protect their own infrastructure. Taking the first steps toward Zero Trust can help organizations of all sizes protect their sensitive data and minimize the fallout when a breach occurs. Here are three takeaways from EO 14028 for organizations looking at Zero Trust.

1. Implementing Zero Trust can be incremental

Organizations that might feel overwhelmed by Zero Trust don’t need to implement it all at once. Taking an incremental approach helps avoid high costs, confusion, and getting bogged down in administrative work – and lets organizations get started. They can build on those first steps to improve their cybersecurity postures almost immediately.

2. Zero Trust helps reduce security breaches

Because Zero Trust assumes breaches will occur and offers ways to mitigate the impact, it provides real benefits to organizations. Instead of focusing on the perimeter as traditional security architecture has done, Zero Trust plans for the inevitability of an attack. It looks inward at how users access systems and provides them with only what they need to do their jobs. It also requires constant, real-time authentication, limiting the likelihood of a breach.

3. Long-life credentials, passwords, and VPNs cease to exist

As part of Zero Trust, long-life credentials have become a thing of the past. Instead of giving users credentials that they can use long after they leave the company, users get access that is decommissioned once they’re done with the project. Instead of passwords that are vulnerable to phishing attacks, they receive tokens like PIV cards and Yubikeys, or leverage SSO from providers like Okta. And VPNs aren’t necessary because identity is the new perimeter and users are constantly authenticated.

How StrongDM Helps Organizations Adopt Zero Trust

Zero Trust means organizations shift from a reactive approach to cybersecurity to a proactive one. For Better, detecting suspicious behavior in real-time by using StrongDM allowed it to respond faster to incidents and provided peace of mind by logging every query and permission change. Suppose something suspicious does happen, such as a user query after hours or a lot of queries being made. In that case, the user can immediately be suspended before real damage can be done.

🕵 Learn how Better.com uses StrongDM to adopt Zero Trust access.

This is just one way that StrongDM helps organizations adopt a Zero Trust architecture. To learn more about how you can bring your Zero Trust aspirations to life, make sure to watch our Zero Trust Access Edition Webinar.

About the Author

, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Zero Trust vs. VPN: Key Differences Explained (Side-by-Side)
Zero Trust vs. VPN: Key Differences Explained (Side-by-Side)
Understanding the core differences between a Zero Trust architecture and a Virtual Private Network (VPN) is an important step in shaping your organization’s cybersecurity strategy. Zero Trust and VPNs offer distinct approaches to security; knowing their functionalities and security philosophies helps you understand when to select one or the other to protect your data effectively—a strategic necessity for robust cybersecurity.
NSA Zero Trust Maturity Guidance Explained (TL;DR Version)
NSA Zero Trust Maturity Guidance Explained (TL;DR Version)
StrongDM is pleased to see that, in April 2024, the National Security Agency of the United States, has released a Cybersecurity Information (CSI) sheet that recommends why and how organizations, public and private, should adopt the Zero Trust (ZT) security model for their data tier of infrastructure. At the core of the recommendations, an organization needs to know what data it possesses, how that data is being accessed, and how to control access to that data.
PAM Was Dead. StrongDM Just Brought it Back to Life.
PAM Was Dead. StrongDM Just Brought it Back to Life.
In essence, legacy PAM solutions over-index on access. StrongDM uses the principles of Zero Trust to evaluate and govern every action, no matter how minor - where each command, query, or configuration change is evaluated in real-time against dynamic policies that adapt to the context of the user, the sensitivity of the action, and the prevailing threat landscape.
Top 9 Zero Trust Security Solutions
Top 9 Zero Trust Security Solutions in 2024
Zero trust is a security and authentication model that eliminates the assumption of trust and shifts the focus from a traditional security parameter, like a VPN or firewall, to the individual user. Nearly all (92 percent) cybersecurity professionals agree that it’s the best network security approach that exists. In this article, we’ll evaluate the top nine zero trust solutions and help you decide which is right for your organization.
XZ Utils Backdoor Explained: How to Mitigate Risks
XZ Utils Backdoor Explained: How to Mitigate Risks
Last week, Red Hat issued a warning regarding a potential presence of a malicious backdoor in the widely utilized data compression software library XZ, which may affect instances of Fedora Linux 40 and the Fedora Rawhide developer distribution. CISA, or Cybersecurity & Infrastructure Security Agency, confirmed and issued an alert for the same CVE.