<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Struggling to implement least privilege in your organization? Join StrongDM featuring Forrester for this upcoming webinar. Register now!

Zero Trust Memo From Executive Order 14028 (TL;DR Version)

Cyberattacks have increased significantly over the years. Emboldened by the easy access provided by remote workers connecting to unsecured networks, cyberattacks on corporate networks increased by 50 percent in 2021 compared to 2020. Those attacks were up by 47 percent in the government and military sectors. Recent research has also found that cybercriminals have become so sophisticated that they can penetrate 93 percent of corporate networks.

It is no surprise that President Joe Biden issued a Zero Trust executive order to protect federal government networks. On May 12, 2021, recognizing the dire situation, Executive Order (EO) 14028 was issued, focusing on protecting the U.S. from cybercriminals and cyberattacks. EO 14028 specifically recommends Zero Trust Architecture as necessary to defend the nation against threat actors. This post provides a summary of Executive Order 14028.

What Is Zero Trust Architecture (According to EO 14028)?

The Federal Government defines Zero Trust Architecture as a security model that acknowledges threats inside and outside networks. Instead of trusting any element, node, or service, Zero Trust requires everything to constantly be verified and authenticated. Essentially, Zero Trust lets users have full access, but only as much as needed, to do their jobs. This helps contain risk should a breach occur.

Additionally, Zero Trust assumes that a breach has happened or will happen. Hence, it embeds continuous security monitoring to look for suspicious activity. This is done through granular, risk-based access controls and security automation. Least-privileged access is applied for every access decision, keeping environments as locked down as possible.

Why Does the Federal Government Believe That Zero Trust Is the Future of Cybersecurity?

Cloud technology has become an integral part of business, even for the federal government. From software-as-a-service (SaaS) to platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS), more and more government agencies are reaping the benefits of the cloud.

However, migrating to the cloud comes with different risks, and the federal government is right to be concerned about malicious actors exploiting an access loophole in its systems. In 2020, a Russia-sponsored hack breached the Pentagon, intelligence agencies, nuclear labs, and even Fortune 500 companies, resulting in stolen information. The Department of Defense and Department of Homeland Security both had seemingly impenetrable cyber defenses, but a Trojan horse downloaded by users compromised the SolarWinds software being used.

To keep pace with these increasingly sophisticated cyberattacks, the federal government is modernizing its approach to cybersecurity. Assuming that a breach has already occurred or is likely to occur puts the government on the offensive. It allows it to proactively identify and mitigate risks before the next breach happens.

The Federal Government's Zero Trust Implementation Plan

As part of EO 14028, federal government agencies must take decisive steps to modernize their cybersecurity posture. Within 60 days, they had to develop a plan to implement Zero Trust architecture. This required incorporating migration steps laid out by the National Institute of Standards and Technology (NIST), which organizes cybersecurity capabilities into five functions: identify, protect, detect, respond, and recovery.

The ”protect” function is where Zero Trust Architecture comes in. Here, federal agencies must develop and implement safeguards to protect critical infrastructure. This includes identity management, authentication and access control, and data security.

From now on, all federal government agencies and contractors must adopt Zero Trust Architecture as they migrate to cloud technology.

3 Zero Trust Takeaways from Executive Order 14028

The federal government isn’t the only sector that can benefit from Zero Trust Architecture. As cybercriminals become more sophisticated, the Zero Trust executive order can be used as a springboard for organizations to protect their own infrastructure. Taking the first steps toward Zero Trust can help organizations of all sizes protect their sensitive data and minimize the fallout when a breach occurs. Here are three takeaways from EO 14028 for organizations looking at Zero Trust.

1. Implementing Zero Trust can be incremental

Organizations that might feel overwhelmed by Zero Trust don’t need to implement it all at once. Taking an incremental approach helps avoid high costs, confusion, and getting bogged down in administrative work – and lets organizations get started. They can build on those first steps to improve their cybersecurity postures almost immediately.

2. Zero Trust helps reduce security breaches

Because Zero Trust assumes breaches will occur and offers ways to mitigate the impact, it provides real benefits to organizations. Instead of focusing on the perimeter as traditional security architecture has done, Zero Trust plans for the inevitability of an attack. It looks inward at how users access systems and provides them with only what they need to do their jobs. It also requires constant, real-time authentication, limiting the likelihood of a breach.

3. Long-life credentials, passwords, and VPNs cease to exist

As part of Zero Trust, long-life credentials have become a thing of the past. Instead of giving users credentials that they can use long after they leave the company, users get access that is decommissioned once they’re done with the project. Instead of passwords that are vulnerable to phishing attacks, they receive tokens like PIV cards and Yubikeys, or leverage SSO from providers like Okta. And VPNs aren’t necessary because identity is the new perimeter and users are constantly authenticated.

How StrongDM Helps Organizations Adopt Zero Trust

Zero Trust means organizations shift from a reactive approach to cybersecurity to a proactive one. For Better, detecting suspicious behavior in real-time by using StrongDM allowed it to respond faster to incidents and provided peace of mind by logging every query and permission change. Suppose something suspicious does happen, such as a user query after hours or a lot of queries being made. In that case, the user can immediately be suspended before real damage can be done.

🕵 Learn how Better.com uses StrongDM to adopt Zero Trust access.

This is just one way that StrongDM helps organizations adopt a Zero Trust architecture. To learn more about how you can bring your Zero Trust aspirations to life, make sure to watch our Zero Trust Access Edition Webinar.

About the Author

, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

CISA Zero Trust Maturity Model
CISA Zero Trust Maturity Model (TL;DR Version)
In the 1990s, the TV series “The X-Files” made the phrase “Trust No One” popular. Now, with cybercrime increasing at an alarming rate, “trust no one” – or Zero Trust – is a phrase echoing through enterprises. In 2021, the average number of cyberattacks and data breaches increased by 15.1%. That same year, the U.S. government spent $8.64 billion of its $92.17 billion IT budget to combat cybercrime. It also released the CISA Zero Trust Maturity Model.
DoD Zero Trust Strategy Explained (TL;DR Version)
DoD Zero Trust Strategy Explained (TL;DR Version)
On the heels of President Joe Biden’s Executive Order (EO) 14028, the memo recommending Zero Trust Architecture to protect US government computers, the US Department of Defense (DoD) issued its own Department of Defense Zero Trust Strategy. Published in October 2022, the DoD Zero Trust Strategy addresses the rapid growth of cyber threats and the need for an enhanced cybersecurity framework.
Zero Trust vs. SASE: Everything You Need to Know
Zero Trust vs. SASE: Everything You Need to Know
Concerned about providing secure access to the data and tools employees need to do their jobs in a cloud or hybrid environment? Don’t worry. Solid strategies exist for protecting distributed resources. Zero Trust and SASE are two architectural approaches that provide strong security in today’s cloud-first world. The information in this article will help you decide which strategy works best for your business. Robust cloud security is attainable.
Have You Nailed Zero Trust (Webinar)
Have You Nailed Zero Trust?
Recipe for Zero Trust is just 7 ingredients. Where does it go wrong? Why is it so hard to nail? This webinar breaks it down in simple steps.
What is an Attack Vector? 15 Common Attack Vectors to Know
What is an Attack Vector? 15 Common Attack Vectors to Know
In this article, we’ll take a deep dive into attack vectors. You’ll learn what they are, the most common types, how they’re used, and why hackers continually use them to exploit vulnerabilities. By the end of this article, you'll have a thorough understanding of the fifteen most common types of attack vectors and what you can do to prevent your organization from falling victim to them.