Zero Trust Memo From Executive Order 14028 (TL;DR Version)

Cyberattacks have increased significantly over the years. Emboldened by the easy access provided by remote workers connecting to unsecured networks, cyberattacks on corporate networks increased by 50 percent in 2021 compared to 2020. Those attacks were up by 47 percent in the government and military sectors. Recent research has also found that cybercriminals have become so sophisticated that they can penetrate 93 percent of corporate networks.

It is no surprise that President Joe Biden issued a Zero Trust executive order to protect federal government networks. On May 12, 2021, recognizing the dire situation, Executive Order (EO) 14028 was issued, focusing on protecting the U.S. from cybercriminals and cyberattacks. EO 14028 specifically recommends Zero Trust Architecture as necessary to defend the nation against threat actors. This post provides a summary of Executive Order 14028.

What Is Zero Trust Architecture (According to EO 14028)?

The Federal Government defines Zero Trust Architecture as a security model that acknowledges threats inside and outside networks. Instead of trusting any element, node, or service, Zero Trust requires everything to constantly be verified and authenticated. Essentially, Zero Trust lets users have full access, but only as much as needed, to do their jobs. This helps contain risk should a breach occur.

Additionally, Zero Trust assumes that a breach has happened or will happen. Hence, it embeds continuous security monitoring to look for suspicious activity. This is done through granular, risk-based access controls and security automation. Least-privileged access is applied for every access decision, keeping environments as locked down as possible.

Why Does the Federal Government Believe That Zero Trust Is the Future of Cybersecurity?

Cloud technology has become an integral part of business, even for the federal government. From software-as-a-service (SaaS) to platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS), more and more government agencies are reaping the benefits of the cloud.

However, migrating to the cloud comes with different risks, and the federal government is right to be concerned about malicious actors exploiting an access loophole in its systems. In 2020, a Russia-sponsored hack breached the Pentagon, intelligence agencies, nuclear labs, and even Fortune 500 companies, resulting in stolen information. The Department of Defense and Department of Homeland Security both had seemingly impenetrable cyber defenses, but a Trojan horse downloaded by users compromised the SolarWinds software being used.

To keep pace with these increasingly sophisticated cyberattacks, the federal government is modernizing its approach to cybersecurity. Assuming that a breach has already occurred or is likely to occur puts the government on the offensive. It allows it to proactively identify and mitigate risks before the next breach happens.

The Federal Government's Zero Trust Implementation Plan

As part of EO 14028, federal government agencies must take decisive steps to modernize their cybersecurity posture. Within 60 days, they had to develop a plan to implement Zero Trust architecture. This required incorporating migration steps laid out by the National Institute of Standards and Technology (NIST), which organizes cybersecurity capabilities into five functions: identify, protect, detect, respond, and recovery.

The ”protect” function is where Zero Trust Architecture comes in. Here, federal agencies must develop and implement safeguards to protect critical infrastructure. This includes identity management, authentication and access control, and data security.

From now on, all federal government agencies and contractors must adopt Zero Trust Architecture as they migrate to cloud technology.

3 Zero Trust Takeaways from Executive Order 14028

The federal government isn’t the only sector that can benefit from Zero Trust Architecture. As cybercriminals become more sophisticated, the Zero Trust executive order can be used as a springboard for organizations to protect their own infrastructure. Taking the first steps toward Zero Trust can help organizations of all sizes protect their sensitive data and minimize the fallout when a breach occurs. Here are three takeaways from EO 14028 for organizations looking at Zero Trust.

1. Implementing Zero Trust can be incremental

Organizations that might feel overwhelmed by Zero Trust don’t need to implement it all at once. Taking an incremental approach helps avoid high costs, confusion, and getting bogged down in administrative work – and lets organizations get started. They can build on those first steps to improve their cybersecurity postures almost immediately.

2. Zero Trust helps reduce security breaches

Because Zero Trust assumes breaches will occur and offers ways to mitigate the impact, it provides real benefits to organizations. Instead of focusing on the perimeter as traditional security architecture has done, Zero Trust plans for the inevitability of an attack. It looks inward at how users access systems and provides them with only what they need to do their jobs. It also requires constant, real-time authentication, limiting the likelihood of a breach.

3. Long-life credentials, passwords, and VPNs cease to exist

As part of Zero Trust, long-life credentials have become a thing of the past. Instead of giving users credentials that they can use long after they leave the company, users get access that is decommissioned once they’re done with the project. Instead of passwords that are vulnerable to phishing attacks, they receive tokens like PIV cards and Yubikeys, or leverage SSO from providers like Okta. And VPNs aren’t necessary because identity is the new perimeter and users are constantly authenticated.

How StrongDM Helps Organizations Adopt Zero Trust

Zero Trust means organizations shift from a reactive approach to cybersecurity to a proactive one. For Better, detecting suspicious behavior in real-time by using StrongDM allowed it to respond faster to incidents and provided peace of mind by logging every query and permission change. Suppose something suspicious does happen, such as a user query after hours or a lot of queries being made. In that case, the user can immediately be suspended before real damage can be done.

🕵 Learn how Better.com uses StrongDM to adopt Zero Trust access.

This is just one way that StrongDM helps organizations adopt a Zero Trust architecture. To learn more about how you can bring your Zero Trust aspirations to life, make sure to watch our Zero Trust Access Edition Webinar.