It’s official: our country’s agencies need to improve their cybersecurity. Don’t just take it from us—that directive comes straight from the White House.
Executive Order (EO) 14028, issued on May 12, 2021, states that the government will officially embrace a policy of making comprehensive improvements to the nation’s cybersecurity to protect the government’s most sensitive infrastructure. That policy extends beyond public agencies to any contractors, non-profits, or other private companies that provide services for the federal government.
As the EO explains, “Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
One of the main components of the EO is accelerating the move of government systems to secure cloud services while adopting a Zero Trust Architecture model. In the order’s framing, security must be built into digital services from the ground up. Note that Zero Trust does not mean a hardened perimeter: the model assumes no request is trustworthy because of where it comes from, and verifies each one instead.
Many agencies were already moving to a Zero Trust environment, but they regularly face challenges in actually implementing the strategy. The following information can help agencies, contractors, and other organizations understand what they need to do to comply with the EO and what practices make establishing Zero Trust policies easier.
What Are the Main Directives of the May 2021 Executive Order on Cybersecurity?
The main points of the EO (read it here) include:
- Section 1: The federal government aims to make bold changes and significant investments in cybersecurity, instead of small incremental changes or band-aids.
- Section 2: Remove barriers to sharing threat information among agencies and contractors, providing more effective defense measures against emerging threats.
- Section 3: Modernize the government’s approach to cybersecurity while protecting privacy and civil liberties. This includes advancing toward Zero Trust Architecture and multifactor authentication.
- Section 4: Enhance the security of the software supply chain, including software the government buys and uses.
- Section 5: Establish a cyber safety review board.
- Section 6: Standardize the government’s response to cybersecurity vulnerabilities and incidents.
- Section 7: Improve detection of cybersecurity vulnerabilities and incidents on federal government networks.
- Section 8: Improve the federal government’s investigative and remediation capabilities.
Many of these best practices were covered in more detail in a subsequent memorandum published by the Office of Management & Budget (OMB), the office that coordinates compliance among various public entities and public/private partnerships.
The memo (M-21-30, Protecting Critical Software Through Enhanced Security Measures) pertains to “EO-critical software”: any software that runs with elevated privilege, has “direct or privileged access to networking or computing resources”, or otherwise “performs a function critical to trust.” Within these guidelines, the OMB memo names identity, credential, and access management (ICAM) among the first categories of software that must be covered, making ICAM a central component of protecting the integrity of sensitive infrastructure while any software is being used.
In other words: Zero Trust is going to be the gold standard to work toward moving forward, and identity and access management (IAM) is going to be the tip of the spear when it comes to implementation.
Challenges Agencies Face When Increasing Cybersecurity Through Zero Trust
One major challenge organizations face: Zero Trust is not a single technology or product. You can’t go out and buy Zero Trust. It’s more of a strategy or approach for improving cybersecurity through a combination of components, including identity and access management. Reaching Zero Trust requires careful thought regarding information architectures as well as how ICAM is handled through every process or service request.
What, exactly, does Zero Trust look like? A Zero Trust Architecture (ZTA) is a security model in which no user, device, or service is trusted because of its network location. Every access request to a resource is authenticated and authorized, no matter who is asking or where they are connecting from, including from inside the agency’s own network.
The criteria used to allow access should be based on multiple factors, not just the user’s credentials but the context of the request: the device in use and its security posture, the location and time of the request, and how those compare with the user’s normal pattern. For example, a user with the correct username and password should be required to perform a step-up authentication if they access a system using an unfamiliar device from a location halfway across the world from where they usually work.
This is different from past IT mindsets, where implicit trust was placed in users based on their presence on the network. Once a user had logged into the general system where they worked, they might well have been permitted access to further systems or functions on the strength of that one login. In Zero Trust, each access request is evaluated on its own, authenticated and authorized against current policy, rather than inheriting trust from an earlier login.
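The contrast above, as an added example that is not part of the original post and is not any vendor’s code: a small policy decision function that evaluates every request using the user’s credentials, the role the resource requires, the device’s posture and the request’s location, and returns allow, step-up or deny. The legacy function beside it shows the implicit-trust model it replaces. The data classes, risk weights, thresholds and sample users are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # grant only after a stronger factor is presented
    DENY = "deny"


@dataclass(frozen=True)
class Subject:
    user: str
    password_ok: bool         # primary factor, verified by the IdP for this request
    mfa_verified: bool        # second factor presented with this request
    roles: frozenset
    usual_country: str        # where this user normally works (assumed attribute)


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled in the agency's device inventory / MDM
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    resource: str
    required_role: str
    country: str              # geolocation of the request's source address


# Assumed risk weights and thresholds; a real policy engine tunes these per resource.
RISK_UNMANAGED_DEVICE = 25
RISK_UNUSUAL_COUNTRY = 25
RISK_OS_UNPATCHED = 20
RISK_NO_DISK_ENCRYPTION = 20
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


def legacy_allow(session_logged_in: bool, req: Request) -> bool:
    """Pre-Zero-Trust mindset: one successful login implicitly grants every
    resource reachable from the network, whatever the device, location or role."""
    return session_logged_in


def risk_score(subject: Subject, device: Device, req: Request) -> int:
    """Context of this request, independent of whether the password was right."""
    score = 0
    if not device.managed:
        score += RISK_UNMANAGED_DEVICE
    if req.country != subject.usual_country:
        score += RISK_UNUSUAL_COUNTRY
    if not device.os_patched:
        score += RISK_OS_UNPATCHED
    if not device.disk_encrypted:
        score += RISK_NO_DISK_ENCRYPTION
    return score


def evaluate(subject: Subject, device: Device, req: Request) -> Decision:
    """Zero Trust: every request is authenticated and authorized on its own."""
    if not subject.password_ok:
        return Decision.DENY
    # Least privilege: authorization is checked per resource, not per session.
    if req.required_role not in subject.roles:
        return Decision.DENY
    score = risk_score(subject, device, req)
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    if score >= STEP_UP_THRESHOLD and not subject.mfa_verified:
        return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    alice = Subject("alice", True, False, frozenset({"finance"}), "US")
    laptop = Device("LT-0042", True, True, True)       # known, healthy device
    loaner = Device("unknown", False, True, True)      # never seen before
    payroll = Request("payroll-db", "finance", "US")
    far_away = Request("payroll-db", "finance", "NZ")
    print(legacy_allow(True, far_away))       # True: the old login is enough
    print(evaluate(alice, laptop, payroll))   # Decision.ALLOW
    print(evaluate(alice, loaner, far_away))  # Decision.STEP_UP
```

The same user on a known, patched, encrypted device from their usual country is allowed outright; on an unfamiliar device from the far side of the world the request is held for step-up; an unmanaged, unpatched, unencrypted device is denied regardless of a correct password, and so is any request for a resource the user’s role does not cover.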
There’s a good reason for the change: an attacker who has compromised a single account or device is already inside the network, and implicit trust lets them move laterally from there. Further, many users are exposed while accessing internal systems from remote sites or from a variety of devices. With an increasing volume of remote work, users can be acting in good faith yet still unintentionally compromise the systems they access. A recent report from the U.S. Justice Department identified that hundreds of devices and individual accounts across the global energy sector were targeted by hackers from 2012 to 2018. Zero Trust means ensuring not only that individuals accessing a system are who they say they are, but also that the access points they use don’t carry blanket permissions without diligent IAM checks every step of the way. Otherwise, granting them permissions could also be granting permissions to malware and other hacking or spying tools at the same time.
The directive presents another challenge: complex governance and management require all permissions and access privilege levels to be thoroughly understood. Every part of the network that requires identity to function must be documented, and the new ZTA must acknowledge these complexities and be capable of managing them across various software and systems.
Part of the shift towards ZTA means organizations need to get the right people in the room who can approve the overarching revisions across these various points, including the CIO, the CFO, and other high-level players. Only with their buy-in can the organization comprehend every facet of ICAM, which then enables it to enforce least privilege consistently so that no system is left carrying legacy, blanket trust.
Other Challenges to Modernizing Cybersecurity
Federal agencies and their partners face many other challenges on top of those mentioned above. One of the most common is that they will have multiple applications active over a hybrid infrastructure—e.g. activities that go through private hosted networks, multiple on-prem sites, and shared cloud functions (AWS, etc.). Data may also be siloed across multiple legacy apps and repositories, accumulated over years of operation.
Employees and contractors will also need to be able to access apps from multiple locations. Gone are the days of everyone sitting in one building operating on a secure network behind the firewall!
The further these activities spread and the more systems they touch, the more identity sprawl grows: the same person ends up represented by separate, inconsistently maintained accounts and attributes in many systems, and nobody holds a complete picture. Identity sprawl and technical debt create a larger attack surface and leave systems vulnerable.
Time-to-implement and scalability present further challenges. Many solutions can take months or years to implement, and might not work across the entire infrastructure. However, there are alternatives that can be implemented relatively quickly to provide comprehensive security through all points of ICAM. These include Radiant Logic’s Identity Data Fabric, which unifies all sources of identity data to lay the foundation for successful ZTA implementations.
Solution: Identity Management with Zero Trust Architecture
The above challenges collectively compel agencies to modernize cybersecurity with optimized identity data management and implement ZTA.
With ZTA, the approach shifts from network- or system-based security to identity-based security. Retooling your infrastructure to support that shift can be done with an identity data platform that unifies many sources to create a complete picture of every user, all from one place. Moving to the cloud is speeding up the process, since cloud services already authenticate and authorize each request rather than trusting a network location, and modern identity tooling adds momentum, speed, and agility.
The ability to register and find the needed identity data on subjects, assets, and resources is the key to enhanced identity governance and a Zero Trust Architecture.
“A Zero Trust approach relies on a strong identity foundation,” says Wade Ellery, VP of Solution Architects, and Radiant Logic’s technical lead on the NCCoE project. “We believe that offering a single pane of glass for context-driven identity data will accelerate interoperability and eliminate identity integration challenges, making identity an enabler of a secure enterprise architecture instead of a risk vector.”
Organizations need to be able to safely connect subjects and resources when needed, no matter where they are. Yet with data spread across your organization, there’s often no unified source or list of users. To remedy this, organizations need a way to authenticate users throughout the infrastructure and pull data from many endpoints and domains. They should be able to do so, with minimal latency, to ensure user access is appropriate without generating friction every step of the way.
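The unification described above (and the identity sprawl discussed earlier), as an added illustration that is not part of the original post and is not the RadiantOne platform or any vendor’s code: three constructed identity silos with different schemas are normalized and correlated on e-mail into one view, which then exposes risks no single silo shows (a terminated employee who still holds a privileged AD account, accounts with no HR owner) and serves an application-specific projection of just the users and attributes that application needs. The field names, the correlation rule and the sample records are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample data (not real records): an HR system, an Active
# Directory export and a cloud IdP, each with its own field names.
HR = [
    {"emp_id": "E100", "email": "A.Smith@example.gov", "status": "active", "dept": "Finance"},
    {"emp_id": "E101", "email": "b.jones@example.gov", "status": "terminated", "dept": "IT"},
    {"emp_id": "E102", "email": "c.lee@example.gov", "status": "active", "dept": "Ops"},
]
AD = [
    {"sAMAccountName": "asmith", "mail": "a.smith@example.gov", "memberOf": ["Finance-Users"]},
    {"sAMAccountName": "bjones", "mail": "b.jones@example.gov", "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc-backup", "mail": None, "memberOf": ["Backup Operators"]},
]
CLOUD_IDP = [
    {"userName": "a.smith@example.gov", "groups": ["finance-app"]},
    {"userName": "c.lee@example.gov", "groups": ["ops-app"]},
    {"userName": "d.kim@example.gov", "groups": ["ops-app"]},
]


@dataclass
class UnifiedIdentity:
    key: str                                                # normalized correlation key
    sources: Dict[str, dict] = field(default_factory=dict)  # source name -> raw record
    groups: Set[str] = field(default_factory=set)           # union of entitlements
    hr_status: Optional[str] = None                         # authoritative lifecycle state


def normalize_email(value: Optional[str]) -> Optional[str]:
    """Sources disagree on case and whitespace; the correlation key must not."""
    return value.strip().lower() if value else None


def correlate(hr: List[dict], ad: List[dict], cloud: List[dict]) -> Dict[str, UnifiedIdentity]:
    """Join the silos on e-mail (assumed correlation rule). AD accounts without a
    mail attribute get a source-scoped key so they are kept, not silently dropped."""
    people: Dict[str, UnifiedIdentity] = {}

    def entry(key: str) -> UnifiedIdentity:
        return people.setdefault(key, UnifiedIdentity(key=key))

    for rec in hr:
        u = entry(normalize_email(rec["email"]))
        u.sources["hr"] = rec
        u.hr_status = rec["status"]
    for rec in ad:
        key = normalize_email(rec["mail"]) or "ad:" + rec["sAMAccountName"]
        u = entry(key)
        u.sources["ad"] = rec
        u.groups.update(rec["memberOf"])
    for rec in cloud:
        u = entry(normalize_email(rec["userName"]))
        u.sources["cloud"] = rec
        u.groups.update(rec["groups"])
    return people


def findings(people: Dict[str, UnifiedIdentity]) -> List[tuple]:
    """Risks invisible in any one silo and visible only in the unified view."""
    out = []
    for key, u in people.items():
        if u.hr_status == "terminated" and len(u.sources) > 1:
            out.append(("terminated-but-still-provisioned", key))
        if "hr" not in u.sources:
            out.append(("no-hr-owner", key))
    return sorted(out)


def view_for_app(people: Dict[str, UnifiedIdentity], group: str) -> List[str]:
    """Per-application projection: only people active in HR and in the group the
    application cares about, exposing only the one attribute it needs."""
    return sorted(k for k, u in people.items()
                  if u.hr_status == "active" and group in u.groups)


if __name__ == "__main__":
    people = correlate(HR, AD, CLOUD_IDP)
    for kind, who in findings(people):
        print(kind, who)
    print(view_for_app(people, "finance-app"))
```

Run as-is, the correlation turns eight records in three silos into five identities, flags the terminated IT employee who still sits in Domain Admins, and flags the backup service account and the cloud-only user that no HR record owns; the projection for the finance application returns only the one active finance user.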
Zero Trust and Identity Unification Go Hand-in-Hand
Implementing Zero Trust—and fulfilling the mandates of the EO—may seem like a daunting task. For Zero Trust to be effective, identity data must be highly available, scalable, normalized, richly correlated, and updated in real-time.
The RadiantOne Intelligent Identity Data Platform is designed to fit all of these criteria. With our RadiantOne platform, you can unify your identity stores and implement a single source of ICAM quickly. These advantages will speed and enrich an organization’s ZTA deployment.
The RadiantOne Intelligent Identity Data Platform is the industry’s first and only Identity Data Fabric. The platform doesn’t create another silo. Instead, it unifies all identity data from across an organization and the various technologies it uses. This distributed identity data can be brought together, creating a comprehensive list of all ICAM data and a single point to manage ICAM activities.
These advantages mean that organizations can create a flexible and reusable resource for ICAM while delivering the needed identity-adjacent services on-demand. Your identity data will be secure and available in exactly the set of users, attributes, format, structure, schema, and protocol each application developer needs.
The RadiantOne Intelligent Identity Data Platform can be implemented at any time, with minimal startup. Unlike many other projects, such as AD migration or duplication, implementation can take a matter of weeks, not months (or years). The rapid onboarding won’t disrupt existing processes or services. It’s vendor-, protocol-, and tool-agnostic, so you won’t have to “rip and replace” other apps. Instead, it sits cleanly on top of all IAM-facing systems, bringing them together for one consolidated point of control.
Once the identity data has been unified, the collective repository can be used many times. Identity information also doesn’t need to be duplicated multiple times across several systems. The flexibility offers the perfect launching pad not just for Zero Trust but also for other initiatives, like Single Sign-On (SSO).
Setting Public Agencies and Their Partners up for ZTA Success
Implementing Zero Trust is complex in all contexts, but it is now the preferred default state for software used by public agencies. The faster your digital transformation towards this end, the more secure your environment.
Want to know more about how the public sector can adopt a Zero Trust Architecture model for your government-facing projects? Watch our on-demand video: Experts: You’re Closer to Zero Trust than You Think, or contact us today for a demo.