Building a Zero Trust mindset through education and technology

When the Biden administration released its Executive Order on Improving the Nation’s Cybersecurity (EO 14028) in 2021, it set off a chain of events that continues to influence federal cybersecurity initiatives today.

A key focus of EO 14028 is to modernize and enhance the federal government’s cybersecurity approach through the adoption and implementation of a Zero Trust Framework. To that end, the Office of Management and Budget issued a follow-up memo known as M-22-09. This memo “sets forth a Federal zero trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns.”

While the September 30th deadline has officially passed, federal agencies are still at varying stages of completion in their journey to meet the OMB’s standards. However, true Zero Trust is about more than checking off pre-defined regulatory requirements. Instead, agencies must work to establish a comprehensive Zero Trust mindset across all levels of the organization.

Zero Trust starts with education and is supported by product

To achieve a state of true Zero Trust, agencies must first understand that it’s not a one-size-fits-all solution. Instead, think of Zero Trust as a mindset that works together with technology, policy, and discipline to dynamically protect digital environments against emergent threats. While the principles of Zero Trust remain the same, the way in which those principles are implemented must be customized to fit the agency’s unique risks and mission needs.

At MDC, we work closely with clients to evaluate and implement Zero Trust solutions in their environments. We start by assessing the different pillars that feed into Zero Trust, such as identity, devices, networks, applications and workloads, and data. Then, once we’ve identified the risk areas and established a strategic Zero Trust vision, we build the technology architecture to match—testing multiple market solutions to ensure they deliver on the customer’s core security goals without impeding business productivity.

And while technology is certainly a key part of advancing Zero Trust implementation, the overarching strategic vision and internal user education are what really move the needle. Internal users at all levels must understand how their actions and choices can impact the agency’s security posture.

Take the growing trend of AI-enabled phishing scams, for example. These attacks are designed to prey on vulnerable users who don’t know how to recognize or respond to phishing attempts. AI may be able to create a highly convincing voicemail or email designed to trick victims into sharing their login credentials or clicking a malicious link, but if users have already been educated on the dangers of sharing their password online or opening attachments from unknown sources, then it doesn’t matter how convincing the AI is. The well-educated user is still less likely to become a source of insider risk. In addition to relying on internal users to be good stewards of Zero Trust, agencies can also use tools like multi-factor authentication (MFA) to enforce principles of least privilege access and explicit verification.

In addition, because a Zero Trust mindset requires that agencies assume breach, it’s important to have a well-socialized plan that shows users how to respond in the event of a suspected compromise. The reality of today’s security landscape is that no matter how careful you are, you will eventually be breached. However, the consequences of that breach are heavily influenced by how prepared you are to respond. Agencies must have a rigorous plan in place to detect, isolate, and remediate incoming threats. Otherwise, they run the risk of attackers moving unchecked throughout their environment.

Ultimately, Zero Trust is a modern security mindset that’s designed to adapt to our changing threat landscape with agility at scale. By creating a Zero Trust technology framework and educating internal users on the importance of least privilege access, explicit verification, and assuming breach, agencies can ensure they stay ahead of emerging technological risks and threats.