Cyber EO One Year Later: Implementing Holistic Zero Trust Security

In May 2021, President Biden issued the sweeping Executive Order on Improving the Nation’s Cybersecurity (cyber EO), which included 11 sections of information, guidance, and mandates designed to push Federal agencies to improve their cybersecurity posture and modernize their infrastructure to protect the American people and our nation’s sensitive information and assets. Many of the mandates involve implementing a zero trust architecture.

MeriTalk recently sat down with Fortinet’s Jim Richberg, public sector CISO, Peter Newton, senior director, product marketing, and Fortinet Federal’s Felipe Fernandez, senior director, system engineering, to gain their insights into how Federal technology teams can integrate all of the components of a zero trust architecture to achieve holistic cybersecurity in a cloud, hybrid, or closed environment.

CDM — Fulfill that mission while accelerating innovation. Learn more.

MeriTalk: We are nearing the one-year anniversary of President Biden’s cyber EO. What has been the biggest impact or change to Federal cybersecurity practices that you’ve seen over the past year as agencies work toward meeting the mandates in the EO?

Richberg: Based on my 35 years of working in the public sector, what is significant about the cyber EO is that it really got the agencies and the vendor community focused and aligned on technology solutions in a way that you don’t typically see in government. While there are dozens of action items in the EO, most of them relate to building a zero trust architecture. The government quickly put out a strategy, technical reference architectures, a maturity model, and shared capabilities information to guide agencies on the path to implementing zero trust principles. Those things also guided the vendor community to develop the technology solutions that would help agencies achieve the EO mandates.

Fernandez: The EO also addresses some of the questions raised by technology teams throughout the years that have worked through the National Institute of Standards and Technology (NIST) and Federal Information Security Management Act (FISMA) compliance. Being compliant didn’t necessarily equate to being secure. With the EO and its zero trust architecture, compliance now is security. Because of that, the vendor community and the user community – regardless of agency – are aligned with the solutions that need to be developed and deployed to be both compliant and secure.

MeriTalk: The cyber EO is moving Federal agencies to adopt a zero trust architecture quickly; some say too quickly. What should agencies prioritize as they implement zero trust security across their agencies?

Richberg: The Zero Trust Maturity Model released by the Cybersecurity and Infrastructure Security Agency (CISA) really demonstrates that the Federal government understands that each agency is on its own path. It even recognizes that all agencies don’t need to get to the same level of maturity – maturity is based on their missions. The maturity model does a really good job at allowing agencies to prioritize the work of building zero trust security for themselves. It guides them, because everyone is moving in the same direction, but recognizes that each agency is starting from a different place and may stop at a different point along the pathway to fully mature, real-time zero trust capability.

Fernandez: Agencies do need to prioritize building a zero trust mindset within their workforce though. There may not be an understanding of what zero trust means – both in the technology organizations and with the end users. It may be hard for users to understand why they can’t do whatever they want whenever they want with their IT assets. By helping them understand the need for proper cybersecurity – even drawing parallels to physical security such as the need for metal detectors when walking into some Federal buildings – they can become allies on the journey to zero trust.

Richberg: Zero trust is misleading language, especially for a workforce of public servants who were hired into positions of trust – and who may even have security clearances. Those of us who work with zero trust principles every day know what it means, but for the end user who may not, zero trust sounds like “I don’t trust you” and has Orwellian implication of workplace surveillance. Employees may consciously or unconsciously push back. But zero trust is actually an enabler for employees, facilitating their ability to work from anyway in the ‘new normal’ operating environment. Zero trust simply means that security should not be determined solely by whether a validated user or device are connecting from within or outside of the network perimeter and that an appropriate level of trust is established prior to every transaction.

MeriTalk: A recent report from the National Security Telecommunications Advisory Committee said the government was in jeopardy of having zero trust become an incomplete experiment – a collection of disjointed technical security projects. What can Federal agencies do to ensure that doesn’t happen?

Newton: This report really highlights the importance of taking a holistic approach during the assessment period. I’ve seen surveys of teams implementing zero trust and the single thing they find most challenging is to get all of the components to work together. To avoid that, agencies need to ensure they are selecting an ecosystem of products that work together. Having a platform-based approach to zero trust implementation will ensure it’s not just a collection of point products that aren’t integrated.

Fernandez: One of the issues that may be tripping up technology teams is that there are so many different zero trust strategies, guidelines, and roadmaps – CISA offers guidance; NIST, Department of Defense (DoD), and the National Security Agency released their zero trust architectures; Office of Management and Budget has a zero trust strategy. It is imperative to decide which framework they want to align with and run with that one. This flexibility, which as we said earlier is not typically seen in government, means that agencies can choose what framework is most appropriate for them instead of being stuck with something that isn’t appropriate for their use case. That flexibility means it won’t be an incomplete experiment as long as the agency stays on its roadmap.

MeriTalk: Agencies implementing a zero trust architecture can choose from many technologies that are designed to meet the guidelines in NIST Special Publication 800-207 on building a zero trust architecture. Are agencies at risk of increasing security complexity as they pursue zero trust?

Fernandez: They aren’t increasing complexity with zero trust; they are just now learning about different complexities with which they may not have experience. For example, a lot of the integrations between components of a zero trust architecture are done through application programming interfaces (APIs), and not every technologist has worked with APIs. The Fortinet Security Fabric helps with this by having out-of-the-box integrations within Fortinet products and third-party vendors. This platform approach ensures components work together correctly and securely, without placing undue pressure and risk on the security administrator.

Newton: The way to combat the complexity is to select an ecosystem and a platform of products that work together from the beginning and not try to get them to work together later down the line.

MeriTalk: Is it possible that zero trust implementation could reduce the number of security technologies that agencies deploy? How does it change the roles of security personnel?

Fernandez: Adopting zero trust absolutely could reduce the number of security technologies and ultimately change the role of security personnel. Here’s why – over the past 15 years, security tools were built to address specific security vulnerabilities, such as databases, user web security, web application firewall, or mail security gateway. Technology teams ran out to get the latest security capability, but then had to get more personnel who were subject matter experts in that one capability.

Now, zero trust architecture enables us to focus on the outcome, not the capability. By restricting access to any resource on the network, the overall security effectiveness of deploying a zero trust architecture is higher than buying a security capability for each and every application, user, device, and server and then also having that subject matter expert manage that capability going forward.

And zero trust will allow us to address the cybersecurity skills gap because personnel roles can be more security outcome focused, not so much product capability focused. If we hire someone to be the subject matter expert of the firewall, we are not getting the most out of their talent. By up-leveling security talents’ focus, we get teams full of people that understand the outcomes – and the appropriate knowledge of the components that lead to those outcomes will follow.

Newton: Implementing zero trust also reduces the amount of time spent on manual processes, as it relies on automation. Through automation, technology teams can redeploy their talent who were doing manual processing into much more productive uses to accomplish mission goals.

Richberg: Security teams may not realize that they are already doing some elements of zero trust. I used to hear it all the time: “Zero trust sounds really hard, and we can’t devote the time or resources to doing it right now.” When you start peeling back the layers though, most agencies already have network segmentation; they have role-based access control giving different levels of permissions to staff, contractors, and visitors. This is a form of static zero trust; the goal of the Executive Order is to enable zero trust to be applied more dynamically and in real-time. With the right vendor partner, agencies can combine what they are already doing with new components to realize this dynamic zero trust security.

MeriTalk: What’s often overlooked in the transition to zero trust?

Richberg: The biggest element overlooked in zero trust is education. Agencies need to help users understand that zero trust doesn’t mean we don’t trust you. Once you show the right credentials, you can get access to what you need. Zero trust is an enabler and a tool. Zero trust should be largely transparent to users, as opposed to the security and technology teams that have to implement it. But users are likely to hear or read something about their agency moving to zero trust architectures, and it’s good to make resources like this available to explain to them what that means.

MeriTalk: Fortinet offers multiple solutions that can help agencies improve their cybersecurity and achieve a zero trust architecture. How are Fortinet solutions different than others on the market?

Newton: A lot of zero trust vendors are very cloud-focused in their approach. Fortinet understands and embraces the nature of hybrid environments. We know that agencies are not currently 100 percent in the cloud, and some never will be. Those agencies need a zero trust architecture that can be deployed everywhere, whether it’s an on-premises resource or cloud-based resource.

Fortinet’s zero trust solutions can operate in that hybrid environment. Through a combination of Fortinet-branded products and our third-party partners that are part of our security fabric, we offer a platform that encompasses everything that’s necessary to achieve zero trust. The broad ecosystem of products that come together in our platform differentiates Fortinet from other solutions on the market.

Fernandez: We aren’t just a viable solution for cloud or internet connected environments. I previously worked at DoD, so one of the things that is really important to me is that the Fortinet zero trust solutions can operate in a closed-area network. Especially in government, not all networks have unfettered access to the world wide web. Fortinet ensures that the products and solutions can still deliver zero trust network access, continuous monitoring, advanced malware analysis, and all of things that go along with complementing a zero trust architecture.

The other key differentiator is that Fortinet solutions were developed with unification in mind. We mean it when we say integrations work out of the box. The Fortinet Security Fabric is a unified platform to visualize and manage security in every environment.

Richberg: The other thing that matters is to make zero trust work at speed and scale. That includes using artificial intelligence and machine learning. That’s what’s going to drive automation. Fortinet has really been a pioneer in this area, having used the technology in our solutions for over 10 years.

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.