The cybersecurity executive order (EO) signed by President Joe Biden requires Federal agencies to make plans for implementing zero trust architectures to strengthen their cybersecurity postures, and agency experts largely see the directive as a positive.
During the Zenith Live ’21 Full Cloud Ahead event June 15, agency officials spoke about working towards effective security and the benefits of moving toward zero trust. Moderating this particular panel was VP of Government and Head of Corporate Compliance at Zscaler Stephen Kovac, who highlighted four major bullet points of the cyber EO.
“60 days to develop plans to implement zero trust, increase their use of cloud service, and begin modernizing FedRAMP; 90 days to develop a Federal cloud security strategy and a cloud security technical reference architecture; 180 days to adopt [multi-factor identification] and encryption for data at rest and in transit; and last, [the Department of Homeland Security] must adapt [continuous diagnostics and mitigation], EINSTEIN, and other cyber programs to account for zero trust architecture,” Kovac outlined.
CIO for the Department of Health and Human Services Office of Inspector General Gerald Caron pointed out that zero trust helps agencies get from being compliance-focused to a more effective security approach, and that the Cyber EO helps with that journey.
“Thank God for the EO, I say. I think it moves us more towards being effective overall – for our agencies to be effective at cyber – not just checking boxes,” said Caron.
Steven Hernandez, CISO at the Department of Education, said he was “bullish” on the future of zero trust and how it can be used to effectively defend data.
“It’s not just the discussion around technologies and infrastructure and services and cloud and all the cool things that come together to make it happen,” said Hernandez. “It’s also a very robust discussion around data. Because data is at the heart of everything that we’re driving, whether it’s behavioral data about what’s going on around us, and how we can respond in a resilient fashion, but also data in terms of understanding where our crown jewels are, and then using zero trust to layer on, or in some cases, actively defend that data at its very core.”
The officials also agreed that the technology for zero trust is already there, but that the people and processes are always the hard part. Getting executive buy-in and using best practices will be critical to adopting zero trust.