Zero Trust Requires Continuous, Tested Security for Federal Agencies

By Scott Ormiston, Federal Solutions Architect, Synack

Within a single week in late March, the Biden administration both reissued the call for American companies to shore up their cybersecurity efforts in the wake of the Russia-Ukraine war, and requested nearly $11 billion in cybersecurity funding from Congress for the Federal government and its agencies for fiscal 2023 – a billion dollars more than the year prior.

Record numbers of Common Vulnerabilities and Exposures (CVEs) and zero-day exploits also contribute to the urgency felt across the cybersecurity industry, which is being squeezed by a lack of talent and a hot labor market. Meanwhile, the federal government and its agencies are in the middle of an effort to modernize their technology – a herculean task that has the potential to widen attack surfaces and further burden cybersecurity professionals.

Adopting an adversarial, offensive cybersecurity strategy that aligns with the Federal government’s mandate to move to zero trust architecture can release some of that pressure by working proactively to harden your agency’s existing security program.

Zero trust architecture, as outlined in the Federal zero trust strategy memorandum M-22-09, aligns with the five pillars of the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model: Identity, Devices, Networks, Application Workload and Data. Each pillar requires different kinds of tools and services to adhere to zero trust principles, and all of them coalesce around preventing unauthorized access by making access granular and granted only as needed.

Taking a closer look at the Application Workload pillar, the optimal state is one in which applications are designed for continuous testing. While an application is in development, security testing for Federal agencies should happen routinely throughout, and it should continue once the application is deployed. For deployed applications, CISA recommends continuous, external monitoring.

The common themes for all five of the pillars include continuity and externality. Why? Because that is the manner in which adversaries are scanning attack surfaces for potential threat vectors; they are continually learning from organizations’ security measures and augmenting their own approaches. The adversary is on-the-clock 24/7, looking for a way in, so security teams must rebuild their efforts to match.

To make the move toward zero trust, security teams need to establish whether their existing security systems and processes are working as designed. Conducting outside-in testing and gaining an adversarial perspective on current security implementations will show where to prioritize remediation efforts.

Synack provides dedicated application security testing that enables federal agencies to adhere to mandates, advancing their moves to zero trust principles. Agencies that select Synack will also benefit from its FedRAMP Moderate In Process designation, indicating that 325 security controls were met to enhance security for users working in Synack’s FedRAMP environment.

As former National Security Agency and Defense Department technical security experts, Synack’s founders know intimately the importance of securing federal operations and technologies in cyberspace.

CEO Jay Kaplan and CTO Dr. Mark Kuhr saw firsthand how difficult it was to unite thousands of government employees and acquire the necessary security expertise to proactively, and effectively, protect against today’s cyber attacks and threat actors. That view led them to create Synack, the premier on-demand security testing platform backed by a vetted community of ethical researchers for continuous penetration testing and vulnerability management.

“Helping defend the U.S. against cyberattacks is in our DNA. It’s why my co-founder Jay and I started Synack in the first place and it’s what our network of trusted ethical hackers do every day on the platform,” said Dr. Kuhr. “Synack’s FedRAMP designation is a powerful accelerant for even more Federal customers to benefit from continuous, crowdsourced security testing, which is an essential best practice especially in light of recent vulnerabilities like Log4j. The Synack offering can aid organizations by rapidly responding to the most urgent CVEs.”

Synack has worked with more than 30 government organizations on application security testing capabilities, with the capacity to deliver better results at scale than traditional methods, and is committed to helping agencies protect citizens and their data. In response to the Biden administration’s call to make progress on security efforts now, Synack can provide organizations with on-demand access to the most trusted worldwide network of security researchers.