Analyzing the US Government’s Adoption of Zero Trust
Two years ago, we published our original Demystifying Zero Trust to discuss the following topics without marketing buzzwords:
- Where did zero trust come from and what does it do?
- What are common confusions surrounding zero trust?
- What benefits can organizations get through zero trust adoption?
The good news is that the fundamental concepts behind zero trust have remained the same. The problem is that security practitioners have become understandably skeptical about everything “zero trust.” Many vendors have abused it as a new buzzword to slap onto their products in an effort to drive sales, further muddying the waters when it comes to explaining what is and isn’t zero trust.
This update post will focus on quite possibly the biggest adopter to date: the U.S. government.
We’ll address two main topics:
- Why did the U.S. government adopt zero trust? What was their reasoning?
- What are main takeaways from the U.S. government’s adoption of zero trust?
Why Did the U.S. Government Adopt Zero Trust?
To begin, the Biden administration’s Executive Order 14028 resulted in various U.S. government agencies releasing reports, strategies, or zero trust adoption roadmaps.
Here’s a short list:
- The Office of Management and Budget (OMB) released memo M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles
- The National Security Telecommunications Advisory Committee (NSTAC) released its Report to the President on Zero Trust and Trusted Identity Management
- The Cybersecurity & Infrastructure Security Agency (CISA) released the Zero Trust Maturity Model, building on NIST Special Publication (SP) 800-207, Zero Trust Architecture, from the National Institute of Standards and Technology (NIST)
- CISA and NIST also released a government website for zero trust resources
- The Department of Defense (DoD) released its Zero Trust Reference Architecture, followed by its Zero Trust Strategy and Roadmap
The core question: Why?
Why the sudden scramble to adopt ZT? The U.S. government taking national security seriously isn’t surprising, but one line of thought runs through all of these papers and reports: a strong emphasis on pivoting away from the existing, traditional perimeter defense.
This goes back to several fundamental theories of ZT:
- You should assume bad actors are already in your network infrastructure. This assumption doesn’t only apply to government networks. IBM’s Cost of a Data Breach 2022 report puts the shortest mean time for an organization to identify a breach at 149 days, or almost two fiscal quarters. Accordingly, if your network is breached today, your organization most likely won’t find out within the quarter.
- You should no longer grant access based on the requestor’s network location or position, but continuously verify the requestor’s identity and authorization on every request. If you assume bad actors are already inside, granting access based on network presence grants it to them as well, so continuing that status quo is meaningless.
Putting these two ideas into practice results in the DoD’s conclusion:
Organizations must act now.
Indeed, the government has come to accept that perimeter defense no longer works. Today’s threat landscape takes advantage of digital infrastructure that is constantly changing and being updated. Furthermore, remote work, supply-chain attacks, ransomware, malicious insiders, and sprawling multi-cloud or hybrid infrastructure have become impossible to secure with a perimeter alone.
The core theory of ZT remains unchanged: nothing should be implicitly trusted. Consequently, a system that is set up to grant access as long as the requestor is located inside your network will fail the moment an attacker is inside it too. This is why the government and various organizations are moving away from traditional network perimeter defense.
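To make the second idea concrete, here is an added example (not code from the original post or from any of the government publications above) that puts a perimeter-style access check beside a zero trust-style one in Python. The corporate address range, the per-resource policy table, the HMAC-signed token format and the sample requests are all constructed for illustration; a real deployment would rely on an identity provider’s tokens (JWT/OIDC) and a device-posture signal instead of the toy versions here.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Hypothetical values for this example only: the "trusted" corporate range that a
# perimeter model relies on, a toy signing key, and a small per-resource policy table.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")
SIGNING_KEY = b"example-only-not-a-real-key"
POLICY = {
    "payroll-api": {"roles": {"finance"}, "require_managed_device": True},
    "wiki": {"roles": {"finance", "engineering"}, "require_managed_device": False},
}


def perimeter_authorize(request):
    """Legacy model: any request from inside the corporate network is trusted."""
    return ipaddress.ip_address(request["src_ip"]) in CORP_NET


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, role, audience, ttl=300, now=None):
    """Issue a short-lived HMAC-signed identity token (toy stand-in for an IdP)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "role": role, "aud": audience, "exp": now + ttl}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, audience, now=None):
    """Return the claims only if signature, audience and expiry all check out; else None."""
    now = time.time() if now is None else now
    if not token or "." not in token:
        return None
    payload_b64, sig_b64 = token.split(".", 1)
    try:
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
    except ValueError:  # bad base64 or bad JSON
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


def zero_trust_authorize(request, now=None):
    """Decide on verified identity and request context; the source address plays no role."""
    resource = request["resource"]
    claims = verify_token(request.get("token"), audience=resource, now=now)
    if claims is None:
        return False, "identity not verified"
    policy = POLICY.get(resource)
    if policy is None:
        return False, "no policy for resource"  # default deny
    if claims["role"] not in policy["roles"]:
        return False, "role not authorized for resource"
    if policy["require_managed_device"] and not request.get("device_managed", False):
        return False, "unmanaged device"
    return True, f"allowed: {claims['sub']} as {claims['role']}"


def compare_models(now=None):
    """Run constructed sample requests through both models -> {label: (perimeter, zero_trust)}."""
    now = time.time() if now is None else now
    finance_tok = mint_token("alice", "finance", "payroll-api", now=now)
    stale_tok = mint_token("alice", "finance", "payroll-api", ttl=60, now=now - 3600)
    requests = {
        # Attacker already inside the network, with no verified identity at all.
        "insider_no_identity": {"src_ip": "10.0.0.5", "resource": "payroll-api"},
        # Remote finance user on a managed laptop, outside the corporate range.
        "remote_finance_managed": {"src_ip": "203.0.113.7", "resource": "payroll-api",
                                   "token": finance_tok, "device_managed": True},
        # Same user, inside the network, but on an unmanaged device.
        "internal_finance_unmanaged": {"src_ip": "10.0.0.9", "resource": "payroll-api",
                                       "token": finance_tok, "device_managed": False},
        # Inside the network with an expired token: context is re-checked every request.
        "expired_token": {"src_ip": "10.0.0.9", "resource": "payroll-api",
                          "token": stale_tok, "device_managed": True},
    }
    return {label: (perimeter_authorize(r), zero_trust_authorize(r, now=now)[0])
            for label, r in requests.items()}


if __name__ == "__main__":
    for label, (perim, zt) in compare_models().items():
        print(f"{label:28} perimeter={str(perim):5} zero_trust={zt}")
```

Running it prints one line per sample request. The attacker who is already inside the network is admitted by the perimeter check and refused by the zero trust check, while the remote user with a verified identity and a managed device gets the opposite result. Because the zero trust decision is made on every request, the expired token is refused even from an internal address, which is what "continuous verification" means in practice.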
What Are Main Takeaways From the US Government’s Adoption of Zero Trust?
Immediate reevaluation of perimeter-defense strategy and how your infrastructure grants access
One sentiment is repeatedly echoed in each publication by the various U.S. agencies: the traditional perimeter-defense strategy no longer works. The reasons given weren’t limited to government network infrastructure alone. Major changes such as the rise of remote work, the steady digitization of the modern workplace, and increasing reliance on third-party infrastructure mean all modern organizations are exposed to the same perimeter problem.
Furthermore, once an organization accepts that perimeter defense does not work, the question becomes: what’s the replacement? The U.S. government certainly believes it to be Zero Trust Architecture and has made a concerted, top-down effort to enable its various agencies to adopt it via the publications above. The architecture, technical underpinnings, and execution of the processes that replace perimeter defense are the core issues, and the blockers, facing ZT adoption today.
Ultimately, if your organization is still using the traditional perimeter-defense strategy, an immediate risk-mitigation evaluation should be conducted. We recommend CISA’s Zero Trust Maturity Model and the DoD’s Zero Trust Reference Architecture and Zero Trust Strategy and Roadmap to learn how your organization can also adopt ZT.
Zero Trust might become a legal requirement
Summing up, we venture a prediction: the U.S. government may push the 16 Critical Infrastructure Sectors identified by CISA to adopt ZT, possibly as a compliance requirement. The alternative is to believe that the U.S. government is content to let industry sectors it considers “critical” remain vulnerable without ZT adoption. Your defense is only as strong as your weakest point, right?
We understand that such compliance requirements might not arrive “soon,” as the agencies are still wrangling with their own adoption processes. But once the government is done looking inward, it will begin looking outward. The sectors are labeled “Critical Infrastructure” for a reason.
How can organizations start to gauge what those compliance requirements might look like? The government has already published the answer in the documents linked above. They may be updated over the years, but they shouldn’t veer far from what already exists.
Keep this top of mind the next time your organization evaluates its security — do you meet the government’s own ZT models? How far are you from it?
If the government gave you a year to adopt their ZT security model, how fast could you roll it out?
Zero Trust Architecture Starts with Access Control
Starting a ZT journey can be overwhelming — and it starts with access control.
Governments and organizations want to keep their existing infrastructure while rolling out ZT adoption for secure identity and context-driven access to their internal services, and they’re doing it with Pomerium proxy. IT management teams can easily deploy Pomerium to provision access and ensure security for all users without sacrificing productivity.