Recalibrating Your Data Security Model to Achieve Zero Trust for Government Agencies

March 7, 2022

The Push to Zero Trust

On May 12, 2021, President Joe Biden issued an executive order (EO) on cybersecurity requiring federal agencies to migrate from traditional, perimeter-based defenses to a zero trust architecture. The EO informed an important government response to the recent rise in sophisticated, high-profile cyberattacks and the emergence of new, malicious threat tactics. The order was followed by the Office of Management and Budget’s (OMB) Federal Strategy for moving the U.S. government towards a Zero Trust Architecture, and the more recent release of its 2021-2022 guidance for agencies, both of which are designed to help organizations plan how to meet the key zero trust requirements laid out by the EO.

What is Zero Trust?

In its Special Publication 800-207, Zero Trust Architecture, NIST characterizes zero trust as an evolving collection of cybersecurity paradigms and concepts that allow security defenses to shift from functioning as static, network-based perimeters to functioning as perimeterless defenses that work to continuously authenticate and verify users, devices, and applications. The central principle of zero trust is to validate and authenticate everything, from component relationships to workflow planning to access policies, and to make access control enforcement as granular as possible. Enforcing these principles reduces the attack surface and helps prevent unauthorized access to data and services.

Two core zero trust mantras are “Assume breach” and “Never trust, always verify”. Put another way, all traffic entering a network, or even already inside a network, should be deemed untrustworthy unless it is verified.

The collection of cybersecurity concepts that together form the foundation of a zero trust architecture include:

  • Enforcing continuous authentication to ensure that all devices, users, and identities who have access to a network are who they say they are.
  • Eliminating persistent trust by ensuring that all privileged access and permissions are continuously audited, and that access is provisioned just-in-time and revoked immediately upon completion of a task, a change in context, or the expiry of a set amount of time.
  • Implementing least privilege to ensure that users, applications, and systems have only the minimum access they need. This helps protect against malware execution, lateral movement attacks, and more.
  • Enforcing segmentation and microsegmentation to isolate assets and resources and prevent lateral movement.
  • Ensuring there is always visibility into who is doing what and why, so that permissions and access can be revoked immediately when suspicious behavior appears.

Together, these security paradigms control, prevent, or limit the impact threshold of any threat that does present itself to the network.
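The just-in-time and least-privilege bullets above can be made concrete with a short sketch. This is an added example, not BeyondTrust or OMB code: the JitBroker class, its method names, and the 15-minute default lifetime are hypothetical, and it shows the three revocation triggers the list names (task completion, context change, time expiry) with every decision written to an audit trail.

```python
import time
from dataclasses import dataclass

@dataclass
class Grant:
    actions: frozenset        # least privilege: only what the task needs
    context: tuple            # (device, network) recorded at approval time
    expires_at: float
    revoked_reason: str = ""  # empty while the grant is active

class JitBroker:
    """Hypothetical broker; names and the 15-minute default are assumptions."""
    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl, self.clock = ttl_seconds, clock
        self.grants = {}      # (user, resource) -> Grant
        self.audit = []       # (time, user, resource, decision, detail)

    def _log(self, user, resource, decision, detail):
        self.audit.append((self.clock(), user, resource, decision, detail))
        return decision == "allow"

    def _revoke(self, user, resource, reason):
        g = self.grants.get((user, resource))
        if g and not g.revoked_reason:
            g.revoked_reason = reason
            self._log(user, resource, "revoke", reason)

    def request(self, user, resource, actions, context):
        """Provision access just in time, scoped and time-boxed."""
        self.grants[(user, resource)] = Grant(
            frozenset(actions), context, self.clock() + self.ttl)
        self._log(user, resource, "grant", ",".join(sorted(actions)))

    def complete_task(self, user, resource):
        self._revoke(user, resource, "task-complete")

    def authorize(self, user, resource, action, context):
        """Re-verify on every call; an earlier allow is never reused."""
        g = self.grants.get((user, resource))
        if g is None or g.revoked_reason:
            return self._log(user, resource, "deny", "no-active-grant")
        if self.clock() >= g.expires_at:
            self._revoke(user, resource, "expired")
            return self._log(user, resource, "deny", "expired")
        if context != g.context:
            self._revoke(user, resource, "context-changed")
            return self._log(user, resource, "deny", "context-changed")
        if action not in g.actions:
            return self._log(user, resource, "deny", "action-not-granted")
        return self._log(user, resource, "allow", action)
```

Passing a controllable clock function into JitBroker makes the expiry path testable without waiting for real time to pass.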

The Federal Government’s zero trust vision

OMB’s guidance for adhering to the federal government’s zero trust security goal places particular emphasis on how the federal government wants organizations to conduct data transactions and contextualize user activity and network access. It lays out five specific pillars across which organizations should make progress, and has set an achievement goal for the end of September, 2024.

The five pillars, or key progress areas, cited by the OMB are listed below. The descriptions are quoted directly from the OMB’s Zero Trust strategy:

  • Identity: Agency staff use an enterprise-wide identity to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.
  • Devices: The Federal Government has a complete inventory of every device it operates and authorizes for Government use, and can detect and respond to incidents on those devices.
  • Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment, and begin segmenting networks around their applications. The Federal Government identifies a workable path to encrypting email in transit.
  • Applications: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous testing, and welcome external vulnerability reports.
  • Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.

Why the urgent need to move to zero trust now?

The push to revamp agency cybersecurity processes came about in response to the evolving threatscape and to the dramatic increase in high-profile cyberattacks, such as the SolarWinds and Colonial Pipeline breaches.

Today’s work-from-anywhere (on-prem, remote, or hybrid) workplace is sprawling beyond its former perimeters, with the number of devices, apps, cloud environments, and access points being driven to near-unmanageable levels. Today’s service edge is much further away from the network—it could include a cell phone that is being used on someone’s personal couch or a laptop that is being used in a hotel room in the Caribbean. Re-focusing security beyond the perimeter has become imperative.

For many organizations, controlling identity is a critical first step to constructing a zero trust architecture that meets the requirements of hybrid, cloud, and often multicloud network infrastructures.

How to achieve a secure zero trust environment

A secure zero trust environment is not a singular product or concept. As the new mandate points out, it requires a shift in how government agencies and commercial enterprises view and execute network security.

Rather than molding current cybersecurity defenses to a changing workplace, organizations need to take a step back and start by contextualizing their network activity. This will allow them to accurately understand how users behave on the network so they can plan the appropriate defenses. To acquire this level of comprehension, however, access needs to be rooted in a master concept of identity—which is why identity marks the first pillar of the federal government’s zero trust vision.

The new OMB requirements establish identity security as the foundation of zero trust. With the dissolution of the traditional network perimeter, identity has become the first and most critical line of defense to protecting data. Identity must stay top-of-mind for all organizations and must encapsulate all users and devices, if it is to be effective.

A ZTA requires organizations to fully understand the master identities of the users who are accessing the network. In today’s world, any one user identity can access data in multiple roles or locations, and a person can (and probably does) work from many different places. The network needs to carry that user’s master identity with them, but it also needs to be able to shed access permissioning for the data the identities no longer need.

Controlling Identity Starts with Privileged Access Management

Privileged Access Management (PAM) is a cornerstone of a zero trust architecture, and a key starting point for gaining a foothold on the identity pillar of OMB’s zero trust strategy. PAM encompasses the strategies and technologies that are used to control privileged access and permissions for users, accounts, processes, and systems across an IT environment. Privileged password management, endpoint privilege management, and secure remote access are three core solutions integrated within PAM platforms to enforce least privilege, manage and protect privileged identities, and monitor and audit privileged access.

Least privilege and just in time (JIT) access are both called out specifically by NIST on its list of executive order-critical software. These PAM capabilities are noted for their ability to assist agencies with identifying software for the initial phase of zero trust implementation.

With the appropriate level of privileged access control, organizations can effectively shrink their attack surface, preventing, or at least mitigating, the impact of an external attack or insider threat (whether intentional or inadvertent).

Conclusion: Zero Trust Requires A Shift in Security Strategy

The most important things to remember when implementing a zero trust strategy are that:

  • The traditional ways of protecting data networks are no longer adequate for today’s threat environment.
  • No one vendor can provide a complete zero trust security architecture. Organizations need to work with multiple interoperating solutions and vendors to meet zero trust mandates and provide comprehensive security.
  • Security can no longer stop at the agency’s front door; it must extend to wherever the user accesses the network.
  • Security planning must evolve for the future of zero trust. This will entail learning more about user behavior patterns and implementing security based on anomalies with each identity.

BeyondTrust solutions help secure all cabinet-level Federal Civilian agencies and over 100 Defense Department environments. We are trusted across all 4 branches of the DoD, including the 4th estate, with ATOs on both the classified and unclassified side. Please contact us to discuss how we can assist in your agency’s zero trust journey, and download our expert dialogue for more insight into the government cybersecurity landscape from leading cybersecurity experts.

Josh Brodbent, RVP, Public Sector Solutions Engineering

Josh has more than 20 years of IT experience and has architected identity and privileged access management solutions for over 3 million user accounts. He joined BeyondTrust in 2018 as a Senior Solutions Engineer and was quickly selected to lead the team. Prior to BeyondTrust, he was a Senior Solutions Architect for Quest Software. He began his career by founding a managed service provider (MSP) at 12. He held multiple industry certifications by 14, making him the youngest in the nation to do so. That MSP went on to become successful, and ultimately his launching point into Public Sector architecture and support.
