The Federal Government Zero Trust Mandate
President Biden signed an executive order which mandated the adoption of the zero trust model for federal agencies in order to improve the nation’s cybersecurity and protect federal government networks. Shortly after the Cybersecurity and Infrastructure Security Agency (CISA) released a statement:
“President Biden’s order is an important step forward in bolstering our nation’s cybersecurity. We face cyber threats from nation states and criminal groups alike, and because the federal government must lead by example, the executive order will catalyze progress in adopting zero-trust architectures across the federal government."
This is huge for remote browser isolation companies like WEBGAP, it's sort of like a seatbelt manufacturer just before the law mandating seat belts came into force, with RBI written right into NIST’s Zero Trust Architecture Standard (800-207) as a foundational component, it means that WEBGAP is in for a busy few years!
Legislation can take years to come into force, and the government needs to improve their cybersecurity right now. An executive order is like a shortcut to legislation, it enforces an immediate requirement for federal agencies, and the hope is that this will be more widely adopted in the private sector. President Biden issued the order forcing federal agencies to adopt the zero trust model by 2024 because cybersecurity teams at the Department of Defense, the National Security Agency and the Department of Homeland Security have decided that implementing a zero trust architecture is by far the most practical method of improving the government's cybersecurity.
In simple terms, zero trust is a security framework that requires all of its users (in or outside your organization) to be authorized, authenticated and then continuously validated before they can access applications, resources and data. The clue is in the name, zero trust means we don’t trust you to access X by default until we have validated that you are who you say you are and have permission. Zero trust also makes the assumption that there is no ‘edge’ to the network anymore, before your network edge perimeter was mostly confined to your office, but nowadays the network can mean the cloud, remote workers working from home and users on mobile devices in and outside of the office. Zero trust also addresses the cybersecurity challenges facing modern businesses, including ransomware, the risks of browsing the internet, remote or home workers, hybrid cloud environments, and supply chain users.We here at WEBGAP align with the NIST 800-207 zero trust standard, we think its a vendor neutral, comprehensive and well written standard, not just for government agencies but for any organization moving towards zero trust.
Zero trust architecture requires that networks, assets and users are micro-segmented, and this is where remote browser isolation comes into play with zero trust. The default position of RBI is that any website you visit cannot be trusted and must therefore be isolated by default, in reality a secure web gateway decides which URLs are isolated or not, but the model is a zero trust one. As with SASE, you can't really do zero trust properly without micro-segmentation down to browser level, browser isolation is key because browser or browser tab sandboxing alone is not enough to satisfy the zero trust standard. This is why we here at WEBGAP see our future in the larger zero trust and SASE ecosystem, RBI is a foundational component of both models and you can't really do either without an RBI component, it's written into the standard.
The Executive Order laid down a mandate which will undoubtedly strengthen the cybersecurity posture of the US government, should it be effectively implemented, and the thinking is that the executive order is effectively a roadmap for developing a reference architecture that federal agencies must adopt by 2024 and this is why NIST 800-207 is important, it defines the zero trust reference architecture and this makes it an important resource that the private sector can leverage and use to build their own zero trust architectures without having to create their own interpretation and ensure it is compliant with the standard. Looking ahead towards 2024, we can expect to see the entire US government rapidly move towards a zero trust posture with their cybersecurity efforts and this in turn will, hopefully, spur the private sector to follow suit strengthening the cybersecurity of the whole nation in the process. We here at WEBGAP believe that zero trust is the future of cybersecurity, and we understand the pivotal role that the technology we build plays in this wider context. It is for this reason that we recently launched the world's first zero trust consultancy, as some of the early zero trust pioneers in the space we have a lot of experience to offer and share with our customers. Get in touch for a conversation!
If you would like a zero trust conversation click here to schedule a video or phone call with us.