A prayer for Zero Trust: US Government agencies prepare for critical deadline

“You don’t get to a place called Zero Trust and it’s unicorns and rainbows. It is a journey that we have to be on."

In the US, people are literally praying for the successful implementation of Zero Trust.

By the end of fiscal year 2024 (September 30), every government agency is required to have built the architecture to allow compliance with this loosely defined security paradigm, which is often described as a kind of "religion" rather than a standard to be complied with (or bought as a service).

“For every agency, it is a journey, it is not a destination,” said Clare Martorana, US Federal CIO at the Executive Office of the President, as she recently announced that agencies are about 90% of the way towards their mandated goal.

“You don’t get to a place called Zero Trust and it’s unicorns and rainbows," Martorana continued. "It is a journey that we have to be on."

Zero Trust is likely to become a standard adopted by organisations, industries and territories around the world in the wake of the federal mandate, Carl Herberger, CEO at Corero Network Security, told The Stack.

Through "compliance, costumes and courtesy", Zero Trust is likely to define all interconnected systems going forward, Herberger says - describing it as more of a "way of life" than a technical implementation, "not unlike adopting a personal religion or culture."

However, he pointed out that not enough thought has been given to the potential risks and challenges of blindly drinking the Kool Aid.

He tells The Stack that "almost all" Zero Trust implementations are "leveraged and wrought by single-points-of-failure". "If they are rendered unavailable or service is disrupted, the entire operations fail," he warned.

"Examples of this would be Multi-Factor-Authentication (MFA) which is a high tenet in Zero Trust," he said. "If the MFA service doesn’t render properly no one has access.

"Another example is DDoS protection. Most (if not all) common deployments of SASE/SD-WAN come with little-to-no DDoS assurances, leaving many to jokingly call these solutions Zero Access during times of cyberattacks."

A screenshot of the memo setting the date for Zero Trust implementation

More than zero: The risks of Zero Trust

Zero Trust follows in the footsteps of other globally adopted US standards, hinting at its potential global influence.

Jonathan Wright, Director of Products and Operations at networking company GCX, told The Stack: "Similar to NIST 800-53 which has become the de facto security control standard globally, the US federal mandate is likely to drive the broader security community to operationalise Zero Trust as a standard of practice."

But while Zero Trust is a useful starting point, challenges around knowing exactly what devices are in place remain, Wright said - particularly in manufacturing settings.

He added: "The addition of operational technology (OT) assets and Industrial Internet of Things (IoT) devices makes it even harder to get that full understanding of everything that is connected to the network. Network segmentation is an effective way to secure things, but it can make it harder to see and understand asset inventories, especially when teams run in silos and don’t communicate with each other."

Wright says that the biggest challenge lies in simply knowing where everything is within an organisation's data centre and network environments.

He said: "For many teams, the single source of information around assets is their configuration management database, or CMDB. By getting accurate knowledge of what you have in place, you can achieve your goals around applying the right security rules wherever and whenever those rules have to be applied."
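The inventory problem Wright describes can be checked mechanically: reconcile the CMDB export against what is actually observed on each network segment and flag the gaps. The example below is added here and is not code from GCX or from the article; the CMDB rows, the DHCP/ARP observations, and the column names are constructed sample data.

```python
"""Reconcile a CMDB export against devices actually seen on the network.

Added example, not from the article or from GCX. The CMDB records and
the per-segment observations below are constructed sample data.
"""
from dataclasses import dataclass
import csv
import io

# Constructed CMDB export: asset tag, MAC, owning team, network segment.
CMDB_CSV = """asset_tag,mac,owner,segment
SRV-0001,aa:bb:cc:00:00:01,platform,dc-core
SRV-0002,aa:bb:cc:00:00:02,platform,dc-core
PLC-0007,aa:bb:cc:00:00:07,ot-ops,ot-line1
WS-0042,aa:bb:cc:00:00:42,desktop,corp-users
"""

# Constructed observations, e.g. collected from DHCP leases or ARP
# tables on each segment: (mac, ip, segment).
OBSERVED = [
    ("aa:bb:cc:00:00:01", "10.0.1.10", "dc-core"),
    ("aa:bb:cc:00:00:07", "10.0.9.21", "ot-line1"),
    ("aa:bb:cc:00:00:42", "10.0.20.5", "corp-users"),
    ("aa:bb:cc:00:00:99", "10.0.9.44", "ot-line1"),   # no CMDB record at all
    ("AA:BB:CC:00:00:42", "10.0.9.45", "ot-line1"),   # desktop asset plugged into the OT segment
]


@dataclass(frozen=True)
class Finding:
    kind: str    # "unmanaged", "segment_mismatch" or "stale"
    mac: str
    detail: str


def load_cmdb(text):
    """Index the CMDB export by lower-cased MAC address."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["mac"].lower(): r for r in rows}


def reconcile(cmdb, observed):
    """Compare observed devices with the CMDB and return the discrepancies.

    unmanaged        : seen on the wire, unknown to the CMDB
    segment_mismatch : known asset seen on a segment other than its recorded one
    stale            : in the CMDB but never observed (decommissioned or moved)
    """
    findings = []
    seen = set()
    for mac, ip, segment in observed:
        mac = mac.lower()            # MAC case differs between tools
        seen.add(mac)
        rec = cmdb.get(mac)
        if rec is None:
            findings.append(Finding("unmanaged", mac,
                                    f"seen at {ip} on {segment}, no CMDB record"))
        elif rec["segment"] != segment:
            findings.append(Finding("segment_mismatch", mac,
                                    f"{rec['asset_tag']} recorded in {rec['segment']} "
                                    f"but seen at {ip} on {segment}"))
    for mac, rec in cmdb.items():
        if mac not in seen:
            findings.append(Finding("stale", mac,
                                    f"{rec['asset_tag']} in CMDB but not observed"))
    return findings


if __name__ == "__main__":
    for f in reconcile(load_cmdb(CMDB_CSV), OBSERVED):
        print(f"{f.kind:17} {f.mac}  {f.detail}")
```

The segment-mismatch case is the one that matters most for the segmentation point Wright raises: a workstation that is "known" but turns up on the OT segment is invisible to a CMDB lookup alone and only shows when the inventory is joined against live observations.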

Zero Trust is critical to reducing the blast radius of security incidents, said Ev Kontsevoy, CEO of cybersecurity firm Teleport - and it’s "encouraging" to see it adopted within federal agencies. 

But more work remains to be done, he believes. 

Kontsevoy said: "This is not the end of the Zero Trust journey. Plenty of companies have figured out how to authenticate users and enforce Zero Trust at the network level in the last few years. 

"But many haven't done so at the application and workload layer, which means they have not solved the more comprehensive challenge of enforcing a fully Zero Trust architecture for their cloud and data centre operations. To end rampant breaches, companies must extend Zero Trust enforcement to applications and workloads. 

"It's also important to remember that for as essential as Zero Trust access is, a unified view of access relationships between all your resources in your organisation is just as important. It is very hard to enforce Zero Trust access if you don't centralise things like visibility, auditing, enforcement of policies, and compliance with regulations all in one place. This is where a lot of companies still stumble in their cybersecurity strategy."

Implementing Zero Trust in the US

US Government agencies were first ordered to join the Zero Trust movement in 2021, with the publication of the Executive Order on Improving the Nation’s Cybersecurity. A memo, M-22-09, then set the implementation date.

It set the following goals:

  • Federal staff have enterprise-managed accounts, providing secure access while protecting against sophisticated phishing attacks.
  • Devices are consistently tracked, monitored, and assessed for security posture before accessing internal resources.
  • Agency systems are isolated, and network traffic between and within them is encrypted.
  • Enterprise applications are internally and externally tested, allowing secure internet access for staff.
  • Federal security and data teams collaborate to create data categories and security rules that detect and block unauthorized access to sensitive information.

"The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted," the memo added, quoting the Department of Defense Zero Trust Reference Architecture.

"Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”
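What "continual verification of each user, device, application, and transaction" looks like in code is a policy decision point that re-evaluates every request instead of trusting a session that once passed the perimeter. The example below is added here; it is not from the memo, the DoD reference architecture or any vendor quoted above. It also shows the failure mode Herberger warns about: the decision depends on an MFA/posture service, and a fail-closed policy denies everyone when that service is down. The freshness thresholds, policy table, field names and sample request are all constructed assumptions.

```python
"""Per-request Zero Trust access decision (a minimal policy decision point).

Added example, not code from the memo, the DoD reference architecture or
any vendor in the article. Thresholds, resources and request fields are
assumed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

MFA_MAX_AGE_S = 15 * 60       # assumed: sensitive resources need an MFA proof < 15 min old
POSTURE_MAX_AGE_S = 5 * 60    # assumed: device posture attestation must be < 5 min old

# Assumed policy table: resource -> (required group, requires fresh MFA?)
POLICY = {
    "payroll-api": ("finance", True),
    "wiki": ("staff", False),
}


@dataclass
class Request:
    user: str
    groups: set
    resource: str
    now: int                  # epoch seconds at evaluation time
    device_managed: bool
    posture_ok: bool
    posture_at: Optional[int] # epoch seconds of last posture check, None if never
    mfa_at: Optional[int]     # epoch seconds of last MFA proof, None if never


def decide(req, posture_service_up=True):
    """Return (allow, reason). Called on every request, never cached.

    posture_service_up models the availability of the external MFA/posture
    dependency; when it is False this PDP fails closed.
    """
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource: default deny"
    group, needs_mfa = rule

    if group not in req.groups:
        return False, f"user {req.user} lacks group {group}"
    if not req.device_managed:
        return False, "unmanaged device"
    if not posture_service_up:
        # The single point of failure in practice: no attestation, no access.
        return False, "posture/MFA service unavailable: fail closed"
    if (req.posture_at is None
            or not req.posture_ok
            or req.now - req.posture_at > POSTURE_MAX_AGE_S):
        return False, "device posture missing, failed or stale"
    if needs_mfa and (req.mfa_at is None or req.now - req.mfa_at > MFA_MAX_AGE_S):
        return False, "MFA proof missing or too old for a sensitive resource"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed request: finance user on a managed, recently attested device.
    r = Request(user="alice", groups={"staff", "finance"}, resource="payroll-api",
                now=2000, device_managed=True, posture_ok=True, posture_at=1950, mfa_at=1500)
    print(decide(r))                              # allowed
    print(decide(r, posture_service_up=False))    # denied: fail closed
```

Whether to fail closed or degrade (for example, allow only non-sensitive resources on a cached attestation) is a design decision each agency has to make explicitly; the point of the example is that the decision exists and must be written down, rather than discovered during an outage.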

As the deadline approaches, a group called The Presidential Prayer Team is asking followers to pray "for CIO Martorana to seek God’s wisdom as she oversees the implementation of zero trust measures."

They are also praying "for cyber security professionals as they seek to safeguard government technology and systems."

We'll leave it up to you whether you want to join them.
