Zero Trust in 5 Minutes

Pluribus Digital
2 min read · Feb 11, 2022

On January 26, the President of the United States issued an executive order to mandate zero trust cybersecurity principles in government agencies. The fundamental notion is that each system or application within the federal government should never assume that any other system or application has not been hacked or tampered with. How big of an impact will these changes have, and who will be affected?

This will impact every Federal employee and contractor, and every system, as login and application security will need to change to a zero trust model. Today’s model mimics the classic process of badging in at the building entrance and then being free to walk around, while zero trust will at some levels be closer to badging at each floor and every locked door, with all internal and external traffic becoming encrypted.

Other key takeaways:

  • Goodbye VPNs (Virtual Private Networks). VPNs provide remote connection to internal networks, but give a misleading sense of security. With zero trust, users log into the various websites and applications they need directly using SSO (Single Sign On) technology, and each service is hardened to be directly exposed on the internet. No more need for clunky agents, or logon jams as everyone turns on their PCs at the same time.
  • Multi-factor authentication (MFA) has been widely adopted in the private sector within the last few years. This memo adds MFA as a core technology for government. MFA enables every employee to verify their identity more strongly and supports access control in real time.
  • Encrypted email has been a moving target since the 90s, and an effective implementation will be something to watch. It requires changes from the private sector, with multiple competing open and private encryption technologies in use. However, this can pay off big as email is a substantial attack vector.
  • Password requirements are changing. This memo takes a hard stance against some traditional password rules. Lengthy, complex and frequently changing passwords are leading to poorer security as employees get frustrated and use less secure passwords overall.

Overall, expect more work on the backend to make systems more secure by default, while each user is able to interact with systems more directly and independently. Fingers crossed for fewer group chats about VPN outages, and more about getting the big work accomplished!

This post was researched and written by Camille Clayton and Nadya Primak.
