Technology and policy advances enable federal moves to achieve zero-trust

Zero-trust guidelines from OMB and NIST, and Cisco’s integration of Duo Security cloud-based identity solutions, bolster agency efforts to move beyond perimeter defense.
(source: FedScoop)

A number of factors are coming together to help federal agencies move beyond perimeter defense and implement zero-trust security practices, according to a new report.

One of these is a set of recent changes in directives from the White House Office of Management and Budget (OMB) aimed at changing how agencies protect government data and information systems. These directives have added fresh momentum to agency efforts to shift from perimeter defense to universal identity and authentication practices that improve their security.


Additionally, agencies are getting added guidance from a draft publication released by the National Institute of Standards and Technology (NIST) laying out the constructs for designing a zero-trust ecosystem, the report says. The draft promises to become an important resource as agencies wrestle with how best to deploy distributed security controls as they expand into a hybrid- and multi-cloud operating environment.

Also, federal agencies stand to benefit from new technology features, arising from Cisco’s 2018 acquisition of Duo Security, that make it easier to manage identity and authentication controls. Cisco’s integration of Duo’s FedRAMP-approved, cloud-based identity and access control platforms means that agencies can move more quickly to adopt a comprehensive zero-trust security approach to protect the workforce, workplace and workload, says the report.

Agencies are in many ways better positioned than many private sector enterprises to embrace zero-trust practices, given long-standing requirements to follow federal identity and access control rules, says Duo Security’s Sean Frazier in the report, which was produced by FedScoop and underwritten by Cisco Systems.

“It doesn’t always happen, but I think the public sector actually understands zero trust a little better than the private sector because of things like ICAM [identity, credential and access management] practices that were established as a core tenet of security a long time ago. Directives like the government’s federal ICAM strategy and renewed guidance from NIST are helping agencies adopt a more agile approach to security,” says Frazier.

Roadmap for federal zero-trust security

The report outlines how this combination of policy directives and advances in technology capabilities draws a more precise roadmap for agencies to give authorized users access to government resources while preventing abuse of access privileges.

The report points to a series of initiatives from OMB and NIST released over the past year that lay out clearer commitments for deploying identity and authentication practices, such as:

  • Federal Identity, Credential and Access Management (FICAM) Policy
  • Trusted Internet Connection (TIC) 3.0
  • Federal Data Strategy and Action Plan
  • National Institute of Standards and Technology’s (NIST) draft, Zero-Trust Architecture (ZTA) Network Strategy

Until recently, putting these concepts into practice required tremendous technical coordination, the report says. And even when there was a will, there wasn’t always an easy way, given the age and complexity of most federal IT systems.

The combination of industry security solutions

The ability to adopt more agile approaches to security is being helped along because agencies have access to modern security solutions, most notably since Cisco’s acquisition of Duo Security in the fall of 2018, according to the report.

The combination of best-of-breed security solutions means that Cisco and Duo Security are able to integrate Duo’s unified, cloud-delivered zero trust and multi-factor authentication (MFA) solutions with Cisco’s software-defined (SD) infrastructure access and segmentation technologies.

According to the report this means agencies can take a comprehensive zero-trust security approach which focuses on establishing trust where and when it counts: not at a network perimeter checkpoint, but at the moment an authenticated user seeks to access a specific application or resource.

“We already had much of this in place, but we did not have the workforce covered until we acquired Duo,” says Cisco’s Peter Romness, cybersecurity programs lead, U.S. public sector.

When Duo Security joined Cisco, they were able to accelerate the timetable to secure FedRAMP authorization for two of Duo’s cloud-based, government-tailored access management solutions. Duo Federal MFA and Duo Federal Access provide secure application access for federal agencies and other public sector customers, ensuring that only trusted users and trusted devices can access protected applications, the report explains.

Another advantage of the Cisco-Duo combination, says Frazier, “is the ability it brings to manage authentication and access to resources in multiple cloud environments, as well as on-premises resources. With Duo, administrators can easily add MFA to any cloud application including Office 365, Azure, Google, Workday, Box and more. Not everything belongs in the cloud. But if you can get economy of scale, you need to make sure you get security in the bargain.”

“With Cisco and Duo, you get an exciting and capable product from a startup company like Duo with the force and backing of a major player, like Cisco,” concludes Romness. “And you get the power of the network brought to bear upon the idea of multi-factor authentication and the other advantages that Duo brings.”

This article was produced by FedScoop and sponsored by Cisco Systems.