Netskope applauds the White House’s Executive Order on Improving the Nation’s Cybersecurity, especially the rigor with which short-term deadlines and some clear-cut plans of action are described.
DarkSide ransomware and the attack on the Colonial Pipeline is just one recent example of events that have disrupted national critical infrastructure and put the privacy and safety of millions of individuals at risk. Public-private partnerships have never been more important than they are today, and tight, politics-free collaboration is imperative if we’re to evolve our cyber defenses. We are pleased to see the Biden Administration stepping up to support this hugely important priority, and we plan to continue Netskope’s work with government, industry, and our customers and partners to further this agenda.
A continuous Zero Trust mindset
The White House’s Executive Order highlights many specific areas of interest for not only federal government security, but how we should be thinking about security and network architecture everywhere. As the Executive Order notes:
“To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”
According to the Executive Order, agency heads are required to update existing agency plans, develop a plan to implement Zero Trust Architecture based on current NIST migration steps, and report on progress—within 60 days of the order. This is powerful, not least because it helps bring Zero Trust back down to earth from how over-marketed the term has become in recent years. It helpfully frames Zero Trust in architecture terms—something Netskope has also underscored and that we’re seeing as common to the success of our many customers worldwide.
In a modern architecture, Zero Trust principles should be judiciously applied, adaptively and continuously. But today, many organizations don’t have much more than isolated “Zero Trust projects” focused on networks, users, devices, or isolating servers. The main miss on most of these projects is that they are focused on application-level access and other pieces, but not focused on the data. Architecturally, we must go beyond access control and isolation to provide continuous Zero Trust: real-time access and policy controls that adapt on an ongoing basis based on users, devices, apps, threats, and data context.
This data-centric approach is the only effective way to dynamically manage risk across a mix of third-party applications and a remote-first workforce that needs always-on access to cloud apps and data to stay productive. As the Executive Order calls out in Section 10, item K:
“Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources…”
Proper application of Zero Trust principles is also a critical step toward Secure Access Service Edge (SASE) architecture. SASE isn’t specifically mentioned by the White House’s Executive Order, but as the Order explains, applying Zero Trust at an architectural level means “a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries.” In other words—and crucial to SASE—yesterday’s security and network technologies and designs won’t even start to address the prevalence of cloud-delivered threats or attacker abuse of cloud apps, or the increasingly acute need for security and networking teams to more effectively converge and collaborate.
A call for transparency
In general, the attention paid to cloud security by the Executive Order is refreshing. It reads as a present-day discussion, covering everything from compliance to information sharing, rather than describing cloud and the need to secure data accessed from the cloud as some kind of “coming thing” that agencies still have plenty of time to prepare for.
Investing in people, processes, and technologies that properly implement Zero Trust controls in a cloud-first IT environment will do a lot to prevent and mitigate attacks, and the Executive Order discusses the need for transparency as a means to strengthen areas such as supply chain security. The Executive Order also asks various stakeholders to recommend to the Federal Acquisition Regulatory (FAR) Council an updated framework for contract language identifying the nature of cyber incidents that require reporting, the types of information regarding cyber incidents that require reporting, time periods within which contractors must report cyber incidents “based on a graduated scale of severity,” and other factors, including contract language. This is all well and good.
However, there is a bigger picture aspect to this that the Executive Order does not cover. How will our education system make cybersecurity a core piece of the curriculum, such that we can drive young people to adopt cyber careers early on and think of it as a rewarding, aspirational career path? We will make gains in the present by evolving how we think about security architecture. But we need to ensure a future in which our citizens, at a young age, are trained and have the right resources to uplift our cyber capabilities. This is another area where the current administration coul