Netskope applauds the White House’s Executive Order on Improving the Nation’s Cybersecurity, especially the rigor with which short-term deadlines and some clear-cut plans of action are described.
DarkSide ransomware and the attack on the Colonial Pipeline is just one recent example of events that have disrupted national critical infrastructure and put the privacy and safety of millions of individuals at risk. Public-private partnerships have never been more important than they are today, and tight, politics-free collaboration is imperative if we’re to evolve our cyber defenses. We are pleased to see the Biden Administration stepping up to support this hugely important priority, and we plan to continue Netskope’s work with government, industry, and our customers and partners to further this agenda.
A continuous Zero Trust mindset
The White House’s Executive Order highlights many specific areas of interest for not only federal government security, but how we should be thinking about security and network architecture everywhere. As the Executive Order notes:
“To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”
According to the Executive Order, agency heads are required to update existing agency plans, develop a plan to implement Zero Trust Architecture based on current NIST migration steps, and report on progress—within 60 days of the order. This is powerful, not least because it helps bring Zero Trust back down to earth from how over-marketed the term has become in recent years. It helpfully frames Zero Trust in architecture terms—something Netskope has also underscored and that we’re seeing as common to the success of our many customers worldwide.
In a modern architecture, Zero Trust principles should be judiciously applied, adaptively and continuously. But today, many organizations don’t have much more than isolated “Zero Trust projects” focused on networks, users, devices, or isolating servers. The main miss on most of these projects is that they are focused on application-level access and other pieces, but not focused on the data. Architecturally, we must go beyond access control and isolation to provide continuous Zero Trust: real-time access and policy controls that adapt on an ongoing basis based on users, devices, apps, threats, and data context.
This data-centric approach is the only effective way to dynamically manage risk across a mix of third-party applications and a remote-first workforce that needs always-on access to cloud apps and data to stay productive. As the Executive Order calls out in Section 10, item K:
“Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources…”
Proper application of Zero Trust principles is also a critical step toward Secure Access Service Edge (SASE) architecture. SASE isn’t specifically mentioned by the White House’s Executive Order, but as the Order explains, applying Zero Trust at an architectural level means “a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network b