Government leads industry in adopting zero-trust security architectures with 72% of agencies reporting at least one related initiative underway, according to an Okta-commissioned report released Tuesday.
Pulse Q&A surveyed about 700 security experts across government and industry globally and found 86% of agencies increased their budgets for zero trust programs in the last year.
Budgets have swelled following the issuance of the federal zero trust strategy in January that, while unfunded, mandated agencies submit enhanced implementation plans annually. In addition to adjusting their budgets, some agencies have applied for Technology Modernization Fund money to support zero trust initiatives.
“We’re all dealing with the same problems that we’ve always been dealing with,” Sean Frazier, Okta’s chief security officer, told FedScoop. “But the good news is the budgets are there; the knowledge and understanding are there on what we need to do to shore up and protect those things.”
Most agencies appear to be referring to the Zero Trust Maturity Model’s five pillars — identity, devices, networks, applications and workloads, and data — to guide their implementations and are starting with identity, Frazier said.
Of the agencies Pulse Q&A surveyed, 66% had already implemented multi-factor authentication (MFA) for employees, with an additional 41% planning to do so within 12 to 18 months. Those numbers were lower, 45% and 31% respectively, when implementing MFA for citizens.
Agencies that have been doing identity, credential and access management (ICAM) for a while may be looking to increase funding for secure access solutions, which generally leads them to micro-segmentation, Frazier said.
The agencies helping Okta obtain Federal Risk and Authorization Management Program authorizations are exploring identity-as-a-service, providing it to employees like they do laptops, Frazier said. That’s unlike the last 20 years of software development, where apps have traditionally been deployed with standalone identity systems — leaving agencies to figure out how to make single sign-on work across them all.
Not only does identity-as-a-service allow agencies to manage identities, onboard and offboard users, apply MFA, and secure single sign-on, but it helps them push scarce identity expertise within their organizations down to an app’s endpoints, Frazier said. The National Initiative for Cybersecurity Education (NICE) Workforce Framework, guidance many agencies use to establish their cyber work roles, doesn’t include a distinct ICAM work role — instead prescribing the requisite knowledge, skills, abilities and tasks (KSATs) to other work roles like cyber defense analyst.
“If you can have identity-as-a-service, then that’s where that technical talent lives,” Frazier said. “And you don’t necessarily have to have 100 people that know ICAM.”
One global priority that government doesn’t seem to share currently is passwordless access, which only 3.5% of agencies have implemented and another 3.5% plan to implement in the next 12 to 18 months. For comparison, within the financial services sector, 1.9% of companies have implemented passwordless access, but 21.7% intend to in 12 to 18 months.
While widespread adoption of smartcards in the early 2000s eliminated the federal workforce’s need for passwords, the growth of citizen-facing services that require login has seen their return because they’re easy, Frazier said.
“We’re still talking about MFA and shoring up protections, when people are using passwords,” Frazier said.