Survey finds federal agencies embracing zero-trust security model
Nearly half of federal government IT executives in a new survey said their agencies are moving away from traditional network perimeter defense tactics and taking steps to adopt identity-centered, or zero-trust, security strategies to protect their digital resources.
The survey also found that executives at agencies that have developed security strategies in line with the administration’s Federal Identity, Credentialing and Access Management (FICAM) policy requirements reported being better positioned to:
- Improve their risk management and security posture.
- Expand more readily to multi- and hybrid cloud environments.
- Accommodate the rapid evolution of applications and devices accessing agency resources.
- Deliver superior user experiences for the public and federal employees further along in securing their assets.
The study presents a clearer picture of how well federal agencies are embracing the shift in security practices toward a perimeter-less data environment, where identity and authentication tools are the primary means of managing access to federal resources and information systems.
“Security Without Perimeters: Government’s shift to identity-centered access,” produced by FedScoop and underwritten by Duo Security, surveyed 171 prequalified government and industry IT decision makers in November 2019.
The findings not only show how far along federal agencies are in moving toward zero trust, but also point to accelerating interest in moving toward a password-less user experience and a wider range of multi-factor authentication practices.
The importance of identity-centered security
Part of the shift in security approaches reflects recent federal government mandates — from the Federal Data Strategy action plan to the OPEN Government Data Act — that are placing greater demands on agencies to use and protect government data more effectively.
At the same time, public and commercial enterprises recognize that perimeter defense tactics are no longer effective by themselves in protecting sensitive data from hackers and insider threats.
Agencies, however, are making mixed progress in adopting a zero-trust approach. About half (48%) of federal government IT decision-makers reported their agency is substantially on its way to adopting an identity-focused approach to protecting access to agency resources. However, 3 in 10 government respondents say their agency still relies heavily on perimeter defense tools or policies.
But for those implementing identity verification technologies, such as multifactor authentication, respondents report their agencies are able to accelerate their move to the cloud and to more modern applications and devices.
“By surrounding their data with precision identity and access controls, agencies can better secure their information and improve the user experience for employees and citizens,” the report suggested.
Among various authentication options available to agencies, respondents ranked multifactor one-time password; randomly chosen password/PIN; and out-of-band authenticators as their top three choices for where they plan to increase investments over the next two years.
And as organizations move away from username and password, technologies such as multifactor authentication and password-less user experience will become more relevant, suggest the findings. A little more than half of respondents indicated their agencies are planning to move towards a password-less user experience within the next two years.
Challenges to implementing identity-centered security
Moving to an identity-centric, perimeter-less data environment, however, requires a combination of policy, investment and technology decisions, the report noted.
A majority of government respondents confirmed that their agency has mostly or fully completed an inventory of the people, devices and other non-person entities accessing networks and applications — a necessary prerequisite to creating a zero-trust environment. However, between 41 and 48 percent of respondents said their agencies are still in the early stages of taking inventory.
And nearly half or more of respondents said their agency or organization has minimal to average capabilities in determining or ensuring the basic security capabilities required to establish a zero-trust environment — such as knowing which devices are owned by the enterprise and which are not, or whether communications and individual connections are secure.
Obstacles to adopting a zero-trust strategy vary, but the top three ranked reasons that agencies struggle are a lack of staff expertise, insufficient budget and a lack of standardized IT capabilities.
While the standards for creating a Zero Trust Architecture ecosystem are still evolving, agencies now have access to several valuable resources to guide their efforts, the report concludes, including:
- NIST’s draft publication on Zero Trust Architecture components and NIST’s “Digital Identity Guidelines” publication series.
- GSA’s guide to Identity Management and catalog of ICAM solutions and shared services.
- World Wide Web Consortium (W3C) standards for WebAuthn authentication.
Read the report, “Security Without Perimeters: Government’s shift to identity-centered access,” for detailed findings on the progress the federal government is making in moving to zero trust.
This article was produced by FedScoop and underwritten by Duo Security.
This story was featured in the FedScoop Special Report: Zero Trust: Evolving Government Cybersecurity.