Getting buy-in from agency leaders to prioritize investments into zero-trust security has been challenging. But the pandemic — resulting in work-from-home initiatives and the loss of physical access controls — is forcing agency leaders to throw their security and access planning assumptions out the window.
With the loss of the ability to manage devices, control software updates and establish trust for users accessing government systems, CIOs and CISOs need to build security strategies that future-proof their agency against new threats and cyber risks, according to a new report.
The FedScoop report, “Pandemic Forces Agencies to Accelerate Zero Trust Security Plans,” underwritten by Duo Security, looks at two key pillars of establishing zero trust: centralized authentication and strong digital identity capabilities.
Core tenets of zero trust
“Ideally, agencies want to get to a place where it doesn’t necessarily matter what credential an employee was issued, or whether or not the employee is using a managed device. With strong MFA and identity assurance, the organization can centralize a policy engine in such a way as to determine whether or not access should be granted,” says the report.
That means reprioritizing what security and access controls look like when establishing trust for both users and devices, according to Helen Patton, advisory CISO at Duo Security, now part of Cisco.
At the top of risks to address, says Patton, are compromised privileged accounts, which allow for the lateral spread of breaches across the network. This is especially true with shared administrative accounts.
“If agencies are still using accounts with just a password and no multi-factor enacted, they are missing critical controls to authenticate that the user is who they say they are,” Patton warns.
She goes on to explain that in shared admin accounts, “agencies give multiple users access to a primary username and password. These are the kinds of weaknesses threat actors hope to exploit to gain access and move laterally across the network.”
Two of the core tenets of zero trust require that an organization see where authentication is occurring — at the application level — to enact policy engines where they will be most effective; and authenticate digital identity to gain insight into the network, the perimeter and what devices are accessing agency resources.
Zero trust controls in action
Patton illustrates how these modern security controls can work during an active security incident.
In January 2021, when Apple announced the iOS 14 vulnerability, Duo’s parent company, Cisco, implemented a policy change for access authentication.
“In a matter of minutes, Cisco rolled out the policy to all of its protected applications accessed by more than 400,000 endpoints, making it a requirement for devices to install the iOS 14.4 update before they were able to connect to the network,” explains Patton.
At the end of the day, dynamic policies helped Duo and Cisco push policy updates across the network and place responsibility with the user to manage their device and access.
This article was produced by FedScoop and sponsored by Duo Security.