Business & Technology
Because many areas of the Federal government are involved with the safety and security of the country, Federal agencies have to consider the implications of almost every security decision they make. Although private sector organizations and state or local governments are occasionally targeted by nation-state adversaries, Federal agencies are consistently in the crosshairs. The cybercriminals targeting agencies are not only motivated by money, they also may want to steal data, intellectual property, and national security information. These crimes are often more difficult to detect and may include the use of sophisticated Advanced Persistent Threats (APT). Protecting against these threats is critical to national security and in the case of elections, public perception and confidence in systems.
In making decisions about security solutions, agencies have to go beyond a standard risk versus benefit analysis that a private company might use. In areas such as national defense, healthcare, and financial systems, agencies can't discount the magnitude of the risks to critical systems that protect society and human life. But agencies don't have unlimited funds either. They have to deal with the realities of fixed budgets, the availability of skilled staff, and various other priorities competing for dollars.
An unfortunate reality is that many of the systems used in the Federal government need modernization. And as agencies have digitized their systems, the "IT footprint" has grown dramatically. The human and compute resources required to assess, procure, and maintain assets at government agencies are immense, particularly when you include operational technology (OT) and industrial systems with traditional IT. As they work to modernize IT, agencies need to consider where consolidation, cloud and "as a service" models make the most sense. Vendor and product sprawl is an issue along with finding the best value for the overall infrastructure. For example, instead of purchasing a point-product, choosing a next-generation firewall (NGFW) with Zero Trust Network Access (ZTNA) and SD-WAN capabilities built-in offers an opportunity to consolidate. This type of consolidation across multiple locations can dramatically reduce the number of components that must be managed and improve overall visibility and control because fewer management consoles and dashboards are needed.
In May 2021, the White House issued an Executive Order (EO) with the goal of improving the nation’s cybersecurity. Part of the EO directs agencies to advance toward a zero-trust architecture. In January 2022, the Office of Management and Budget (OMB) explained what that directive entails, stating that "the new strategy will serve as a comprehensive roadmap for shifting the Federal Government to a new cybersecurity paradigm that will help protect our nation."
A zero-trust architecture strategy is a systematic approach that replaces implicit trust with explicit trust after verification, and it's critically important to any modern cybersecurity strategy. With zero trust, any time an application, user, or device wants to communicate with something else, the transaction must be authorized before access is granted. Additionally, cybersecurity tools and capabilities are configured to provide situational awareness as inputs into the authorization decision, such as if the source or target is potentially infected by malware.
The move to a zero-trust architecture is a transition from the previous mindset of acquiring individual tools to solve usually disparate cybersecurity problems. This approach led to the current security tool sprawl problems many agencies are working to address now. Some agencies have over 50 tools in their environment. Shifting to a holistic outcome-based approach based on zero-trust principles will ease management burdens and improve the overall security posture. As the OMB succinctly points out, the "Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data." Digital transformation requires security transformation, and zero trust goes to the heart of the problem.
The third trend driving change is the need for greater participation and coordination with other agencies and the private sector. This collaboration may be in the form of sharing threat intelligence and best practices for deploying security solutions that share data and insights to help break down silos. Cybersecurity is a problem for everyone, and solving problems alone can be a monumental task. By working together, government and industry can more quickly identify, contain, and eradicate threats. Cybersecurity aside, many government operations are also increasing work with cloud and network service providers to help them scale and modernize infrastructure.
For agencies, setting up a zero-trust architecture is a radically different approach than before. The good news is, solutions already exist that meet the EO mandate from the White House and the guidance being provided by the Federal Government. Zero trust network access (ZTNA) provides a consistent level of security regardless of the user’s location. Today, at many organizations, ZTNA is replacing prior technologies such as VPN for remote access. The best approach is to set up "universal ZTNA" so access works the same way everywhere, both on-premises and off.
To start, agencies need to examine the security gaps in their organization from a zero trust architecture perspective and then look at vendors to see how they can deliver the solutions to help them meet the requirements outlined in the EO. Instead of the piecemeal approach of the past, agencies can implement universal ZTNA by starting with a next-generation firewall (NGFW) that functions as they core of their zero trust architecture. This holistic approach delivers unified visibility, automated control, and coordinated protection to secure endpoints, networks, and application access.
Fortinet implements ZTNA access control through a combination of FortiClient client software, FortiGate firewalls that serve as access proxies, and identity management services. And those agencies that already have FortiClients and FortiGates can use the ZTNA capability by simply upgrading to FortiOS 7.0 or above.
Keep updated on the latest industry trends: Industry Perspectives
Learn more about protecting government data and infrastructure against cyber threats.