3 First Steps Towards Adopting Zero Trust
An interview with Michael Phetteplace, Director of Cybersecurity, Sterling
The Biden administration’s recent executive order (EO) on cybersecurity, EO 14028 of May 2021, has put zero trust security at the top of the agenda.
By directing federal agencies to develop plans for adopting zero trust security for network architectures, the EO makes a strong case for why state and local agencies should follow suit.
“Zero trust security is about eliminating our bad habit of allowing implicit trust in our systems,” said Michael Phetteplace, Director of Cybersecurity at Sterling, an IT solutions provider. “In the past, everyone took for granted that perimeters were secure and wouldn’t be breached. Now, everyone needs to understand that breaches are inevitable and plan accordingly.”
Phetteplace shared three important steps that can help agencies start implementing the directive to adopt zero trust security:
1. Adopt multi-factor authentication
Multifactor authentication (MFA) strengthens the login process by requiring a user to present two or more independent proofs of identity. The traditional username and password is augmented with factors that are harder to steal or guess, such as hardware or software tokens, SMS passcodes or fingerprints. Of these, SMS passcodes are the weakest: they can be phished in real time or intercepted through SIM swapping, so authenticator-app or hardware-token factors are preferable where available. Only once every required factor is verified does the user gain access to resources such as data or networks.
“Multifactor authentication has become a fundamental security requirement,” Phetteplace said. “It is the first line of defense against credential compromise.”
MFA raises agencies’ confidence that users are who they claim to be. A stolen, guessed or reused password alone no longer grants access; the attacker must also compromise a second, independent factor, which is considerably harder.
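As an added worked example (not code from the article or from Sterling), the Go program below implements the software-token factor mentioned above: a time-based one-time password verifier as specified in RFC 6238, built on HOTP (RFC 4226). It uses the RFC’s published test secret, the usual 30-second step and six digits, a constant-time comparison, and a one-step clock-skew window. The secret and the skew value are assumptions for illustration; in a real deployment the secret is random per user and held server-side.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// Period and digit count are the defaults used by common authenticator apps.
const (
	totpPeriod = 30
	totpDigits = 6
)

// hotp computes an HOTP value (RFC 4226) for a counter using HMAC-SHA1.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low 4 bits of the last byte select a 4-byte window.
	off := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totpAt returns the TOTP code valid at the given Unix time (RFC 6238).
func totpAt(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/totpPeriod), totpDigits)
}

// verifyTOTP checks a submitted code against the current time step and
// `skew` steps either side, using a constant-time comparison so the
// comparison itself leaks nothing about the expected code.
func verifyTOTP(secret []byte, code string, unix int64, skew int) bool {
	ok := false
	for d := -skew; d <= skew; d++ {
		candidate := totpAt(secret, unix+int64(d)*totpPeriod)
		if subtle.ConstantTimeCompare([]byte(candidate), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// RFC 6238 test secret (assumed here for illustration); real secrets are random per user.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totpAt(secret, now)
	fmt.Println("current code:", code, "verifies:", verifyTOTP(secret, code, now, 1))
	stale := totpAt(secret, now-300)
	fmt.Println("five-minute-old code verifies:", verifyTOTP(secret, stale, now, 1))
}
```

Two checks a production verifier adds on top of this: remember the time step of the last accepted code and reject that step or any earlier one, so a code phished from the user cannot be replayed within the window; and rate-limit attempts, since a six-digit code gives one guess in a million per try.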
2. Segment networks
Network segmentation is another cornerstone of zero trust security. It divides the network into zones by sensitivity and function and permits only the traffic each zone actually needs, denying everything else by default.
“Agencies need to take a fresh look at their environments,” Phetteplace said. “Assets that don’t need to communicate with one another shouldn’t be granted the ability to do so.”
Segmentation also limits the blast radius of an incident. If an attacker compromises one workstation or server, the boundaries between segments stop them from moving laterally to the systems and data stores beyond it, so a single foothold does not become an agency-wide breach.
3. Encrypt data
Data encryption converts information into a form that only parties holding the correct key can read. Agencies hold sensitive information about the public they serve, such as Social Security numbers, so encrypting that data at rest and in transit limits the damage when a system holding it is breached.
“If attackers get access to data, it is of little use to them if it is properly encrypted,” Phetteplace said. “Also, have we secured encryption keys and mechanisms properly? We need to ensure we don’t provide bad actors the capability to decrypt our data.”
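As an added example (not code from the article or from Sterling), the Go program below shows one standard way to act on both halves of that quote: envelope encryption with AES-256-GCM. Each record is encrypted under its own data-encryption key (DEK), and the DEK is stored only after being wrapped by a key-encryption key (KEK) that lives elsewhere, such as an HSM or a cloud KMS. The record identifier and the sample SSN value are constructed for illustration, and the KEK is generated in memory purely so the example runs stand-alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedRecord is what gets written to the data store: the record encrypted
// under a one-time DEK, plus that DEK wrapped under the KEK. The KEK itself never
// appears here, so a copy of the store alone cannot be decrypted.
type EncryptedRecord struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK, aad=recordID)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext, aad=recordID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce and prepends the nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. GCM authenticates, so any change to the ciphertext,
// the nonce or the associated data makes Open fail instead of returning garbage.
func open(key, data, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], aad)
}

// EncryptRecord draws a random 256-bit DEK, encrypts the record with it, then wraps
// the DEK with the KEK. recordID is bound in as associated data so a ciphertext
// cannot be silently moved from one record to another.
func EncryptRecord(kek, plaintext []byte, recordID string) (*EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the record.
func DecryptRecord(kek []byte, rec *EncryptedRecord, recordID string) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, []byte(recordID))
}

func main() {
	// Assumption for the stand-alone demo: in practice the KEK is held in an HSM/KMS,
	// never generated or stored beside the data.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(kek, []byte("SSN=123-45-6789"), "citizen/42") // constructed sample
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(kek, rec, "citizen/42")
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
	rec.Ciphertext[len(rec.Ciphertext)-1] ^= 1 // flip one bit of the stored ciphertext
	_, err = DecryptRecord(kek, rec, "citizen/42")
	fmt.Println("after tampering:", err)
}
```

Keeping the KEK out of the data store and its backups is what makes a stolen database the “little use” the quote describes; rotating the KEK means re-wrapping the small DEKs rather than re-encrypting every record, and a nonce must never be reused with the same key.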
Companies like Sterling can give agencies the building blocks they need to implement zero trust security agencywide – whether it is from users to networks to data centers or to the cloud. In addition, Sterling provides solutions that automate cybersecurity processes for agencies using artificial intelligence (AI) and machine learning, gathering and processing threat intelligence from multiple sources at machine speed.
Over time, the more that agencies embrace the EO’s message, the more public-sector employees can focus on scoring mission wins.
The Technology Modernization Fund
The Technology Modernization Fund (TMF) is a pool of funding loaned in installments to federal agencies for technology modernization projects like cybersecurity initiatives.
$1 billion
the funds Congress provided to the TMF for modernization efforts — including cybersecurity — as part of the American Rescue Plan. Signed into law on March 11, 2021, the $1.9 trillion bill aims to stimulate the economy in response to the COVID-19 pandemic. Source: General Services Administration (GSA)
4
the number of top priority categories available for potential TMF proposals. In May 2021, cybersecurity was listed alongside modernizing high-priority systems, public-facing digital services, and cross-government services and infrastructure as top priority proposal categories. Source: GSA
State Government Cybersecurity
State agencies often have more budget dollars and employees than their local peers, but fewer of these resources than their federal equivalents.
No. 1
the ranking state chief information officers (CIOs) assigned to cybersecurity and risk management when asked to rate their top 10 priorities for 2021. Source: National Association of State Chief Information Officers (NASCIO)
8
the number of consecutive years state CIOs ranked cybersecurity and risk management first among their top 10 priorities as of January 2021. Source: NASCIO
StateRAMP
StateRAMP is a nonprofit organization that certifies cloud solutions that meet basic cybersecurity standards for holding state and local data. The group is modeled after the Federal Risk and Authorization Management Program (FedRAMP), which determines if cloud solutions meet certain security requirements for storing federal data.
January 2021
StateRAMP launched after being conceived in February 2020.
Source: StateRAMP
April 2021
StateRAMP membership officially opened to state and local government officials and cloud providers.
Source: StateRAMP
State Cybersecurity and IT Modernization Rankings
The Internet Association’s (IA) State, Local, Tribal, and Territorial Information Technology Advancing Reform Achievements (SITARA) scorecard rates states’ cybersecurity preparedness and IT modernization strategies.
0
states achieved “exceptional” or “excellent” ratings for either their cybersecurity preparedness or IT modernization plans in 2020. The SITARA scorecard’s other rankings are “very good,” “good,” “baseline,” “getting started” and “needs help.”
Source: IA
3
states scored “very good” on their cybersecurity preparedness and IT modernization plans in 2020: California, Florida and Minnesota.
Source: IA