It’s been 18 months since the president issued an executive order (EO) compelling federal agencies to modernize their cybersecurity capabilities in the face of growing threats from around the world. The recommended Zero Trust strategy would enable federal security teams to better understand their adversaries, identify where federal infrastructure was vulnerable, and work within a standardized, coordinated response process.
We’re now just a few months until the deadline to begin implementation, and we’re seeing varying degrees of success. On one hand, the DoD is well on its way toward rolling out Cloud Based Internet Isolation (CBII) for the Defense Information Systems Agency (DISA). Yet, recent data shows that only one in four defense contractors meets Pentagon cybersecurity standards. With federal agencies continuing to fall victim to high-profile breaches and the Russia-Ukraine conflict increasing the risk of cyberattacks against the U.S., it doesn’t look like cyberthreats targeting the federal government will be slowing down any time soon.
According to the Agency Guide to Zero Trust Maturity, more than nine out of ten federal officials responsible for cybersecurity are confident in their agency’s ability to defend against cyberthreats, and nearly two-thirds (63%) expect to meet the executive order requirements on time or early. Already, three-quarters (76%) have a formal Zero Trust strategy in place, while more than half (52%) are actively implementing one.
Yet, challenges remain. Nearly 60% of federal officials say that one of the primary challenges to implementing Zero Trust architecture is rebuilding or replacing existing legacy infrastructure, roughly half are having trouble identifying what technologies they need, and 48% think their agencies lack sufficient IT staff expertise.
It’s clear that federal agencies are hamstrung in their efforts to abide by the EO and implement a Zero Trust approach to cybersecurity — mainly because of their continued reliance on traditional detect-and-respond security solutions. Making security flexible and dynamic enough to protect today’s distributed agencies is extremely difficult with security architecture designed for the hub-and-spoke world.
Today’s increasingly sophisticated threats leverage highly evasive techniques to get around these traditional security tools, gain initial access to vulnerable endpoints, and then spread laterally throughout the network to steal sensitive data or deploy malicious payloads. These Highly Evasive Adaptive Threats (HEAT) rely on expanding threat surfaces resulting from digital transformation, cloud migration, and the expansion of remote working to target agencies’ weakest link — the user — by preying on people’s trusting human nature. All it takes is a single click or download of malicious content, and the network could be breached. In IT environments as sensitive as national security and as wide-ranging as public services, this risk is too great to be left unprotected.
Federal agencies need to evolve from a network-centric security approach to a use case–focused approach. Security should follow users, applications, and their workloads regardless of the underlying infrastructure. But change is hard and disruptive and can lead to unsustainable technical debt, leaving the agency more vulnerable to attack than before.
Federal agencies need to buy some time as they continue to implement their Zero Trust strategies. As they work on turning security on its head, agencies should immediately implement a cloud-based web isolation solution. Taking a Zero Trust approach, web isolation creates a virtual air gap between the user and the rest of the Internet — preventing any content, whether it’s malicious or not, from gaining direct access to the end device. Routing all traffic through an isolated layer in the cloud protects users from these HEAT attacks by cutting off access, essentially rendering them impotent.
Here are five ways that federal agencies can benefit from implementing a cloud-based web isolation solution immediately:
Web isolation allows federal agencies to focus on the first step in the MITRE ATT&CK framework — initial access. Stopping adversaries from gaining that initial foothold on an end device prevents them from lying in wait, probing the network, and looking for a high-profile target. After all, a threat can’t spread through the network if it can’t even get access. Web isolation essentially closes the door for threats on distributed laptops, mobile devices, Software as a Service (SaaS) platforms, multi-cloud environments, and other vulnerable endpoints.
Traditional detect-and-respond security solutions are an important component of a holistic security strategy, but they must be augmented with preventative solutions. Web isolation can sit on top of the existing security stack, acting as an additional security layer. No integrations with other security tools are necessary. No endpoint configurations. No complex rules or policy engines to manage. Web isolation serves as a virtual air gap between the user and any content on the Internet, completely preventing threats from getting anywhere near endpoints.
Once you know that your users and endpoints are protected, you can then start to modernize a clearly outdated security architecture that was designed for a different world, where 90% of users and applications sat inside the firewall. As more and more business is shifted to the web, updating security infrastructure to be user or application focused rather than network focused becomes much more important. Web isolation gives you the peace of mind to tear down and replace those archaic architectures without completely opening the door and putting the agency at risk.
A cloud-based web isolation solution extends security protection wherever you do business — whether it’s in a field office, at home, or poolside while on vacation. It also scales with capabilities and can be changed quickly and seamlessly without disruption. This essentially allows agencies to deploy security as code. However, there may be some instances when policies and security pressures require an on-premises solution. Many web isolation solutions can be deployed in the cloud or as a client — ensuring that agencies have the flexibility to meet any requirement.
The worst security solutions make things difficult for users — requiring them to use a different browser, deal with performance degradation, or be shut off from some segments of the Internet. These disruptions and changes to workflows encourage users to find risky work-arounds. The best web isolation solutions are transparent to the user and preserve the native browser experience. They are able to determine the intent of the entity in a very risk-free way without complex tooling or rules, making the Internet look, feel, and perform like — well, like the Internet.
Federal agencies are quickly approaching the deadline to start implementing their Zero Trust cybersecurity strategies outlined in the president’s executive order. Web isolation will allow agencies to kick-start those implementations in a seamless, nondisruptive manner. Layered on top of the existing security stack, web isolation will allow agencies to proactively protect users from increasingly sophisticated threats — giving them the opportunity to rethink and rebuild their security infrastructure without increasing risk. It’ll also put them on the road to creating agile, dynamic security policies that can be deployed as code anywhere in the world, allowing federal employees to carry out their mission wherever they are needed.