A few decades ago, cyberattacks rarely made headlines. Today, it’s hard to go one day without being notified of a breach. Over the pandemic, ransom attacks alone grew by 150%, and global cybercrime damages are predicted to cost up to $10.5 trillion annually by 2025.
But hackers aren’t just targeting huge companies like CNA Financial anymore; they are also targeting US infrastructure and state municipalities. These attacks are becoming so prevalent that in May 2021, the Biden administration released an Executive Order on Improving the Nation’s Cybersecurity. The order decrees that federal agencies must adopt Zero Trust principles as they overhaul decades-old networks.
Although the new “good-enough-for-government” cybersecurity mandate is for federal US agencies, small to medium-sized enterprises (SMEs) should be embracing the same preventative measures to protect themselves and their customers. In this piece, we’ll talk about the purpose of Biden’s Zero Trust mandate, how it should work in practice, and how you can apply similar techniques in the private sector.
What Is the Purpose of the Zero Trust Mandate?
The growing rate of cyberattacks and the need to migrate agency work to cloud infrastructures have necessitated a change in how the US protects its systems and data. As a first step, the Biden administration is implementing a Zero Trust mandate based on the Zero Trust model. This is a complete paradigm shift in the way the government has secured its infrastructure, networks, and data in the past.
Rather than relying on a single verification at the perimeter, US agency users, devices, applications, and transactions will now be verified before being granted access. Beyond that, network access will be limited and monitored, and system data will be continuously collected and analyzed. While it won’t happen overnight, the Biden administration sees the Zero Trust mandate as a means to safeguard US citizens’ privacy, preserve the economy, and bolster trust in the government.
What the Zero Trust Mandate Means in Practice
Eventually, the US government wants to get to a place where no system, actor, network, or service operating within or outside of a security perimeter is trusted by default. To achieve this, agencies will need to enable:
- Intelligent security automation
- Identity and access management (IAM)
- Encryption and application testing
- Asset inventories
- Safe use of cloud services
These elements might sound familiar, as they also contribute to a robust Zero Trust security model in the private sphere. For example, multi-factor authentication (MFA), VPN, conditional access, and single sign-on (SSO) are staple security practices in many large US companies. In fact, 24% of IT professionals have already adopted Zero Trust security, and 33% more plan to implement it by the end of 2021.
SMEs are starting to follow suit, too. They’ve realized that without Zero Trust security, they aren’t just compromising the integrity, confidentiality, and accessibility of their own data; they are also potentially exposing their customers’ data. On top of that, remote work is becoming mainstream. With more cloud-based applications in use, securing digital workspaces becomes even more critical.
5 Regulations From the Zero Trust Mandate Every Business Should Emulate
The federal government has a lot of work to do in the coming months to fully adopt a Zero Trust model. However, to make the strategic overhaul more manageable, they’ve broken it down into eighteen requirements each agency must achieve by 2024. While nearly all of these conditions are relevant to business owners, five should be a part of any organization’s security framework.
- One single sign-on for all applications – Like the government, companies have different divisions that use different cloud-based tools. Using one single sign-on to access all applications narrows risk and increases productivity.
- Eliminate MFA that includes texted codes – Multi-factor authentication is a hallmark of Zero Trust security, but delivering codes by text message is essentially an invitation for smishing (SMS phishing). Instead, use push notifications or universal second factor to authenticate.
- Eliminate archaic password policies – Forcing staff to remember long, complex passwords and change them every two weeks is an annoying exercise that many employees don’t take seriously. Consider using a password manager so staff can use long, unique passwords without memorizing them, and make sure any system that stores passwords protects them with salted one-way hashing rather than reversible storage.
- Encrypt and segment traffic – When transmitting data over public networks, you need traffic and transmission encryption to thwart attackers trying to slip from one application to another. Industry-standard authentication protocols such as LDAP, RADIUS, and SAML, together with agent-based binding, can help encrypt and segment that traffic when they are deployed over encrypted transports.
- Reduce the use of VPNs – Cyberattackers are getting smarter by the day, finding new ways to penetrate company VPNs and gain unauthorized access to sensitive data and systems. Privileged access management, or PAM, can expose an individual internal system securely to the internet without granting broad network access, which reduces the need for a VPN.
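The password-policy item above mentions salted one-way hashing. The following is an added example of what that looks like in practice; it is illustration written for this page, not code from the original post or from JumpCloud. It assumes PBKDF2-HMAC-SHA256 from Python’s standard library, a 16-byte random salt, a self-describing record format of the form `algorithm$iterations$salt$hash`, and an iteration count chosen here as a placeholder cost factor. It also covers the upgrade path the item implies: when policy raises the cost factor, records hashed under the old setting are transparently re-hashed at the next successful login.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

# Assumed parameters for this example (not from the original post).
# The iteration count is a tunable cost factor; raise it as hardware gets faster.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 210_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    The salt is generated fresh per password, so two users with the same
    password never share a hash, and precomputed tables are useless.
    The derivation is one-way: nothing in the record lets you recover
    the password; you can only check a candidate against it.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "$".join(
        [
            ALGORITHM,
            str(iterations),
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(digest).decode("ascii"),
        ]
    )


def _parse(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, digest)."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and parameters and compare."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # Constant-time comparison so response timing does not leak how many
    # leading bytes of the digest matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record was made with a lower cost than current policy."""
    stored_iterations, _, _ = _parse(record)
    return stored_iterations < iterations


def login(password: str, record: str) -> Tuple[bool, str]:
    """Verify a login attempt; on success, upgrade a weak record in place.

    Returns (accepted, record_to_store). The caller persists the returned
    record, which is unchanged unless the password was correct and the
    old record fell below the current cost factor.
    """
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample: a record created under an older, weaker policy.
    legacy = hash_password("correct horse battery staple", iterations=1_000)
    accepted, stored = login("correct horse battery staple", legacy)
    print("accepted:", accepted, "upgraded:", stored != legacy)
```

Only the record is ever persisted; the plaintext password exists in memory just long enough to derive the hash. Because the iteration count travels with each record, old and new records can coexist in the same table while the upgrade rolls out one login at a time.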
Applying Zero Trust in Your Organization
The federal government isn’t necessarily known for being on the cutting edge of innovation, but in this case, they might be further along in their security journey than you are. If you’re an IT admin or decision-maker in a small or midsize enterprise that hasn’t implemented a Zero Trust architecture, you need to.
Having a Zero Trust security policy is a must-have in this unprecedented cybercrime climate. Zero Trust security models streamline your security measures, create a more straightforward experience for your employees, and serve as a foundation for completing SOC, HIPAA, GDPR, and PCI compliance requirements. While it can seem like a daunting project, there are software products and comprehensive platforms that can help.
JumpCloud’s Directory Platform is a comprehensive cloud directory that can natively apply and maintain Zero Trust protocols. With a built-in core identity provider, integrated multi-factor authentication, LDAP and RADIUS authentication, system management features, and web authentication, your company can unify IT resources, all while providing a more secure workplace. To learn more about the JumpCloud platform, sign up for a free account to see it in action. You can secure up to 10 users and 10 devices for as long as you need until you scale to more.