President Biden published an executive order aimed at improving cybersecurity in the U.S. While it gives directions to government agencies and their vendors, it’s clear that the recommendations are to be taken seriously in both the private and public sectors. This comes as no surprise after recent reported attacks, including SolarWinds and the shutdown of a major oil pipeline.
While the executive order touches several areas of cybersecurity, I would like to highlight some notable ones that became extremely relevant with the work-from-home trend.
The adoption of the Zero-Trust model was accelerated when the pandemic hit the world and employees had to work from home. Soon the new reality for many organizations came down to employees everywhere, applications rapidly moving to the Cloud, and VPN usage skyrocketing. It was the recipe for a perfect storm and time to rethink security policies. The Zero-Trust architecture was designed to address exactly this kind of situation. And it’s no different for the government. Section 3(a) is clear about that when it states: “The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS) (…)”. Moreover, Section 3(b)(ii) dictates that within 60 days agencies shall “develop a plan to implement Zero Trust Architecture” in line with NIST recommendations.
The days when some viewed multi-factor authentication as optional are long gone, and companies should see it as a non-negotiable requirement in their security practice. With so many credential-related attacks happening every day, protecting identities and access to platforms and information shouldn’t be debatable. Moreover, implementing Zero-Trust requires identifying with certainty both the user trying to access the protected resource and the endpoint being used for that purpose. There is no way to establish trust during authentication except by using multi-factor authentication. It’s one of the foundations of any Zero-Trust implementation, no matter how large or small your company is. That fact is reflected in Section 3(d): “(…) agencies shall adopt multi-factor authentication and encryption of data at rest and in transit (…)”. And the private sector is not spared; Section 4 outlines measures to enhance software supply chain security.
Overall, the executive order is quite detailed and provides a timeline that government agencies and vendors must comply with. But the main message I want to deliver regarding this announcement is that it is an outstanding step in protecting the country from cyber warfare, a step that every country concerned about security should follow. It’s also a reminder to other industries and organizations that we all need to implement security measures to avoid being the next target.