3 Takeaways on Zero Trust From Executive Order 14028

In May 2021, the Biden Administration issued Executive Order (EO) 14028, charging federal agencies with the task of enhancing cybersecurity and specifically recommending Zero Trust security practices.  

The EO came on the heels of the COVID-19 pandemic, which accelerated digital transformation for many organizations in the public and private sector. Nearly overnight, organizations shifted to remote work and cloud migration became a more immediate requirement.

In addition, multiple high-profile cyberattacks significantly impacted supply chains, including SolarWinds, Colonial Pipeline, and JBS meat processing. 

Now, a year after EO 14028, it’s possible to look back and see what progress has been made in implementing Zero Trust across federal agencies.  

Illumio’s Gary Barlet, Federal Field CTO, joined Nicolas M. Chaillan, former CISO of the U.S. Air Force and Space Force, to discuss the impact of EO 14028 in a webinar organized by the Institute of Critical Infrastructure Technology (ICIT).  

Watch the webinar here:

Continue reading to learn three major takeaways from their discussion.

EO 14028 helped increase Zero Trust implementation 

Both Barlet and Chaillan agree that there has been progress towards Zero Trust since last May’s executive order. The order has helped security teams at federal agencies – and private organizations – continue discussions and get funding for Zero Trust initiatives.  

As Barlet and Chaillan said, “An executive order never hurts.” 

Most importantly, security teams now have government-backed evidence for Zero Trust security strategies.  

“It makes it a lot more helpful for those trying to implement Zero Trust to have something to point to and use as a reference,” said Barlet.  

And for many agencies, discussions about Zero Trust began with the executive order. According to Challain, it helped change people’s minds about Zero Trust, moving consensus away from traditional cybersecurity models towards modern best practices. 

This follows Zero Trust’s growing private-sector success in the last few years — and shows how far the federal government and military are lagging in cybersecurity. 

“The next couple of years will be an interesting time with more Zero Trust successes. It’s a change in mentality that’s necessary going forward to succeed,” explained Barlet.  

Federal agencies use Zero Trust to minimize the impact of inevitable breaches

Beyond an executive order, Zero Trust has real benefits for protecting organizations against today’s sophisticated cyber threats.

Legacy security tools have focused on the perimeter, but the dispersed, hyper-connected nature of modern networks means the perimeter no longer exists the way it once did. This leaves networks vulnerable to attack. 

“Story after story, year after year, we hear people spending all this money trying to prevent a breach, but there’s no discussion about what happens after a breach occurs,” said Barlet.  

A Zero Trust strategy assumes breaches will occur and offers ways to mitigate the impact of an attack once it occurs.  

However, both Barlet and Challain agree that there has been some confusion about what Zero Trust means in practice – and how it fits into existing security architectures.  

“Zero Trust seems to imply that you’re not going to try to prevent breaches – and that’s not the case,” explained Barlet. “We’re not going to give up on trying to prevent a breach, but let’s also plan for that one mistake or vulnerability that allows a breach to get in and how we can prevent a catastrophic attack.”  

Overall, Barlet and Challain recommended agencies get visibility into network flows, turn off unnecessary communication, and implement Zero Trust Segmentation, also known as microsegmentation, to limit the spread of a breach.  

Zero Trust Segmentation for federal agencies: Just start somewhere 

Though the idea of segmenting the network has been around for years, Barlet and Challain discussed the ways today’s sprawling networks make traditional segmentation methods using IP addresses or VLANs nearly impossible. They both advocate for segmentation to be on a much smaller scale.  

In particular, Barlet said networks require Zero Trust Segmentation to protect against the ever-increasing number of users, applications and environments that open vulnerabilities for attackers to enter.  

Despite the pressing need for Zero Trust Segmentation, Barlet and Challain noted that many agencies are overwhelmed by the process.  

“You need to know who’s accessing what, where, and when. Then, you need to know which of those communication flows are unnecessary and can be blocked. When you take all those questions as a whole, it’s very daunting,” said Barlet. 

There’s no need to complete an entire Zero Trust Segmentation project at once. Barlet and Challain recommend an incremental approach to avoid high costs, confusion, and potential administrative bloat. 

“Don’t try to do everything at once. Just start somewhere,” said Barlet.  

By narrowing the scope of a Zero Trust Segmentation project at the start, Barlet and Challain agreed that agencies can: 

• Avoid being overwhelmed by the details. 
• Immediately improve their cybersecurity posture. 
• Get an opportunity to prove Zero Trust’s efficacy for future initiatives. 

“The only way you’ll get anywhere in your Zero Trust journey is to get started. Success breeds success,” said Barlet. 

Get more information on Illumio and Zero Trust Segmentation:  

• Learn more about how governmental organizations can stop the spread of breaches with Illumio.
• Download the Forrester Wave reports naming Illumio a Leader in both Zero Trust and microsegmentation.   
• Take ESG’s Zero Trust Impact Assessment to learn how to get more out of your Zero Trust strategy. 
• Contact us today to schedule a consultation and demonstration.