The EO came on the heels of the COVID-19 pandemic, which accelerated digital transformation for many organizations in the public and private sectors. Nearly overnight, organizations shifted to remote work and cloud migration became a more immediate requirement.
Continue reading to learn three major takeaways from their discussion.
EO 14028 helped increase Zero Trust implementation
Both Barlet and Chaillan agree that there has been progress towards Zero Trust since last May’s executive order. The order has helped security teams at federal agencies – and private organizations – continue discussions and get funding for Zero Trust initiatives.
As Barlet and Chaillan said, “An executive order never hurts.”
Most importantly, security teams now have government-backed evidence for Zero Trust security strategies.
“It makes it a lot more helpful for those trying to implement Zero Trust to have something to point to and use as a reference,” said Barlet.
And for many agencies, discussions about Zero Trust began with the executive order. According to Chaillan, it helped change people’s minds about Zero Trust, moving consensus away from traditional cybersecurity models towards modern best practices.
Legacy security tools have focused on the perimeter, but the dispersed, hyper-connected nature of modern networks means the perimeter no longer exists the way it once did. This leaves networks vulnerable to attack.
“Story after story, year after year, we hear people spending all this money trying to prevent a breach, but there’s no discussion about what happens after a breach occurs,” said Barlet.
“Zero Trust seems to imply that you’re not going to try to prevent breaches – and that’s not the case,” explained Barlet. “We’re not going to give up on trying to prevent a breach, but let’s also plan for that one mistake or vulnerability that allows a breach to get in and how we can prevent a catastrophic attack.”
Overall, Barlet and Chaillan recommended agencies get visibility into network flows, turn off unnecessary communication, and implement Zero Trust Segmentation, also known as microsegmentation, to limit the spread of a breach.
Zero Trust Segmentation for federal agencies: Just start somewhere
Though the idea of segmenting the network has been around for years, Barlet and Chaillan discussed the ways today’s sprawling networks make traditional segmentation methods using IP addresses or VLANs nearly impossible. They both advocate for segmentation to be on a much smaller scale.
In particular, Barlet said networks require Zero Trust Segmentation to protect against the ever-increasing number of users, applications and environments that open vulnerabilities for attackers to enter.
“You need to know who’s accessing what, where, and when. Then, you need to know which of those communication flows are unnecessary and can be blocked. When you take all those questions as a whole, it’s very daunting,” said Barlet.
There’s no need to complete an entire Zero Trust Segmentation project at once. Barlet and Chaillan recommend an incremental approach to avoid high costs, confusion, and potential administrative bloat.
“Don’t try to do everything at once. Just start somewhere,” said Barlet.
By narrowing the scope of a Zero Trust Segmentation project at the start, Barlet and Chaillan agreed that agencies can:
Avoid being overwhelmed by the details.
Immediately improve their cybersecurity posture.
Get an opportunity to prove Zero Trust’s efficacy for future initiatives.
“The only way you’ll get anywhere in your Zero Trust journey is to get started. Success breeds success,” said Barlet.