Report: Government Implementing Zero Trust Architecture Faster than Corporations

dem10/Getty Images

Government’s speedy zero trust implementation is noteworthy for an institution that is “not usually ahead of the curve,” according to a report.

Government agencies are ahead of corporations in adopting and implementing zero trust security architecture with 72% of government organizations already utilizing a zero trust framework in comparison to 56% of companies, according to a report released Tuesday by IT company Okta.

For the whitepaper, entitled, “The State of Zero Trust Security 2022,” Okta surveyed 700 security leaders globally “to assess where they are on the journey toward a complete zero trust security posture.” A zero trust framework is a security policy that distrusts all entities by default and requires all users inside and out of a network to be continuously authenticated, authorized and validated for security protection, as a user navigates throughout a network.

Zero trust has “become this natural evolution of security,” Okta’s Federal Chief Security Officer Sean Frazier told Nextgov. “Zero trust kind of went up to the top thing that everyone was starting to care about, because it really is kind of what I considered to be the inevitable security architecture of the stuff that we're dealing with now.”

One reason the government has been ahead of industry counterparts is federal mandates regarding zero trust. In May 2021, President Joe Biden issued an executive order to strengthen federal government computer systems and networks via zero-trust architecture, among other things. In September 2021, the administration released draft zero-trust architecture guidelines. Agencies have until the end of September 2024 to meet five zero trust goals: identity, devices, networks, applications and data.

“I've been working with the public sector for many, many years and they're not usually ahead of the curve, usually quite the opposite,” Frazier said. 

He explained that about five or six years ago the Federal CIO Council began to look at zero trust, figure out what it meant for them and decide how to adopt it. At the same time, there was also an increase in telework, which was accelerated by the COVID-19 pandemic. The National Institute for Standards and Technology and others also started to develop standards on how to implement zero trust. 

Frazier added that the executive order, as well as other government directives, “did light a fire on it and accelerated it quite a bit.”

While the executive order does not provide funding on its own, according to the report, 87% of government agencies have seen an increase in their budget to support these zero trust initiatives. Specifically, 16% reported a significant increase and 71% reported a moderate budget increase. Agencies can also apply to the Technology Modernization Fund for funding to enact zero trust initiatives.

“In government, we tend to not really like these things called ‘unfunded mandates,’” he said. “If you can kind of change your mindset a little bit and think about zero trust as just a natural evolution of security, you don’t say, ‘oh, I need an extra budget for this, because it’s a different thing.’ It’s not really a different thing. It’s just evolving what you’re already kind of doing.”

The report also highlights the importance of identity measures for government agencies as part of their zero trust initiatives. Earlier this month, NIST and the Cybersecurity and Infrastructure Security Agency published guidance for identity and access management after the SolarWinds attack, which includes the implementation and use of zero trust architecture. The report found that 19% of government respondents found the identity pillar to be critical.

Frazier noted that identity and access management is “the first pillar of zero trust for a reason, because it’s kind of the linchpin of all this stuff.” 

According to the report, only around 7% of government organizations already have or are soon planning to have passwordless access. Meanwhile, approximately 22% of financial service company respondents and 16% of healthcare and software companies utilize this. The report states that passwordless access includes “using high assurance factors such as factor sequencing, biometric-based logins through web authentication (WebAuthn), and Universal 2nd Factor (U2F) security keys.”

The report also highlights that “government respondents plan to make significant strides across the maturity curve in the coming 12-18 months. Specifically, their plans amount to nearly doubling progress against six of the 12 identity projects on the curve, prioritizing initiatives like deploying MFA for employees and user groups.” The report notes that government entities were behind other respondents for identity projects, but are expected to work on these in the future. 

“It’s not something you ever implement and then kind of take your foot off the gas and say, ‘we’re done,’ because security is pervasive, it’s something that evolves, it’s something that has to live with you,” Frazier said. “That’s why I call it a kind of a lifestyle choice more than anything else.” 

But when it comes to zero trust, government and industry aren’t just competing to have more implementation first. 

“The public-private partnerships [are] important, because that’s actually where this kind of started with the CIO Council,” Frazier said. 

That council is made up today of agency chief information officers and designed to establish standards and recommendations for federal IT management.

Frazier added that partnerships allow for the sharing of information, “best practices and learning what other people are doing; figuring out how you can leverage that [is] super important.” 

He also noted the importance of aligning on open standards, particularly for identity, data sharing and risk sharing information. Additionally, he emphasized the importance of focusing on security throughout the whole process of an application. 

“If we don’t think about security from the beginning … then we just leave holes. The more holes we leave, the more holes there are for [an] attacker to exploit,” Frazier said. “Security never ends, never sleeps, it’s always living with the application as people are accessing it.”