2021 POV (Not Predictions) for Federal CISOs

First of all, this is not a list of 2021 predictions for security leaders serving in government agencies. There is not much to predict about how attackers will try to compromise federal systems and data. We don't have to envision anything; we can simply look at what happened in 2020 to know what we need to do to secure government systems and data in 2021. The past year showed that our adversaries' methods are more sophisticated than ever, but the attack vectors and the tools of the trade are the same as they ever were.

After nearly a year of extreme telework and the events of early January, all eyes are on government leaders, and security leaders are no exception.

So the question becomes: how can government security leaders use 2021 as an opportunity to harden the defenses that protect our constituents? I believe the answer is this: we need to adopt a true Zero Trust framework, and we need to do it now. We've been thinking about it, we've been talking about it. Now it's time to do it.

In 2020, security leaders were at the forefront of the rapid, extreme shift to telework brought on by COVID-19. Before the pandemic, a MeriTalk study, underwritten by Okta, found that just 40% of federal employees were authorized to telework. For government agencies, the remote work rollout carried an added layer of risk and confusion. For example, where should employees be directed when their PIV card expired? What were the viable alternatives for access? How should agencies combat the 677% increase in spear-phishing attacks? The stakes are unique for the federal government because the data is not what your average CISO at a Fortune 500 corporation has to deal with: legislative data, citizens' data, and the IT infrastructure that supports our very democracy.

By focusing on access management and credentials, security leaders can mitigate risk from the most exploited attack vector. (After all, the easiest way into a system is through the front door, with a valid credential.) Make sure you are following best practices to secure credentials. For example, the NSA recently released guidance detailing steps for locking down the use of service principals, such as auditing the creation and use of service principal credentials. That audit matters because an attacker who can add a second credential to an existing application gets durable access that looks like normal application traffic. The NSA guidance also encourages moving to the cloud if you can't secure your on-prem identity system. I know from talking to customers and peers that the myth persists that on-prem is more secure than the cloud. Yet as the NSA guidance notes, "tenants relieve themselves from the burden of managing the federation of authentication and the on-premises service, and gain more of the protections that the cloud provider has in place, including system hardening, configuration, and monitoring."
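To make the service principal credential audit concrete, here is an added example (not the NSA's tooling and not Okta code) that flags the conditions a reviewer would want to see: credentials added recently, credentials with a lifetime beyond policy, credentials that are stale, and applications carrying more than one credential. The records are constructed, their field names are an assumed simplified layout rather than any directory's real export schema, and the thresholds are assumed policy values.

```python
"""Audit service principal credentials for newly added, long-lived, stale,
and piled-up credentials.

Added example, not the NSA's tooling or Okta code. The records are constructed,
and their field names (app, cred_id, kind, created, expires, last_used) are an
assumed, simplified layout; a real directory export needs its own mapping."""
from datetime import datetime, timedelta, timezone

# Constructed sample: one record per credential attached to a service principal.
CREDENTIALS = [
    {"app": "payroll-sync", "cred_id": "c1", "kind": "certificate",
     "created": "2019-03-01", "expires": "2021-03-01", "last_used": "2021-01-10"},
    # A password added a few days ago with a two-year lifetime and never used:
    # this is what attacker persistence on an existing app looks like.
    {"app": "payroll-sync", "cred_id": "c2", "kind": "password",
     "created": "2021-01-06", "expires": "2023-01-06", "last_used": None},
    {"app": "mail-archiver", "cred_id": "c3", "kind": "password",
     "created": "2018-06-15", "expires": "2099-12-31", "last_used": "2020-02-01"},
    {"app": "hr-portal", "cred_id": "c4", "kind": "certificate",
     "created": "2020-07-01", "expires": "2021-07-01", "last_used": "2021-01-11"},
]

AUDIT_DATE = datetime(2021, 1, 12, tzinfo=timezone.utc)  # assumed "now" for the run


def _day(value):
    """Parse a YYYY-MM-DD string as a UTC datetime; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_credentials(records, now=AUDIT_DATE, new_within_days=30,
                      max_lifetime_days=365, unused_days=90):
    """Return (app, cred_id, finding) tuples for credentials worth a human look.

    The thresholds are assumed policy values, not numbers from the NSA document."""
    findings = []
    by_app = {}
    for r in records:
        by_app.setdefault(r["app"], []).append(r["cred_id"])
        created, expires = _day(r["created"]), _day(r["expires"])
        last_used = _day(r["last_used"])
        age = now - created
        # Recently added: confirm in the audit log who added it and why.
        if age <= timedelta(days=new_within_days):
            findings.append((r["app"], r["cred_id"], "recently_added"))
        # Lifetime beyond policy: a stolen secret stays valid for years.
        if expires - created > timedelta(days=max_lifetime_days):
            findings.append((r["app"], r["cred_id"], "long_lived"))
        # Stale: old enough that it should have been used but never was, or idle for a long time.
        never_used_but_old = last_used is None and age > timedelta(days=unused_days)
        idle = last_used is not None and now - last_used > timedelta(days=unused_days)
        if never_used_but_old or idle:
            findings.append((r["app"], r["cred_id"], "stale"))
    # A second credential on an app is how an attacker-controlled secret hides next to the real one.
    for app, cred_ids in by_app.items():
        if len(cred_ids) > 1:
            findings.append((app, ",".join(cred_ids), "multiple_credentials"))
    return findings


if __name__ == "__main__":
    for app, cred, finding in audit_credentials(CREDENTIALS):
        print(f"{finding:22} {app:15} {cred}")
```

On the constructed sample, `payroll-sync` draws the most attention: it carries two credentials, one of which was added six days ago, is valid for two years, and has never been used. `hr-portal` produces no findings at all. The same checks apply unchanged to a real export once the fields are mapped.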

Leaders should drive effective security awareness of social engineering techniques, while also configuring their authentication systems so that one breached account does not open up the entire environment: each account gets only the access its role needs, and nobody holds standing administrative rights they are not actively using. Enabling multi-factor authentication is crucial here, especially adaptive MFA that responds to risk and context (device, location, network, and behaviour), and it should be deployed wherever possible, not just for privileged users.

Smart, automated, robust monitoring of your federated identity environment is also important. The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert with useful detection guidance, such as using the new Sparrow.ps1 script to identify compromised accounts and applications, or looking for impossible logins (a user signing in from two places they could not have travelled between in the elapsed time) and impossible tokens (tokens whose lifetime or claims do not match what the identity provider actually issued). We really need automated assessment of access attempts that correlates what each application accepted with the authentication the identity provider actually performed, so that a token no login produced stands out. At a minimum, you'll know right away if any of these mechanisms are at risk or have been bypassed.
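The two checks named above, impossible logins and over-long tokens, are easy to run over sign-in records. The following is an added example, not CISA's Sparrow.ps1 and not Okta code: it parses constructed sign-in lines in an assumed `key=value` layout, computes the speed implied by consecutive successful logins per user, and flags any that exceed what a person on an aircraft could manage, as well as any token whose validity exceeds an assumed one-hour policy. A real identity provider export needs its own parser, and the 900 km/h and one-hour thresholds are assumptions.

```python
"""Flag impossible-travel logins and over-long tokens in sign-in records.

Added example (not CISA's Sparrow.ps1 and not Okta code). The log lines are
constructed in an assumed key=value layout; a real IdP export needs its own parser."""
import math
from datetime import datetime, timezone

# Constructed sample: Washington DC, Berlin, DC, New York, Los Angeles.
SAMPLE_LOG = """\
2021-01-11T13:00:00Z user=alice ip=203.0.113.7 lat=38.90 lon=-77.04 app=email result=success token_validity_s=3600
2021-01-11T13:45:00Z user=alice ip=198.51.100.23 lat=52.52 lon=13.40 app=hr result=success token_validity_s=3600
2021-01-11T14:10:00Z user=bob ip=203.0.113.9 lat=38.90 lon=-77.04 app=email result=success token_validity_s=3600
2021-01-11T16:30:00Z user=bob ip=203.0.113.9 lat=40.71 lon=-74.01 app=email result=success token_validity_s=86400
2021-01-11T16:35:00Z user=carol ip=192.0.2.5 lat=34.05 lon=-118.24 app=vpn result=failure token_validity_s=0
"""

MAX_SPEED_KMH = 900          # assumed: faster than an airliner means two different people
MAX_TOKEN_VALIDITY_S = 3600  # assumed tenant policy: tokens live one hour
EARTH_RADIUS_KM = 6371.0


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with typed time, lat, lon, token validity."""
    ts, *pairs = line.split()
    rec = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for pair in pairs:
        key, value = pair.split("=", 1)
        rec[key] = value
    rec["lat"], rec["lon"] = float(rec["lat"]), float(rec["lon"])
    rec["token_validity_s"] = int(rec["token_validity_s"])
    return rec


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect(log_text, max_speed_kmh=MAX_SPEED_KMH, max_token_s=MAX_TOKEN_VALIDITY_S):
    """Return a list of findings, each a dict with user, kind, at, and detail."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    # Token lifetime is checked per successful sign-in on its own.
    for r in records:
        if r["result"] == "success" and r["token_validity_s"] > max_token_s:
            findings.append({"user": r["user"], "kind": "long_lived_token", "at": r["time"],
                             "detail": f"validity {r['token_validity_s']}s exceeds policy {max_token_s}s"})
    # Travel is checked between consecutive successful sign-ins of the same user.
    by_user = {}
    for r in records:
        if r["result"] == "success":
            by_user.setdefault(r["user"], []).append(r)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["time"])
        for prev, cur in zip(recs, recs[1:]):
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Zero elapsed time from the same place is fine; from a distant place it is not.
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_speed_kmh:
                findings.append({"user": user, "kind": "impossible_travel", "at": cur["time"],
                                 "detail": f"{km:.0f} km in {hours:.2f} h from {prev['ip']} to {cur['ip']}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["at"].isoformat(), f["user"], f["kind"], f["detail"])
```

On the sample, alice is flagged (roughly 6,700 km between Washington and Berlin in 45 minutes), bob's second login is flagged only for its 24-hour token (Washington to New York in two and a half hours is unremarkable), and carol's failed login is ignored by the travel check because a failure says nothing about where the real user is. Feeding a finding back into the adaptive MFA policy, so the next sign-in from the suspect location is challenged rather than just logged, is where the monitoring and the access control meet.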

As federal security leaders, we have a shared responsibility to adapt and remain vigilant in the face of ever-growing complexity. Our IT stacks (and by extension, our security stacks) within agencies have become too complex and too unwieldy, and they are ripe for exposure. A Zero Trust framework will certainly help us simplify our security methods. I know it's easier said than done. But by executing against the basic principles of Zero Trust, such as least privilege access and adaptive MFA, we can go a long way toward shoring up our defenses and keeping the adversaries out, or at least making it really, really hard for them to get in.

My team at Okta is here to help federal, state, and local leaders implement Zero Trust to deal with the “new normal” (that’s not so new anymore, now that we’re in 2021). Learn more about Okta’s solutions for the federal government. I also recommend this great post, Embracing the ‘New Normal’: How Zero Trust is Empowering Government Agencies.