To meet the goals outlined in the President’s Executive Order on Improving the Nation’s Cybersecurity, follow-on guidance specific to the move to zero trust was issued in the Federal Zero Trust Strategy memorandum. One specific task requires agencies to select “at least one FISMA moderate system” to make internet-accessible. Agencies should consider including the selection of this application in their implementation plan, which is due to OMB in March 2022. Once the plan is submitted, work must begin so that the selected system can “allow the secure, full-featured operation of the internet” by January 2023.
This task, and all of the other tasks outlined in OMB M-22-09, are steps needed to meet the goal to accelerate agencies toward a shared baseline of early zero trust maturity. Zero trust is the right approach for the scope, scale, and mission of today’s government. Allowing for secure, efficient access to data and systems from anywhere is paramount to the functionality of a modern, responsive government enterprise. However, making applications internet accessible doesn't mean leaving them open to the internet.
A new path to secure apps
The overarching vision for applications and workloads is that “agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.” Many agencies are meeting this by transitioning private applications that once ran solely in the data center to public clouds while maintaining high levels of security that do not impact user experience or performance.
Traditionally, this access has been hairpinned through the Agency’s network via Virtual Private Networks (VPNs), but as the memorandum states, agencies can no longer rely on VPNs to make these connections. Not only are VPNs cumbersome for end users and administrators alike, but they also open up attack surfaces by exposing IP addresses. Zscaler was born out of the idea that there had to be a better way than VPN to connect remote users to the applications they need, and we’re ready to help agencies meet the internet-accessible mandates.
What does internet-accessible look like?
A zero trust approach is a wholesale break from “how we’ve always done it.” It embraces the idea that the federal government can no longer depend on conventional perimeter-based defenses to protect critical systems and data. Instead, the internet becomes the Agency’s new transport network. Applications are individually secured and invisible to unauthorized users. Application access is based on context - consumed from existing identity and access management (IAM) solutions - and should not require network access. When a user tries to access an application, policy is checked and, if authorized, they are pushed to the closest instance of that application, leading to better performance and experience. This approach achieves application segmentation and limits lateral movement.
In this model, remote users can leverage the internet as untrusted transport for secure, encrypted zero-trust access that connects the user only to authorized applications, rather than connecting the endpoint to the network. This eliminates the need for complex network-centric controls to prevent unauthorized lateral movement. Additionally, existing protections such as multi-factor authentication (MFA) and endpoint security can be integrated into the context for access decisions.
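As an added illustration of the access decision described above (this is not Zscaler's code; the policy, identity claims, device posture values and connector hostnames are constructed for the example), a per-application policy check in Python that combines IAM group claims, MFA freshness and endpoint posture, denies by default, and hands an authorized user only a connector for that one application, preferring the instance in the user's region:

```python
"""Context-based access decision for a per-application zero trust broker.

Constructed example: the group claims, MFA age, device posture and connector
names below are made up; they stand in for what an IAM provider and an
endpoint agent would supply at request time.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class AccessContext:
    user: str
    groups: frozenset               # group claims from the IAM provider
    mfa_age_minutes: Optional[int]  # minutes since last MFA; None = no MFA
    device_compliant: bool          # posture reported by the endpoint agent
    region: str                     # where the user is connecting from

@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    max_mfa_age_minutes: int
    require_compliant_device: bool
    instances: tuple                # ((region, connector_host), ...) in fallback order

# One application policy; the app is invisible unless every check passes.
POLICIES = {
    "grants-portal": AppPolicy(frozenset({"grants-staff"}), 60, True,
                               (("us-east", "con-east.example.gov"),
                                ("us-west", "con-west.example.gov"))),
}

def evaluate(ctx: AccessContext, app: str) -> Tuple[bool, str, Optional[str]]:
    """Return (allowed, reason, connector). Default is deny: an application
    with no policy, or a context failing any check, never yields a connector,
    so the user is never handed network access to reach it."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, "unknown application", None
    if not ctx.groups & policy.allowed_groups:
        return False, "identity not entitled to application", None
    if ctx.mfa_age_minutes is None or ctx.mfa_age_minutes > policy.max_mfa_age_minutes:
        return False, "MFA missing or stale", None
    if policy.require_compliant_device and not ctx.device_compliant:
        return False, "device posture not compliant", None
    # Authorized: route to the instance in the user's region, else the first fallback.
    by_region = dict(policy.instances)
    connector = by_region.get(ctx.region, policy.instances[0][1])
    return True, "allowed", connector
```

Each denial carries a reason so the broker can log it; in practice the posture and MFA inputs would be re-evaluated on every request rather than cached for a session.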
How do you manage the internet as your network?
With zero trust, you remove the need for users to be on the network, regardless of whether the application is in a traditional data center or a modern cloud environment. Agencies can standardize on a single cloud security service, simplifying access across multi-cloud environments. With applications in the cloud, administrators can gain a clear understanding of who is accessing what and when. It also enables real-time views into activity and the health of applications, servers, and connectors.
This approach provides a consistent access experience whether users are remote or in the office, and regardless of how applications are hosted. The zero trust principles of context-based, least-privileged access are applied in a modern framework that integrates existing security elements such as IAM, MFA, and endpoint protection. Agencies can meet the requirement for internet-based access while retaining full visibility and granular control over all user access.
With the right approach, any application can be accessed with these zero trust principles.