On May 12, President Biden issued an Executive Order (EO) to improve the nation’s cybersecurity and protect Federal Government networks. It tasks the Federal Government to “improve its efforts to identify, deter, protect against, and respond” to malicious cyber campaigns. It also states:
“The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid. The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).”
As anyone who works in cybersecurity can tell you, what the President is asking for in this EO is no small undertaking. This complex and wide-ranging EO features aggressive timelines – agencies were on the hook to provide implementation plans for complex tasks such as supply chain integrity and Zero Trust Architecture within 30 and 60 days of the 12 May signing of the Order. But the challenge is sprawling and complicated. Trying to do too much at once can lead to paralysis as too few people try to tackle too many projects, miss deadlines, or make quick decisions that may lock agencies into sub-optimal choices on security.
A practical solution to the problem is to prioritize. Although removing barriers to sharing threat information (Section 2) and enhancing software supply chain security (Section 4) are both undeniably important, a good place to start is by modernizing Federal Government cybersecurity (Section 3). Taking these fundamental steps toward modernization first improves the odds of the requirements listed in the other two sections actually coming to fruition.
Modernizing Federal Cybersecurity
To modernize cybersecurity, Section 3 of the EO calls out a number of different areas of improvement. But because cybersecurity gets complex quickly, the first step for Federal agencies, especially smaller ones, should be to find a source of trusted advice and counsel. This recommendation is especially important for agencies with a smaller resource base because they face the strongest imperative to “spend smartly.” This advice can come from government peer groups such as the Federal CIO Council, non-profit organizations, or industry partners. A trusted partner can help an agency in:
- Identifying and taking full advantage of device consolidation. For example, an agency might be planning to upgrade only one thing, but the right solution can save money and resources currently being spent on maintaining multiple security solutions, even if it doesn’t turn on the additional capabilities right away.
- Identifying solutions that offer zero-touch or low-touch provisioning and operation. (These features are particularly helpful for organizations that are under-staffed.)
To find the areas of greatest impact on IT performance and security, organizations should also learn from what others have already done or plan to do. There’s no need to reinvent the wheel, and any cybersecurity solution based on a platform of interoperable capabilities is likely to outperform non-platform point solutions because of the synergy between the capabilities a platform offers. This is another area where relying on the expertise and investment of others can save both time and money, while significantly increasing the security of the network.
Faced with an inability to identify the ‘best’ platform for their needs, some may be tempted to hedge their bets by diversifying and consciously spreading their investment across multiple platform ecosystems. But splitting investments across platform families does not increase defense in depth; it minimizes synergy. To help with efforts to consolidate solutions while maintaining interoperability, Fortinet, for example, has developed an open ecosystem comprised of over 400 vendors and products able to interoperate with the Fortinet Security Fabric platform.
Such an integrated approach would facilitate rapid and tangible progress on the other capabilities and strategies outlined in the EO. At a high level, Section 3 of the EO states that agencies need to accelerate migration to cloud technology, implement a zero-trust architecture, improve cloud security, multifactor authentication and data encryption, centralize and streamline access to cybersecurity data to drive analytics, and improve communication and training. Achieving this is likely to be difficult when trying to build a solution out of disparate elements. Fortunately, truly integrated solutions exist that can address each one of these areas.
Zero Trust Architecture
Section 3 dictates that agencies must move to a zero-trust approach to security by implementing strong authentication capabilities, network access control technologies, and application access controls. Zero trust network access (ZTNA) is an element of zero trust access that focuses on controlling access to applications. ZTNA verifies users and devices before every application session to confirm that they meet the organization’s policy to access that application. A key element of the ZTNA concept is that security is independent of the location of the user. Users inside the network should not enjoy any more trust than users that are outside the network or even temporarily working off-line. With ZTNA, the application access policy and verification process are the same whether the user is on or off the network.
Fortinet is well-positioned to enable firewall-based ZTNA to better consolidate and optimize security deployments and management in any environment, coupling application access and connectivity with a full stack of enterprise-grade security. And the release of FortiOS 7.0 enables every FortiGate customer to natively employ Zero Trust Network Access (ZTNA) capabilities from their existing FortiGate solution. Fortinet’s approach to ZTNA evolves beyond traditional models that validated the user and device, established VPN connectivity, and then essentially treated the user as if they were working from their physical office and inside the network. Fortinet’s approach helps to reduce the attack surface by verifying the user and device for every application session while also hiding business-critical applications from the internet. And ZTNA from Fortinet further simplifies management by enforcing a consistent access policy whether users are on or off the network.
Cloud security is a key issue for many Federal agencies, especially those with computing assets in private, hybrid, and public cloud environments. Fortinet SD-WAN allows remote sites, such as branch and field offices, to connect more easily to networks and/or multiple clouds with lower latency, better performance, and more reliable connectivity. And Fortinet has expanded its passive application monitoring for SaaS and multi-cloud applications in FortiOS 7.0 for a better user experience to support users working from anywhere.
Secure Access Service Edge (SASE) combines network and security functions with WAN capabilities to extend networking and security capabilities. This provides users, regardless of location, with the protections provided by firewall as a service (FWaaS), secure web gateway (SWG), zero-trust network access (ZTNA), and threat detection functions.
Fortinet is the only SASE vendor to provide consistent, enterprise-grade protection across every network edge due to its security-driven networking strategy, which combines security and networking functions into a unified solution. FortiSASE delivers its advanced security over the cloud, which eliminates common security gaps. But because every element is part of the same FortiOS deployment, whether deployed on-premises, in a remote location, or in the cloud, a full-featured FortiSASE solution is also fast to deploy and intuitive to manage, while providing centralized visibility and control across distributed hybrid environments.
Multi-factor authentication (MFA) verifies the identity of a user by requiring them to provide multiple credentials before being granted access to network resources. With traditional password entry methods, a bad actor only has to figure out a username and password, which often are easy for hackers to acquire. MFA relies on the principle of ‘something you have plus something you know’ (like a userid and password). Users must provide at least one form of identification based on something like a fob or token that generates a one-time code, making it more difficult for malicious actors to masquerade as a legitimate user. Without providing all of the required factors, the user would not be able to gain access.
Data Analytics, Communication and Training
The intersection of increasingly mature artificial intelligence (AI) and machine learning (ML) with security platforms is a potentially transformational element that can be leveraged to meet some of the EO’s requirements. An AI-enabled security platform can both minimize the likelihood of network penetration and limit the damage should a breach occur.
AI-powered instrumentation and advanced analytics can support a network of sensors that can identify normal and abnormal activity in real time, and even differentiate between merely abnormal and malicious activity. It turns what is often touted as one of cybersecurity’s greatest challenges—the growing size and complexity of the attack surface—into a net advantage, using this surface as a giant collection network capable of detecting would-be intruders before they succeed in penetrating their target. And because of its speed and accuracy, the use of AI and automation not only saves staff time, it has the potential to take away the attacker’s advantages of stealth and speed.
The smart use of AI/ML and automation can also help compensate for the cybersecurity workforce skills shortage that agencies continue to face. The improved visibility and control provided by an effective AI/ML implementation can be both global and granular, extending both around the world and down to the level of specific application processes running on a device. And the ability to make and implement decisions in sub-second timeframes can be crucial for enabling solutions such as dynamic zero trust architectures that can detect and respond when an authorized user begins to behave abnormally.
The Fortinet Security Fabric continuously assesses risk and automatically adjusts policies and configurations to provide comprehensive real-time protection across the digital attack surface and attack lifecycle. Powered by FortiOS, the Security Fabric enables consistent protection across the extended digital attack surface through solution interoperability, complete visibility, and granular control for hybrid deployments including hardware, software, and X-as-a-Service across networks, endpoints, and clouds.
The Time for Modernization Is Now
Cybersecurity modernization isn’t optional and the Executive Order says it best:
“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
Find out how the Fortinet Security Fabric platform delivers broad, integrated, and automated protection across an organization’s entire digital attack surface to deliver consistent security across all networks, endpoints, and clouds.