The recent Executive Order, signed by President Biden in May 2021, is a response to a series of high-profile cyberattacks on targets such as SolarWinds, Microsoft Exchange, and most recently, the Colonial Pipeline. Realizing that information-sharing and stronger cybersecurity standards are critical to maintaining a strong defense in an evolving threat environment, the federal government has mandated measures to implement security best practices.
Without public trust in the nation’s digital infrastructure, the engines of global commerce and government services are at risk. This executive order addresses the issue not with a generalized call to improve security, but rather with specific technologies that, once implemented, stand the best chance of preventing future attacks.
To encourage this tightening of security, the US government is stepping forward to “lead by example” by adopting these measures throughout the public sector. To maximize this initiative’s impact, however, this Executive Order calls on both the public and private sector to reach a standardized technological baseline that will enable coordination in reporting incidents and preventing threats. This also means that security measures once thought of as nice-to-have roadmap features will now need to be implemented with far greater urgency.
Three Things You Need to Know
- If you work with or plan to work with the federal sector, you’ll need to be compliant
Standards implemented at the federal level will become the baseline for what is considered a strong cybersecurity posture throughout the private sector. In fact, the Executive Order explicitly states that the “private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.” Specifically, the field-tested building blocks of identity protection – multi-factor, risk-based authentication and conditional access – will become a standard, both for networks in the federal domain and those vendors with whom the US government contracts for services.
- Security is a major barrier to adoption of cloud technologies
The Executive Order mandates “accelerating movement to secure cloud services”. Full network protection, however, requires uniform security capabilities not only on cloud services but also on the on-premises assets that often comprise part of a hybrid network. Typically, a hybrid network has multiple IAM products, each managed separately and offering varying levels of security. Consolidating these security products across all resources and access attempts is essential for identifying and managing cybersecurity risks. With a unified identity protection framework in place, assets can be migrated to the cloud with full confidence that they will remain secure.
- Zero Trust approaches are becoming a new standard
Developing a plan to implement Zero Trust Architecture is mandated by this Executive Order, so this stance is quickly moving from concept to reality. Until today, the prevalent approach was Zero Trust Network Access (ZTNA), which focuses on the device and the network segment it’s attempting to access. This can be difficult to implement in enterprise environments without rebuilding networks. Another approach that is gaining interest these days is Identity-Based Zero Trust, which considers the user’s identity and behavior profile to determine the risk level and applies dynamic, risk-based access controls. Each access attempt is evaluated individually; a user’s identity is never fully trusted until they prove they are indeed who they claim to be.