Security

Federal Agencies Lead Other Industries in Zero-Trust Adoption

Government organizations are ahead of their peers generally, but progress can still be made to bolster zero-trust initiatives.

Michael Hickey

Michael Hickey is an Associate Editor at Manifest.

As technology continues to evolve rapidly, so do new cybersecurity threats. With the move to cloud-based technology, old forms of defense have become obsolete, and individuals who work remotely may be signing in using devices that are not be as well protected as their work desktops.

Zero-trust security is an answer to these new cybersecurity problems, and according to a new report from Okta, the Biden administration’s executive order is motivating the federal government to adopt the approach.

“In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” states a White House memo released in January. “A transition to a ‘zero trust’ approach to security provides a defensible architecture for this new environment.”

The Biden administration has urged bold and swift action on adopting zero-trust architecture; Okta’s report breaks down where federal agencies stand.

Click on the banner below to learn how to become an Insider.

Government Agencies Lead the Charge

Okta reports that government organizations are generally ahead of their peers in their adoption of zero trust, with 72 percent of government organizations already pursuing a zero-trust initiative, compared with 55 percent of companies worldwide.

The desired outcome of the mandatory federal push to adopt zero-trust security measures is to accelerate adoption across all levels of government as well as the private sector. “Everything from federal bleeds downstream,” says Sean Frazier, federal chief security officer at Okta. He points to efforts from the Cybersecurity and Infrastructure Security Agency (CISA) that have led to better communication and information sharing across sectors.

“A lot of the CISOs at federal agencies talk to the CISOs at state agencies. They have what I consider an unprecedented level of collaboration,” he says. “Because of that, we see state and local agencies also getting on the zero-trust bandwagon.”

Slow Movement on Passwordless Solutions

Identity is the first pillar of CISA’s zero-trust model, and the majority of government agencies reportedly recognize its importance. But while 80 percent of agencies classify identity as an important element of the zero-trust strategy, according to the Okta report, only about 7 percent of have implemented passwordless access, which is a powerful approach to zero-trust.

“If we’re still struggling with passwords, then we’re still making it easy for attackers, because passwords are the weakest link of security,” Frazier says. “Passwords being the only line of defense between you and an attacker is really not a good place to be.”

Budgets and Resource Management in Federal Government

The slow adoption of passwordless access may reflect budgetary concerns: The White House’s zero-trust strategy is unfunded, though agencies can apply for funding to support zero-trust initiatives through the Technology Modernization Fund.

“In a lot of cases, state and local governments tend to be behind the curve because of resources,” Frazier says. “The silver lining is that the government mandate is more of a shift in mindset than of procurement.”

He points out that organizations likely already have many of the resources they need.

“Chances are they’ve already got an identity and access management solution, they already have an access solution, they’ve already moved some of their services to the cloud. They just need to figure out what the security models are for those. A lot of it ends up being more cultural than technical,” Frazier says.

ArtemisDiana/Getty Images