Government Agencies Lead the Charge
Okta reports that government organizations are generally ahead of their peers in their adoption of zero trust, with 72 percent of government organizations already pursuing a zero-trust initiative, compared with 55 percent of companies worldwide.
The desired outcome of the mandatory federal push to adopt zero-trust security measures is to accelerate adoption across all levels of government as well as the private sector. “Everything from federal bleeds downstream,” says Sean Frazier, federal chief security officer at Okta. He points to efforts from the Cybersecurity and Infrastructure Security Agency (CISA) that have led to better communication and information sharing across sectors.
“A lot of the CISOs at federal agencies talk to the CISOs at state agencies. They have what I consider an unprecedented level of collaboration,” he says. “Because of that, we see state and local agencies also getting on the zero-trust bandwagon.”
Slow Movement on Passwordless Solutions
Identity is the first pillar of CISA’s zero-trust model, and the majority of government agencies reportedly recognize its importance. But while 80 percent of agencies classify identity as an important element of the zero-trust strategy, according to the Okta report, only about 7 percent have implemented passwordless access, which is a powerful approach to zero trust.
“If we’re still struggling with passwords, then we’re still making it easy for attackers, because passwords are the weakest link of security,” Frazier says. “Passwords being the only line of defense between you and an attacker is really not a good place to be.”
Budgets and Resource Management in Federal Government
The slow adoption of passwordless access may reflect budgetary concerns: The White House’s zero-trust strategy is unfunded, though agencies can apply for funding to support zero-trust initiatives through the Technology Modernization Fund.
“In a lot of cases, state and local governments tend to be behind the curve because of resources,” Frazier says. “The silver lining is that the government mandate is more of a shift in mindset than of procurement.”
He points out that organizations likely already have many of the resources they need.
“Chances are they’ve already got an identity and access management solution, they already have an access solution, they’ve already moved some of their services to the cloud. They just need to figure out what the security models are for those. A lot of it ends up being more cultural than technical,” Frazier says.