Adopting zero trust and associated identity solutions is a governmentwide effort across government as agencies stand up their strategies in meeting President's cybersecurity executive order. The Department of Labor is using the directive as a linchpin for its cloud modernization strategy.
“When you start peeling back [the executive order] it really does provide a lot of tools for enabling, advancement and success,” said Paul Blahusch, director of the agency's Cybersecurity Directorate, during an ATARC virtual event. “Take the executive order and find out where it benefits us ... and allow IT to enable the mission better through the application of the executive order.”
As part of the shift, Labor is evaluating how it can integrate advanced security measurements to align with the order as it transitions to the cloud. Biden’s order calls for agencies to update existing plans to prioritize resources for the adoption and use of cloud technology and adopt zero trust architecture for migration, among other requirements, to ultimately secure data and IT systems.
“The executive order itself actually reaches out and drives some federal IT to the cloud,” Blahusch added. “Accelerating movement to secure cloud is part of the direction in the executive order. All of the other things in the executive order wrap around that.”
The executive order also sets new requirements for vendors in a move to improve visibility and transparency. Blahusch said that developing relationships with vendors should be continually enhanced through tools and technologies like zero trust architecture, incident reporting and software bills of material (SBOMs) as the security landscape grows. Additionally, implementing standardized security requirements could mitigate exposures and cyber risks.
“There’s a lot of things in the executive order that both drive security to the cloud, but also help federal agencies — in a common way — embrace that,” Blahusch said.
Vendors working with the agency also need to develop and adopt zero trust principles to minimize risks. This is particularly important as agencies develop new hybrid work models that rely on bring-your-own devices (BYOD), which Labor is also working toward.
“An individual zero trust enabling technology may go out of style quickly. The principles behind zero trust have a long lifespan," Blahusch said. "Micro-segmentation, so if you do get compromised ... it will isolate it down to a smaller component of your environment."
Blahusch noted that BYOD have the potential to improve employee productivity and morale. However, if these personal devices are left unprotected, they can present serious security challenges.
“It comes down to how much I can get visibility into the device,” Blahusch said. “[BYOD] does open up a conversation, but it’s not binary. It would be a ‘yes, but’ for me. Yes, we will allow it, but there must be all these things where we have at least visibility and at most some control ... within their device that we can then say is trustworthy.”
Similar to other agencies, Labor is developing SBOMs in its broader cloud strategy to gain more visibility of how solutions are built.
“As a federal agency, we have a responsibility to protect the data and services regardless of who hosts it or where it’s at. We can’t contract away that responsibility,” Blahusch said. “I can only adequately protect those data and services if I know what to protect and the risk environment. I must know how that is being protected when it's in a cloud service provider. This transparency is needed to inspire a trusted relationship.”
Looking ahead, the agency plans to develop ways to validate security to better enable continuous IT improvements. Security teams within development environments should evaluate how to scale up authentication processes while still meeting high security standards to limit delays to IT updates.
“Cyber and IT are not 'set and forget,'” Blahusch said. “That’s why transparency and visibility into the cyber posture is so important.”