In early 2020, almost every government agency embraced telework in response to the pandemic. With telework, employees operate outside the security perimeter that was put in place to protect them and the agency’s data. As a result, telework has had significant cybersecurity ramifications.
Lookout has a long history of collaborating with the public sector to secure agency employees. This is why I’m excited that we have been selected by the National Institute of Standards and Technology (NIST) to collaborate on its Zero Trust architecture development efforts.
Spearheaded by NIST’s National Cybersecurity Center of Excellence (NCCoE), this initiative seeks to create architectures and guidelines that will enable federal agencies to efficiently adopt Zero Trust. This project coincides with President Joe Biden’s recent executive order that led to the Office of Management and Budget (OMB) developing a roadmap requiring agencies to reach a basic Zero Trust maturity level by the end of fiscal 2024.
Lookout is joined by 19 collaborators including Amazon Web Services, Cisco, F5 Networks, FireEye, IBM, McAfee, Microsoft, Okta, Palo Alto Networks, SailPoint Technologies, Symantec (Broadcom), Tenable and Zscaler.
As we embark on our efforts with the NCCoE, I want to take this opportunity to discuss the changing security landscape, technology requirements agencies should think about as they deploy Zero Trust and the expertise Lookout brings to the table.
Supporting telework requires a new cybersecurity strategy
Zero Trust — the idea that no entity or user should be given access to an application or data until they are proven to be trustworthy — is critical in the age of telework. Perimeter-based security cannot protect employees using devices and networks that federal agencies do not control. This means agencies have not only lost visibility into what’s happening, they’ve also lost control over their data.
This is why we’re happy to see Zero Trust at the forefront of security conversations in the public sector. Not only has President Biden required federal agencies to deploy Zero Trust, his administration also recently published a draft strategy that mandates security for software applications and network resources and traffic.
The journey to deploy Zero Trust isn't as simple as purchasing a product. Currently, attempts at Zero Trust for telework often require the use of a virtual private network (VPN) with two-factor authentication, which only provides a single point-in-time risk assessment. This is insufficient because Zero Trust requires a continuous risk assessment with security policy enforcement that adapts dynamically with changes in risk level.
Zero Trust must span from endpoint to cloud
Keeping your valuable data secure without hindering remote productivity requires a continuous understanding of your users, their endpoints and the sensitivity level of the data they're accessing. Agencies also need the ability to enforce and monitor precise security policy based on those insights.
Single point-in-time security checks are insufficient. Zero Trust requires a continuous assessment of endpoints and users because their risk levels are constantly changing. Users are prime targets of phishing attacks that steal credentials, infect their devices with malware and spread laterally. They're also vulnerable to network threats as well as operating system and app vulnerabilities. In addition, agencies need to understand how their users behave so they can detect account takeovers or insider threats.
To make efficient access decisions that don't put data at risk, agencies also need to account for the sensitivity level of the data being accessed. Zero Trust isn’t just about security, it’s also about productivity. If the response to an increase in user or device risk is to deny access to everything, then employees can’t get their work done. This is why it’s critical to have a solution that adapts to both the fluctuating risk level of users and endpoints and the sensitivity level of the data they need to access, and that dynamically enforces policies based on that information.
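The contrast drawn above between a single check at login and continuous, sensitivity-aware enforcement can be replayed in a few lines. This is an added example, not Lookout's or NIST's code; the risk levels, sensitivity tiers, policy matrix and session timeline are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed policy matrix: current risk x data sensitivity -> decision.
# Rising risk narrows access step by step instead of denying everything.
POLICY = {
    "low":    {"public": "allow", "internal": "allow",   "restricted": "allow"},
    "medium": {"public": "allow", "internal": "allow",   "restricted": "step_up"},
    "high":   {"public": "allow", "internal": "step_up", "restricted": "deny"},
}
ORDER = ["low", "medium", "high"]

@dataclass
class Signal:
    t: int             # minutes since login
    device_risk: str   # e.g. from endpoint posture checks
    user_risk: str     # e.g. from behaviour analytics

def decide(signal, sensitivity):
    """Use the worse of device and user risk, then look up the policy."""
    risk = max(signal.device_risk, signal.user_risk, key=ORDER.index)
    return POLICY[risk][sensitivity]

def latest_signal(signals, t):
    """Most recent risk signal observed at or before time t."""
    current = signals[0]
    for s in signals:
        if s.t <= t:
            current = s
    return current

def replay(signals, requests, continuous):
    """Decide each request from the login-time signal or the current one."""
    decisions = []
    for t, sensitivity in requests:
        s = latest_signal(signals, t) if continuous else signals[0]
        decisions.append(decide(s, sensitivity))
    return decisions

# Constructed session: clean at login, device flagged at t=30, remediated at t=60.
SIGNALS = [Signal(0, "low", "low"), Signal(30, "high", "low"), Signal(60, "low", "low")]
REQUESTS = [(5, "restricted"), (35, "public"), (40, "internal"),
            (45, "restricted"), (65, "restricted")]

if __name__ == "__main__":
    print("point-in-time:", replay(SIGNALS, REQUESTS, continuous=False))
    print("continuous:   ", replay(SIGNALS, REQUESTS, continuous=True))
```

The point-in-time replay allows every request because it never sees the change at t=30, while the continuous replay keeps public data reachable, asks for step-up on internal data and blocks restricted data until the device is remediated.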
An integrated approach to Zero Trust: the Lookout Security Platform
It is great to see the federal government and the President invest in Zero Trust. The digital transformation that both the public and private sectors are experiencing is here to stay. As the Cybersecurity and Infrastructure Security Agency (CISA) has continued to point out, ransomware and other cyber attacks are increasing. This is why CISA recently introduced the Joint Cyber Defense Collaborative (JCDC), an initiative that encourages government agencies to partner with industry experts.
Lookout delivers a Zero Trust solution that dynamically enforces security policies based on both the continuous risk assessment of mobile endpoints and users, and the sensitivity of the data they are accessing.
Through our collaboration with NIST, Lookout will enable federal agencies to align with Zero Trust pillars from the Cybersecurity and Infrastructure Security Agency (CISA):
- Continuous assessment of device risk posture
- User behavior visibility
- Secure application workloads
- Understand and secure data at rest and in transit
- Secure network configurations
To learn more about how we can help as you embark on your Zero Trust journey, visit: https://www.lookout.com/industries/federal-government