Digital transformation in the Federal government is shifting the focal point of security to the user and device – not the data center. As Federal IT leaders look to keep pace with new modernization and cybersecurity requirements, they need platforms and capabilities that support fresh approaches to security and data.
Secure access service edge (SASE) modernizes how network security protects users and agency information, whether they traverse the open internet, utilize cloud applications, or access private resources located in agency data centers. The main concept of a zero trust architecture model is “never trust and always verify.” Agencies will be implementing zero trust to improve the government’s cybersecurity posture.
MeriTalk recently spoke with Craig Mueller, vice president of Federal sales at cloud security firm iBoss, to discuss how SASE and zero trust can help agencies modernize and meet mission requirements supporting the hybrid government workforce.
MeriTalk: There’s been a lot of buzz around what Gartner has categorized as SASE. Can you give us a quick summary of SASE?
Mueller: SASE stands for Secure Access Service Edge. It’s a security framework outlining the combination of security and network connectivity technologies, with the idea that the new “edge” of your network is the user, rather than the network perimeter.
Essentially, SASE allows security policies to follow the user regardless of their location, device, or destination. This means users no longer need to navigate from a remote location all the way back through an agency data center to access required security policies. As you can imagine, this ability is a necessity for today’s “work from anywhere” government workforce.
From a modernization perspective, the value here is the ability to limit reliance on legacy tools for repeated authentication across multiple platforms that all require traffic decryption, proxies, firewalls, and data loss prevention. Managing all of this separately is complex, time consuming and impacts the user experience. Consolidating and simplifying the environment while centralizing policy enforcement gives agencies a streamlined, secure framework capable of satisfying the end user and achieving mission success.
MeriTalk: Much of the Federal workforce plans to continue teleworking in some form moving forward. How will moving to a SASE platform help?
Mueller: Prior to the pandemic, roughly 3 percent of government employees teleworked. Today, the number has shot up to more than 60 percent of employees, and at the height of the pandemic it’s safe to assume it was more like 80 to 90 percent. The only way agencies were able to make this sudden, sharp adjustment securely was to backhaul all remote user traffic to data centers via virtual private networks (VPNs) to ensure employees had the necessary security. In some cases, they just let personnel access resources directly, without any – or very limited – security.
Implementing a SASE platform leveraging core zero trust principles will help modernize Federal networks and security to keep pace with the government’s ever-evolving mission and business requirements. The Office of Management and Budget (OMB) has made remote work a part of those business requirements, and the Biden administration’s May executive order makes cybersecurity a priority. One of the key tenets in the executive order was the requirement for agencies to implement a zero trust architecture. We’ve had an enormous cultural shift in the Federal government regarding secure remote work, and we’re not going back to the way things were prior to the pandemic. That’s really where a zero trust connectivity platform like iBoss comes into play, offering increased security, reduced cost and complexity, improved user experience, and ability to meet the mission that agencies need in this new hybrid workforce reality.
MeriTalk: How can a SASE platform help achieve the goals set by the Biden administration regarding implementing zero trust architecture?
Mueller: If you look at NIST SP 800-207, “Zero Trust Architecture,” the architectural foundation starts with zero trust access. There’s an untrusted zone where users and devices are, looking to access an enterprise resource, and applications, systems, and data that are in an agency’s trusted zone. Sitting in between them and making the decision to grant or deny access is the policy enforcement point (PEP). A key feature of a SASE platform is that PEP and the flexibility and granularity of the policies it allows. Zero trust access enables government agencies to give users access only to the specific applications and data they need to complete their duties, without connecting to the network via a VPN. VPNs provide open access to any resource on the network, which increases the risk of compromise by a bad actor – whether that’s an external adversary or an insider threat.
In the zero trust realm, because the user is never granted access to the network, the agency gains more granular control over network security policies. The risk of lateral movement within a compromised resource is eliminated because users are directly on the application – not inside the network.
Agencies know that moving from a legacy, perimeter-based security model to a zero trust, cloud-delivered security as a service capability isn’t like flicking a switch. It takes thoughtful planning to understand an agency’s current state and its individual constraints and priorities, to tailor a strategy that provides immediate benefits. At iBoss, we focus on visibility, alignment, and expectation setting so that agencies can measure, track, and quantify the value they’ll derive from this modernization during the planning stages. Too many vendors try to fit square pegs into round holes when it comes to modernization. At iBoss, we understand that the process will be different for each agency, and agencies need flexibility.
MeriTalk: Most government agencies have a substantial amount of legacy network security infrastructure. Where and how can they start thinking about moving these security services to the cloud?
Mueller: It comes down to each individual situation. Some agencies may already have their applications on the cloud, so shifting their security controls to the cloud isn’t an issue. However, a larger organization with legacy applications in data centers will have a different strategy and approach.
Currently, we are working with several Department of Defense (DoD) agencies to enable access to Microsoft 365 for thousands of employees without having to traverse through the Defense Information Systems Network, which crushes the user experience. It’s a paradigm shift for DoD business operations. We’re also working with a number of civilian agencies as they look to implement TIC 3.0 guidance while moving towards a modernized, zero trust architecture.
It really boils down to agencies taking careful stock of their current situation and planning for where they’d like to go. NIST SP 800-207 does a nice job outlining the initial steps – what assets, users, and business processes encompass the legacy perimeter network – and how these map across the zero trust continuum. When we think of transformation and moving to a zero trust architecture, we try to understand: What does the plan look like? How can we get quick wins with limited risk? Does the agency have the expertise to get there by themselves? How will the funding support the project? Each one has a destination in mind, and each one has a unique path to get there.
MeriTalk: What unique capabilities does iBoss provide that will benefit agencies as they embark on this digital transformation?
Mueller: Our biggest differentiator is our architecture. We built our cloud-native security as a service platform from the ground up, utilizing software containerization to isolate traffic and enable the fastest, most secure connectivity. We enforce zero trust security access in one platform, using one global policy and administration engine across all security microservices, minimizing cost and complexity.
Another key capability is providing private dedicated IP space to enable agencies to route traffic directly from remote users to cloud applications rather than having to backhaul traffic through their TIC so they can get the correct source IPs. This dramatically increases performance while simplifying administration and reducing costs. As a result, our users can take public cloud applications and turn them private, bringing zero trust directly to the connection level.
We can also deliver this security service in a true, hybrid cloud format, allowing the FedRAMP cloud service to be stretched into an agency’s private cloud with on-premises hardware as it begins to modernize and retire legacy systems. It wouldn’t matter if the user was in headquarters, a branch office, sitting at Starbucks, or working from home – we’re able to protect that user.