Zero Trust Requires Continuous, Tested Security for Federal Agencies – MeriTalk


By Scott Ormiston, Federal Solutions Architect, Synack

In a single week at the end of March, the Biden administration both reiterated the call for American companies to step up their cybersecurity efforts in the wake of the Russian-Ukrainian war, and asked for nearly $11 billion in congressional cybersecurity funding for the federal government and its agencies for fiscal year 2023, an increase of $1 billion over the previous year.

A record number of common vulnerabilities and exposures (CVEs) and zero-day exploits are also contributing to the urgency felt in the cybersecurity industry, which is squeezed by a lack of talent and a boiling job market. Meanwhile, the federal government and its agencies are in the midst of an effort to modernize their technology — a Herculean task that has the potential to expand attack surfaces and further overburden cybersecurity professionals.

Adopting an offensive and adversarial cybersecurity strategy that aligns with the federal government’s mandate to move to a zero-trust architecture can release some of this pressure by working proactively to strengthen the existing security program of your agency.

The Zero Trust Architecture, as described in Federal Zero Trust Strategy Memorandum M-22-09, is aligned with the Cybersecurity and Infrastructure Security Agency’s (CISA) five pillars of its Zero Trust Maturity Model. These five pillars include: identity, devices, networks, application workload, and data. Each pillar requires different types of tools and services to adhere to zero trust principles, all of which come together to prevent unauthorized access by making access granular and as needed.

Taking a closer look at the Application Workload pillar, the optimal maturity level calls for applications to be designed for continuous testing. While an application is in development, security testing for federal agencies should be done regularly, and it should continue once the application is deployed. After deployment, CISA recommends ongoing external monitoring.

Common themes across the five pillars are continuity and externality. Why? Because this is how adversaries scan attack surfaces for potential threat vectors: they continually learn from organizations' security measures and improve their own approaches. Adversaries are looking for a way in 24/7, so security teams must work just as continuously to keep pace.

To move to zero trust, security teams need to establish whether their existing security systems and processes are working as intended. Performing external and internal tests and getting an independent, adversarial view of current security tools will show where to prioritize remediation efforts.

Synack provides dedicated application security testing that enables federal agencies to comply with mandates, advancing their steps toward zero trust principles. Agencies that select Synack will also benefit from its FedRAMP Moderate In Process designation, indicating that 325 security checks have been met to improve the safety of users working in Synack’s FedRAMP environment.

As former National Security Agency and Department of Defense technical security experts, Synack’s founders know first-hand the importance of securing federal operations and technologies in cyberspace.

CEO Jay Kaplan and CTO Dr. Mark Kuhr saw firsthand how difficult it was to bring together thousands of government employees and gain the security expertise needed to proactively protect themselves and be effective against today's cyberattacks and threat actors. This view led them to create Synack, the first on-demand security testing platform backed by a trusted community of ethical researchers for continuous penetration testing and vulnerability management.

“Helping defend the United States against cyberattacks is in our DNA. It’s why my co-founder Jay and I started Synack in the first place and it’s what our network of trusted ethical hackers do on the platform every day,” said Dr. Kuhr. “Synack’s FedRAMP designation is a powerful accelerator for even more federal customers to benefit from ongoing, participatory security testing, which is an essential best practice, especially in light of recent vulnerabilities such as Log4j.” The Synack offering can help organizations by responding quickly to the most pressing CVEs.

Synack has worked with over 30 government organizations on application security testing, delivering better results at scale than traditional methods, and is committed to helping agencies protect citizens and their data. Answering the Biden administration's call that now is the time to make progress on security efforts, Synack can provide organizations with on-demand access to the world's most trusted network of security researchers.
