As part of the Biden administration’s broad Cybersecurity Executive Order (EO) released in May, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) released three zero trust documents last week. Zero trust is a security concept that “eliminates implicit trust in an element, node, or service and instead requires continuous verification of the operational image through real-time information from multiple sources to determine the access and other system responses,” according to the EO.
From the perspective of a cybersecurity practitioner, zero trust is a security approach that, among other things, relies on rigorous authentication and authorization processes to give users the access they need to digital assets, but in a restricted manner that limits the damage in the event of a breach or compromise. The EO repeatedly references zero trust and directs CISA and OMB to develop initiatives to embed zero trust cybersecurity models across the federal government.
Documents released last week offer preliminary versions of these models. CISA and OMB call them “strategic and technical guidance documents intended to move the US government toward a zero-trust architecture.”
Federal Strategy Seeks Common Ground of Zero Trust Early Maturity
The first document is a draft Federal Zero Trust Strategy to move civilian agencies toward a common zero trust maturity baseline. It builds on a Zero Trust Maturity Model articulated by CISA in June that is based on five pillars:
- Identity, based on agency-wide use of “phishing-resistant” multi-factor authentication
- Devices, tracked in an inventory of all devices operated and authorized for government use so that agencies can better detect and respond to any incident
- Networks, segmented around applications, with encrypted DNS queries and HTTPS traffic
- Apps, rigorously tested, with every app treated as if it were connected to the internet
- Data, on a clear shared path to deploy protections that use deep data categorization
Additionally, the model asks agencies to take advantage of cloud services and implement enterprise logging and information sharing.
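The five pillars describe what a zero trust access decision has to take into account on every request. The following is an added illustration, not code from the article, CISA or OMB: a small per-request policy evaluator that encodes each pillar as an explicit check and emits one log line per decision for enterprise logging. The device inventory, asset classifications, role mappings, field names and the `evaluate` / `log_decision` functions are all constructed assumptions for this example.

```python
"""Added example (not from the article or CISA's model): a per-request
zero trust access decision that checks each of the five pillars.
All inventories, classifications and function names below are constructed."""
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed device inventory (devices pillar): only devices enrolled and
# authorized for government use appear here, each with a compliance state.
DEVICE_INVENTORY = {
    "laptop-0042": {"authorized": True, "compliant": True},
    "laptop-0099": {"authorized": True, "compliant": False},
}

# Constructed data classification per asset (data pillar) and which roles
# may access each classification.
ASSET_CLASSIFICATION = {
    "payroll-db": "sensitive",
    "public-site": "public",
}
ROLE_ACCESS = {
    "public": {"employee", "hr", "guest"},
    "sensitive": {"hr"},
}

# MFA methods treated as phishing-resistant for the identity pillar (assumption).
PHISHING_RESISTANT = {"fido2", "piv"}


@dataclass
class Request:
    user: str
    role: str
    mfa_method: Optional[str]  # e.g. "fido2", "piv", "sms", or None
    device_id: str
    asset: str
    transport: str             # "https" or "http"


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Evaluate one request with no implicit trust: every pillar is checked on
    every call, so nothing is carried over from an earlier decision."""
    reasons: List[str] = []

    # Identity: only phishing-resistant MFA satisfies the check.
    if req.mfa_method not in PHISHING_RESISTANT:
        reasons.append(f"identity: MFA method {req.mfa_method!r} is not phishing-resistant")

    # Devices: the device must be in the inventory, authorized and compliant.
    dev = DEVICE_INVENTORY.get(req.device_id)
    if dev is None or not dev["authorized"]:
        reasons.append(f"devices: {req.device_id} is not an authorized device")
    elif not dev["compliant"]:
        reasons.append(f"devices: {req.device_id} is out of compliance")

    # Networks / apps: every app is treated as internet-facing, so the
    # transport must be encrypted regardless of where the request came from.
    if req.transport != "https":
        reasons.append("networks: connection is not encrypted")

    # Data: access is scoped by the asset's classification, not by network
    # location; an unclassified asset is denied by default.
    classification = ASSET_CLASSIFICATION.get(req.asset)
    if classification is None:
        reasons.append(f"data: {req.asset} has no classification, deny by default")
    elif req.role not in ROLE_ACCESS[classification]:
        reasons.append(f"data: role {req.role!r} may not access {classification} data")

    return Decision(allowed=not reasons, reasons=reasons)


def log_decision(req: Request, decision: Decision) -> str:
    """Return one JSON line per decision for enterprise logging (no secrets logged)."""
    return json.dumps(
        {
            "user": req.user,
            "device": req.device_id,
            "asset": req.asset,
            "allowed": decision.allowed,
            "reasons": decision.reasons,
        },
        sort_keys=True,
    )


if __name__ == "__main__":
    good = Request("alice", "hr", "piv", "laptop-0042", "payroll-db", "https")
    bad = Request("bob", "employee", "sms", "laptop-0099", "payroll-db", "http")
    for r in (good, bad):
        print(log_decision(r, evaluate(r)))
```

The point of the structure is that a request which passes one pillar (say, a valid PIV login) is still denied if the device is out of compliance or the asset's classification excludes the role; each denial reason is recorded so the log line shows which pillar failed.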
Comments on the zero trust strategy are due on September 21. Agencies have until November 6 to develop FY22-24 plans for implementing this architecture. Agencies are also required to designate a zero-trust architecture implementer by October 7.
A fly in the ointment is that, to date, no funding is available to achieve this “radical paradigm shift in the philosophy of securing infrastructure, networks and data.” According to the OMB, agencies should “reprioritize” their FY22 budget to meet the targets or find funding elsewhere. Government offices must also develop a FY23-24 budget to achieve their zero trust priorities in those years.
The Zero-Trust Maturity Model is a conceptual roadmap
The second document is CISA’s Zero Trust Maturity Model itself. This “pushes agencies to adopt zero-trust cybersecurity principles and adjust their network architectures accordingly.” The maturity model is more of a conceptual roadmap for achieving an “optimal zero-trust environment.” Public comments on the Zero Trust Maturity Model are due October 1.
Security Technical Reference Architecture Aims to Ease Migration to the Cloud
The third document is the Cloud Security Technical Reference Architecture, which the administration sees as a key aspect of moving the government closer to zero trust principles. It tells agencies how to migrate to the cloud safely.
Released last month by CISA, in conjunction with the United States Digital Service (USDS) and FedRAMP, the Reference Architecture is a 46-page cloud migration guide designed to help agencies make this transition in a way that allows them to better identify, detect, protect against, respond to and recover from cyber incidents. Comments on the architecture are due October 1. CISA will work with USDS and FedRAMP to produce a later version of the guidance after the comment period.
Lack of funding and technical debt pose challenges
These documents are “steps in the right direction,” Theresa Payton, CEO of Fortalice Solutions and former White House CIO in the George W. Bush administration, told CSO. But the federal government faces challenges between the idea of zero trust and the practical reality where the rubber meets the road.
One of the first challenges is the lack of funds for agencies to adequately implement zero trust. “A lot of these executive orders are unfunded mandates. Typically, a bucket of cash doesn’t fall from the sky. It’s up to the Office of Management and Budget to figure out what appropriations have been allocated to encourage departments and agencies to allocate previously earmarked funds to the executive order,” Payton says.
The biggest challenge for government agencies is getting to grips with the relatively new and not immediately achievable goal of zero trust. “One of my favorite movies is Monty Python and the Holy Grail. The quest for zero-trust architecture is the search for the Holy Grail. Unfortunately, the Killer Rabbit [that impedes the crusaders’ search for] the holy grail is the technical debt that most businesses and government agencies face, as well as skills shortages.”
Payton offers multi-factor authentication, which underpins the identity pillar in CISA’s model, as an example. “A very basic principle of zero trust requires multi-factor authentication,” she says. “Many organizations, departments and agencies in the private sector don’t have multi-factor authentication in place. The idea that we’re going to sprint to get a plan in place and then we’re going to sprint to a zero-trust architecture when multi-factor authentication has been around for a decade” and has yet to be universally adopted illustrates the slow adoption of new security technologies, she says.
Renovations will be incredibly difficult to complete
The EO’s zero-trust provisions “are all steps in the right direction, but in practice and execution, they’re incredibly difficult to achieve,” Payton says. “It’s very likely that the systems that are already in place for many departments and agencies won’t scale easily to a zero-trust architecture. So I always tell people that the best way to think about zero-trust is that actually it’s not trust.”
“It’s about continuously monitoring every live connection you have and never trusting those live connections. For every connection, you need to have transparency, visibility, the ability to authenticate and constantly monitor. This is why zero-trust architecture in fighting cyber crimes and reducing an attack surface is incredibly useful, but it’s also incredibly difficult to achieve.”
The private sector should also review zero trust documents
Despite the tight deadlines, most interested parties, including private sector organizations, have known since May that these zero-trust documents were coming. Commentators should be relatively well placed to respond, Payton says.
“I strongly encourage not only departments and agencies, but anyone, any organization that is in an industry vertical where a department or agency is your oversight or your regulator, to also review these materials and post comments,” Payton said. “Typically [these kinds of requirements] will grow from a department and agency to private sector organizations that fall under this industry vertical.”
Copyright © 2021 IDG Communications, Inc.