Through a memo released by the Office of Management and Budget (OMB), the Biden administration released a 30-page strategy to move the US government toward a zero-trust approach to cybersecurity. The strategy “represents a key step” in implementing May’s presidential executive order on cybersecurity, which contains a directive for federal government agencies to develop a plan to move toward a zero-trust architecture.
A buzzword in the world of cybersecurity, zero trust is a model based on the notion of “never trust, always verify”. The executive order defines zero trust as a security concept that “eliminates implicit trust in an element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses”. OMB asserts that a “key principle of a zero-trust architecture is that no network is implicitly considered trustworthy.”
The final step in a series of zero trust actions
The administration has already taken several steps under the executive order to position the federal government to embrace zero trust. President Biden’s executive order required agencies to develop their plans for implementing zero-trust architectures.
Last September, the administration released three documents that further flesh out zero trust under the EO. First, the OMB released a draft for public comment on steps government agencies can take to implement zero trust. The OMB memo just released is the final version of that earlier draft and reflects feedback received on the initial document.
The Cybersecurity and Infrastructure Security Agency (CISA) also released its Cloud Security Technical Reference Architecture at the same time to inform agencies of the benefits and risks inherent in adopting cloud-based services as agencies move closer to zero-trust architecture. Along with the Reference Architecture release, CISA released its Zero-Trust Maturity Model to help agencies implement Zero-Trust architectures.
The OMB memo sets out a tight schedule. Within 30 days of the release of the memo, or by February 26, agencies will need to designate and identify a zero-trust strategy implementer for their organization. Within 60 days of the OMB memo, or by March 26, agencies must build on EO-mandated plans by incorporating the additional requirements outlined in the memo into those plans. Finally, agencies must achieve five zero-trust security goals by the end of 2024.
Five Zero Trust Goals
The goals that agencies must achieve are aligned with the five pillars articulated in CISA’s Zero Trust Maturity Model. The objectives and the specific actions needed to achieve them are as follows:
- Identity: The goal is for agency staff to use company-managed identities to access the apps they use in their jobs. To achieve this goal, agencies should use centralized identity management systems for agency users that can be integrated into common applications and platforms. Agencies should also use strong, phishing-resistant multi-factor authentication (MFA) across the enterprise for agency staff, contractors, and partners, and phishing-resistant options should be available to public users as well. Password policies should not require special characters or regular rotation. When authorizing users to access resources, agencies should consider at least one device-level signal in addition to the authenticated user credential.
- Devices: The goal is to create a comprehensive inventory of every device the government operates and authorizes for government use and to prevent, detect, and respond to incidents on those devices. To achieve this goal, agencies must create reliable asset inventories through CISA’s Continuous Diagnostics and Mitigation (CDM) program. Agencies should also ensure that their endpoint detection and response (EDR) tools meet CISA technical requirements and are widely deployed.
- Networks: The goal is for agencies to encrypt all DNS requests and HTTP traffic in their environment and begin executing a plan to break down their perimeters into isolated environments. Actions agencies should take include resolving DNS queries using encrypted DNS wherever technically supported, enforcing HTTPS for all web and API traffic in their environment, and developing a zero-trust architecture blueprint that outlines the agency’s approach to environment isolation, in consultation with CISA.
- Applications and Workloads: The goal is for agencies to treat all applications as Internet-connected, consistently subject their applications to rigorous empirical testing, and accept external vulnerability reports. Actions required to achieve this goal include, among others, establishing dedicated application security testing programs, contracting high-quality application security firms for independent third-party assessments, and maintaining effective and welcoming public vulnerability disclosure programs for their web-accessible systems.
- Data: The goal is to put agencies on a clear, shared path to deploying protections that use deep data categorization, leveraging cloud security services and tools to discover, classify, and protect their sensitive data while implementing enterprise-wide logging and information sharing. Actions agencies should take to achieve this goal are implementing initial automation of data categorization and security responses, tagging and managing access to sensitive documents, auditing access to all encrypted data at rest in commercial cloud infrastructure, and working with CISA to implement comprehensive logging and information sharing capabilities.
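To make the Identity pillar concrete, the following is an added example (not the memo's text or any agency's code) of an access decision that combines an authenticated user credential, a phishing-resistant authenticator, and at least one device-level signal, plus a password check that follows the memo's guidance of not requiring special characters or rotation. The authenticator names, the device signals, and the breached-password list are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Authenticator types treated here as phishing-resistant (FIDO2/WebAuthn and
# PIV smart cards); OTP and SMS codes can be relayed by a phishing page and
# therefore do not qualify. Assumed labels, not a standard enumeration.
PHISHING_RESISTANT = {"fido2", "piv"}


@dataclass
class Session:
    user_id: str               # authenticated user credential (empty if none)
    authenticator: str         # "fido2", "piv", "totp", "sms", ...
    device_id: Optional[str]   # None when the request came from an unknown device
    device_managed: bool       # hypothetical signal from MDM: device is enrolled
    edr_healthy: bool          # hypothetical signal from the EDR agent on the device


def evaluate_access(s: Session) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). All failing conditions are collected so the
    access log can state exactly which zero-trust requirement was not met."""
    reasons: List[str] = []
    if not s.user_id:
        reasons.append("no authenticated user credential")
    if s.authenticator not in PHISHING_RESISTANT:
        reasons.append(f"authenticator {s.authenticator!r} is not phishing-resistant")
    # At least one trustworthy device-level signal must accompany the credential.
    if s.device_id is None or not (s.device_managed and s.edr_healthy):
        reasons.append("no trustworthy device-level signal")
    return (not reasons, reasons)


def check_password_policy(pw: str, breached: Set[str], min_len: int = 12) -> List[str]:
    """Password rules in the memo's spirit: a length floor and a blocklist of
    known-breached passwords, with no special-character or rotation rule."""
    problems: List[str] = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in breached:
        problems.append("appears in breached-password list")
    return problems


if __name__ == "__main__":
    # Constructed sample requests: one compliant, one using SMS codes.
    for sess in (Session("alice", "fido2", "dev-1", True, True),
                 Session("bob", "sms", "dev-2", True, True)):
        print(sess.user_id, evaluate_access(sess))
```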
The private sector pioneered zero trust
Much of what the OMB has proposed are practices that the private sector has already developed and, to varying degrees, deployed over the past decade. Kelsey Hightower, a technologist who works at Google Cloud, told CSO that “zero trust is essentially impossible, isn’t it? But the idea that we’re practicing removing implicit trust is the point. The idea is for the White House to move towards more standard industry practices of transparency and honesty in the face of the challenge.”
John Yeoh, global vice president of research at the Cloud Security Alliance, told CSO, “The urgency of the memorandum comes as a result of all these attacks and vulnerabilities that we’ve seen lately.” But, he says, “Many [zero-trust actions in the memo] started even before the executive order.”
Aradhna Chetal, a senior cloud security executive, co-chair of CNCF TAG Security, and co-chair of the CSA Serverless Working Group, told CSO that “we need to achieve zero trust for all of our agencies as well as enterprises. Zero trust is not a new concept. It’s been talked about in the industry for over a decade. The concept of a stronger outer perimeter does not protect us from the current threat landscape. We needed the mandate to apply and accelerate some of what the industry has been doing.”
Will government agencies act quickly?
One question is whether slow government bureaucracies can achieve zero trust goals in less than two years. “I think it’s difficult [to know] until you fully assess the current state of your agency or program,” Yeoh says. “We’re going to see that over the next 30 and 60 days. This will open the eyes of many organizations.”
“It’s doable within the time frame assuming that federal agencies are able to acquire competent technical and engineering resources and funds are made available to them for the transition to new technologies,” Chetal said.
“When you look at these types of timelines with milestones, they’re basically industry best practices that we already know,” says Hightower. “It’s more about giving a large group of people clarity on things that just need to be done with no excuses.”
Copyright © 2022 IDG Communications, Inc.