White House Publishes Federal Zero Trust Strategy
The White House on Wednesday released its federal zero trust strategy, requiring agencies to meet certain cybersecurity standards and objectives by the end of fiscal year 2024.
The strategy builds upon the executive order signed by President Joe Biden in May 2021 to improve the United States’ cyber defenses. The executive order was signed in response to the SolarWinds, Colonial Pipeline and other significant attacks carried out by foreign threat actors.
When a zero trust model is implemented, no user, system, network or service operating inside or outside the security perimeter is trusted, and every access attempt is verified.
The latest memorandum from the Office of Management and Budget (OMB) requires agencies to achieve certain goals by the end of 2024. These goals focus on identity, devices, networks, applications and workloads, and data — these are the five pillars described by the zero trust model of the DHS’s Cybersecurity and Infrastructure Security Agency (CISA).
Specifically, agency staff will be required to use enterprise-managed identities to access work applications and use phishing-resistant multi-factor authentication (MFA). Agencies will need to have a complete inventory of devices and visibility into those devices for incident prevention, detection and response.
Government organizations are required to encrypt traffic on their networks and implement network segmentation. As for applications, they will need to be routinely tested and agencies are advised to welcome external vulnerability reports.
Access to sensitive data will need to be monitored and enterprise-wide logging and information sharing systems will need to be implemented.
While agencies have until the end of 2024 to achieve these goals, they are required to update their plans for implementing a zero trust architecture within 60 days, and designate someone to lead zero trust implementation in their organization within 30 days.
“While the order rightfully includes centralized management of identities, it fails to identify the Governance of Privilege and invalid privileged account access, which is the riskiest identity for both the public and private sectors,” commented Raj Dodhiawala, president of privileged access management provider Remediant.
“The executive order also elaborates on Phishing-resistant MFA for protection but not enough on how to reduce the attack surface due to privilege sprawl,” Dodhiawala said. “While Phishing is a primary vector where an attack initiates, we know from the frequency and variety of today’s incidents in both public and private sector enterprises that privilege access security continues to be the weakest element. In fact, it’s the one that is immediately exploited in any successful attack and is the culprit of more than 74% of breaches.”
He added, “The majority of today’s attackers accomplish their mission by leveraging privilege (or admin) account sprawl — a very large attack surface. Once cyberattackers get a toehold on any system, elevating privileges and moving laterally to find crown jewels become relatively straightforward. OMB’s memorandum also distinguishes between authentication and authorization, but it does not go far enough to establish layered protection, which will prevent attackers from gaining any elevated privileges. This includes protecting admin authorization, and protecting organizations against the discovery of admin credentials, hashes or secrets from inside the network.”
Lucas Budman, CEO of identity solutions provider TruU, commented, “The initial step in any successful Zero Trust strategy should focus on granting access by verifying the person requesting access, understanding the context of the request, and determining the risk of the access environment. This never trust, always verify, enforce least privilege approach provides the greatest security for organizations.”
Budman added, “It’s also important in a Zero Trust construct to recognize that devices that access data (laptops, desktops, mobile devices) have identities, as well. You have to understand the device’s posture when accessing the network in order to provide proper device level authentication and authorization. If the user only has access to non-sensitive or public information, the enterprise may not care that their device might have malware; however, if the user is trying to access sensitive financial or customer data, access should only be given to those devices that are managed, trusted and protected.”
Last week, President Biden signed a memorandum focused on boosting the cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.