SecurityWeek


White House Publishes Federal Zero Trust Strategy

The White House on Wednesday released its federal zero trust strategy, requiring agencies to meet certain cybersecurity standards and objectives by the end of fiscal year 2024.

The strategy builds upon the executive order signed by President Joe Biden in May 2021 to improve the United States’ cyber defenses. The executive order was signed in response to the SolarWinds, Colonial Pipeline and other significant attacks carried out by foreign threat actors.

When a zero trust model is implemented, no user, system, network or service operating inside or outside the security perimeter is trusted, and every access attempt is verified.

The latest memorandum from the Office of Management and Budget (OMB) requires agencies to achieve certain goals by the end of 2024. These goals focus on identity, devices, networks, applications and workloads, and data — these are the five pillars described by the zero trust model of the DHS’s Cybersecurity and Infrastructure Security Agency (CISA).

Specifically, agency staff will be required to use enterprise-managed identities to access work applications and use phishing-resistant multi-factor authentication (MFA). Agencies will need to have a complete inventory of devices and visibility into those devices for incident prevention, detection and response.

Government organizations are required to encrypt traffic on their networks and implement network segmentation. As for applications, they will need to be routinely tested and agencies are advised to welcome external vulnerability reports.

Access to sensitive data will need to be monitored and enterprise-wide logging and information sharing systems will need to be implemented.

While agencies have until the end of 2024 to achieve these goals, they are required to update their plans for implementing a zero trust architecture within 60 days, and designate someone to lead zero trust implementation in their organization within 30 days.

“While the order rightfully includes centralized management of identities, it fails to identify the Governance of Privilege and invalid privileged account access, which is the riskiest identity for both the public and private sectors,” commented Raj Dodhiawala, president of privileged access management provider Remediant.

“The executive order also elaborates on Phishing-resistant MFA for protection but not enough on how to reduce the attack surface due to privilege sprawl,” Dodhiawala said. “While Phishing is a primary vector where an attack initiates, we know from the frequency and variety of today’s incidents in both public and private sector enterprises that privilege access security continues to be the weakest element. In fact, it’s the one that is immediately exploited in any successful attack and is the culprit of more than 74% of breaches.”

He added, “The majority of today’s attackers accomplish their mission by leveraging privilege (or admin) account sprawl — a very large attack surface. Once cyberattackers get a toehold on any system, elevating privileges and moving laterally to find crown jewels become relatively straightforward. OMB’s memorandum also distinguishes between authentication and authorization, but it does not go far enough to establish layered protection, which will prevent attackers from gaining any elevated privileges. This includes protecting admin authorization, and protecting organizations against the discovery of admin credentials, hashes or secrets from inside the network.”

Lucas Budman, CEO of identity solutions provider TruU, commented, “The initial step in any successful Zero Trust strategy should focus on granting access by verifying the person requesting access, understanding the context of the request, and determining the risk of the access environment. This never trust, always verify, enforce least privilege approach provides the greatest security for organizations.”

Budman added, “It’s also important in a Zero Trust construct to recognize that devices that access data (laptops, desktops, mobile devices) have identities, as well. You have to understand the device’s posture when accessing the network in order to provide proper device level authentication and authorization. If the user only has access to non-sensitive or public information, the enterprise may not care that their device might have malware; however, if the user is trying to access sensitive financial or customer data, access should only be given to those devices that are managed, trusted and protected.”

Last week, President Biden signed a memorandum focused on boosting the cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
