Spotlight on: U.S. Government’s move towards Zero Trust Cybersecurity
In line with last May’s Executive Order 14028 “Improving the Nation’s Cybersecurity”, the White House stepped up its efforts last week with the announcement requiring all Federal agencies to adopt a ‘Zero Trust Architecture’ (ZTA) strategy by the end of fiscal year 2024 to improve defenses against “increasingly sophisticated and persistent threat campaigns”.
The memorandum (M-22-09), along with the UK’s Government Cyber Security Strategy for the public sector also announced last week, demonstrates an increasing focus on governments getting their own house in order.
We asked NCC Group Senior Vice President in North America, John Rostern, for his thoughts on the strategy, whether it goes far enough and how easy it will be for agencies to comply.
What is Zero Trust?
As described in the draft Office of Management and Budget (OMB) paper, the Zero Trust model is based on the principle that organizations, or in this case, US Government agencies, should operate on the premise that no system, application, or user is presumed to be trustworthy. Everything and everyone accessing the information systems of these agencies must be verified regardless of physical or network location.
The days of a strong perimeter defense, with little or no internal controls (the ‘igloo’ theory; hard and crunchy on the outside, but soft and chewy on the inside) have long passed in an era of advanced persistent threats and sophisticated threat actors that include Nation States.
This strategy aligns well with the concept of ‘defense in depth’ that is widely adopted in the commercial space.
What’s the history?
The underlying premise of ‘presumed compromise’ is not new to the US Government. Systems operating at higher classification levels, such as those supporting the defense and intelligence communities, have long operated from this perspective.
As the cyber threat environment evolved through the 90s and early 2000s, these agencies adapted their systems into what has come to be known as a zero-trust model. The National Institute of Standards and Technology (NIST) released Special Publication (SP) 800-207 in August of 2020, which describes zero trust principles for application in unclassified systems, making it broadly applicable to the zero-trust architecture strategy published last week.
The memorandum from the White House references the Department of Defense Zero Trust Reference Architecture in describing the Zero Trust Model that is at the heart of this strategy.
Are hardware-based authentication tokens the answer?
The use of hardware tokens to support Multi Factor Authentication (MFA) is a valid response to known, and exploited, vulnerabilities in systems using SMS-based notifications. Using Time-based One-Time Passwords (TOTP) in an MFA scheme is proven to significantly improve security compared to systems relying only on username and password combinations (single factor).
There are many ways to implement the use of TOTP, including both hard and soft tokens. Unlike non-governmental organizations, it is difficult for government agencies to leverage personal mobile devices to support equally (or more) effective soft token alternatives such as Google Authenticator or Cisco Duo.
However, the deployment of hardware tokens brings with it logistical challenges in issuing, managing and ultimately retrieving the tokens.
How easy or difficult will it be for agencies to comply, in your opinion?
Potential challenges that these agencies will face will include the ability of ‘legacy’ systems to support the introduction of the identity and access management controls, such as MFA, needed to support this strategy.
The result could be delays in implementation or, worse, the layering of controls around these legacy systems that will introduce additional complexity.
Experience tells us that greater complexity typically results in a less secure system.
What needs to happen next?
The strategy described in M-22-09 is a positive step in improving the overall state of cybersecurity for U.S. Governmental agencies. Combined with future initiatives supporting the objectives set forth in EO-14028, the zero-trust model will play a critical role in the evolved cybersecurity strategy for the U.S. Government.
It will not, however, stand on its own, and Federal agencies must deploy other elements to support their ability to assess threats and risks, identify and protect critical assets, and respond to and recover from incidents.