The Office of Management and Budget (OMB) has released a Federal Zero Trust Strategy that lays out how agencies are to implement a Zero Trust Architecture (ZTA). The strategy frames the model as follows:
“The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access.
It is a dramatic paradigm shift in the philosophy of how we secure our infrastructure, networks, and data, from verification once at the perimeter to continual verification of each user, device, application, and transaction,” as described in the Department of Defense Zero Trust Reference Architecture.
OMB requires that agencies achieve specific Zero Trust security goals by the end of Fiscal Year 2024 (FY24). The strategic goals outlined in the memorandum also align with CISA’s five pillars. These are as follows:
Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects personnel from sophisticated online attacks.
Under White House Executive Order 14028, agencies are required to develop plans for implementing Zero Trust and to build upon those plans.
Agencies should implement enterprise-wide identity systems and access controls. Implementing such systems and controls gives a holistic view of users and the ability to verify a user’s identity whenever they attempt to access a system. This is extremely important and should be combined with multi-factor authentication (MFA).
MFA should be integrated at the application layer and used in conjunction with the identity system rather than through network authentication. Doing so supports the principle that no actor, system, network, or service is implicitly trusted within the enterprise.
MFA also protects against common methods of gaining unauthorized access, including phishing attacks. Both the Personal Identity Verification (PIV) standard and the World Wide Web Consortium (W3C)’s open Web Authentication (WebAuthn) standard are effective approaches. Agencies should use PIV, as it is the simplest way to meet the phishing-resistant MFA requirements of OMB Memorandum M-19-17.
In addition, agencies should ensure their tools support standard protocols for authorization, the process of granting authenticated entities access to resources. Zero Trust calls for permissions that are defined more granularly and dynamically, which is what attribute-based access control (ABAC) is designed to provide.
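The following is an added example, not code from the OMB strategy or from any agency system, of what "granular and dynamic" permissions look like in practice: a small ABAC evaluator that decides each request from attributes of the user (phishing-resistant MFA method, clearance, department), the device (enterprise-managed and compliant), the resource (classification, owning department) and the context (region), with a default-deny outcome. The attribute names, the five policy rules and the sample requests are assumptions chosen for illustration.

```python
"""Minimal attribute-based access control (ABAC) policy evaluator.

Added example, not the OMB strategy's or any agency's code. The attribute
names (department, clearance, mfa_method, managed, compliant,
classification, owner_department, geo) and the rules are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable

# The strategy names PIV and WebAuthn as phishing-resistant MFA options.
PHISHING_RESISTANT = {"piv", "webauthn"}


@dataclass(frozen=True)
class Request:
    user: dict
    device: dict
    resource: dict
    action: str
    context: dict = field(default_factory=dict)


# A rule is a human-readable reason plus a predicate over the request.
Rule = tuple[str, Callable[[Request], bool]]

# Every rule must hold for access to be granted (default deny).
POLICY: list[Rule] = [
    ("authentication must be phishing-resistant MFA",
     lambda r: r.user.get("mfa_method") in PHISHING_RESISTANT),
    ("device must be enterprise-managed and compliant",
     lambda r: bool(r.device.get("managed") and r.device.get("compliant"))),
    ("user clearance must meet resource classification",
     lambda r: r.user.get("clearance", 0) >= r.resource.get("classification", 0)),
    ("writes require membership in the resource's owning department",
     lambda r: r.action != "write"
     or r.user.get("department") == r.resource.get("owner_department")),
    ("high-classification reads are denied from outside the CONUS region",
     lambda r: not (r.resource.get("classification", 0) >= 3
                    and r.context.get("geo") != "CONUS")),
]


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason); the first unmet rule denies the request."""
    for reason, predicate in POLICY:
        if not predicate(req):
            return False, reason
    return True, "all policy rules satisfied"


def demo() -> list[tuple[str, bool, str]]:
    """Evaluate a few constructed requests; returns (case, allowed, reason)."""
    laptop = {"managed": True, "compliant": True}    # enterprise-managed, healthy
    byod = {"managed": False, "compliant": False}    # unmanaged personal device
    ledger = {"name": "grants-ledger", "classification": 2,
              "owner_department": "finance"}
    alice = {"department": "finance", "clearance": 2, "mfa_method": "piv"}
    bob = {"department": "hr", "clearance": 2, "mfa_method": "webauthn"}
    conus = {"geo": "CONUS"}
    cases = [
        ("piv, managed device, read", Request(alice, laptop, ledger, "read", conus)),
        ("sms otp instead of piv",
         Request({**alice, "mfa_method": "sms"}, laptop, ledger, "read", conus)),
        ("unmanaged device", Request(alice, byod, ledger, "read", conus)),
        ("cross-department write", Request(bob, laptop, ledger, "write", conus)),
        ("same-department write", Request(alice, laptop, ledger, "write", conus)),
    ]
    return [(label, *evaluate(req)) for label, req in cases]


if __name__ == "__main__":
    for label, allowed, reason in demo():
        print(f"{label:28} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The point of the structure is that the decision is recomputed on every request from current attributes: if the device falls out of compliance or the user's MFA method changes, the same user and resource produce a different answer, which a static role grant cannot express.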
The Federal Government has a complete inventory of every device it operates and authorizes for Government use and can prevent, detect, and respond to incidents on those devices.
For Devices, agencies need to maintain a complete inventory of every device authorized and operated for official business, and must be able to prevent, detect, and respond to incidents on those devices.
An enterprise-wide Zero Trust architecture requires a full understanding of the devices, users, and systems interacting within an organization. CISA runs the Continuous Diagnostics and Mitigation (CDM) program, which helps agencies gain awareness of their assets across the enterprise.
As EO 14028 states, Federal civilian agencies must have formalized their participation in CDM via a memorandum of agreement with DHS. Agencies must create complete, ongoing, and reliable asset inventories. Such inventories are especially necessary in a cloud environment, where a granular and dynamic approach to access control is the end goal.
EO 14028 also heavily emphasizes the importance of endpoint detection and response (EDR), which includes proactive detection of cybersecurity incidents and the capabilities needed during incident response. For more information on this point, see Memorandum M-22-01, which discusses EDR.
Agencies must ensure that their Endpoint Detection and Response (EDR) tools meet CISA’s technical requirements and are deployed across the enterprise. These agencies should also make information gathered from their EDR tools available to CISA.
Agencies encrypt all DNS requests and HTTP traffic within their environment and begin executing a plan to break down their perimeters into isolated environments.
For Networks, agencies must encrypt all DNS and HTTP traffic within their environment and begin breaking down their perimeters into isolated environments, so that the granular, dynamic access control being implemented can be used effectively.
As agencies broadly encrypt traffic, it is critical to balance the depth of their network monitoring against the risks of weak or compromised network inspection devices. Inspecting and analyzing logged network traffic is a tenet of Zero Trust Architecture.
At the same time, a core concept of Zero Trust is that anything can become compromised, including monitoring tools. CISA and others have found that incorrect implementation of encryption protocols can lead to security vulnerabilities.
Agencies need to avoid relying on static cryptographic keys with overly broad, enterprise-wide decryption ability, as compromise of such a key would expose the entire enterprise’s encrypted traffic. Instead, agencies should use standard encryption protocols, such as TLS 1.3, that are designed to resist bulk decryption.
In practice, using NIST SP 800-207 as a reference, there are places where traffic should not or cannot be deeply inspected, such as the environments staff use in day-to-day work. As agencies move away from intranets and implement segmentation, inspecting traffic in these day-to-day environments becomes both less practical and less valuable as the segmentation takes effect.
In other network segments, deep traffic inspection may be more valuable in reducing the attack surface. For example, deep inspection of traffic to applications that guard sensitive data and have a small number of expected clients would be more appropriate. A core tenet of Zero Trust is that users and services receive the least visibility and privilege necessary to do their jobs.
Any network traffic that is not decrypted should still be analyzed using heuristics to detect anomalous activity, consistent with the Trusted Internet Connections (TIC) initiative as described in OMB Memorandum M-19-26. For DNS, agencies should configure endpoints to use agency-designated encrypted DNS servers.
By FY24, agencies should provide plans to update or otherwise ensure support for encrypted DNS enterprise-wide. For HTTP, under OMB Memorandum M-15-13 and DHS Binding Operational Directive (BOD) 18-01, all agencies are required to use HTTPS, the encrypted version of HTTP, for all externally accessible web services and APIs.
Those directives did not, however, require internal traffic to use HTTPS. The Zero Trust strategy extends the requirement: all HTTP traffic within agency environments must now use HTTPS, whether externally facing or internal.
Identity governance, logical micro-segmentation, and network-based segmentation all serve the same objective: Zero Trust systems must meaningfully isolate environments so that an adversary who compromises one component cannot move laterally within the organization and compromise other, distinct environments.
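As an added example (not tooling from OMB, CISA or any agency), the script below audits a service inventory against the network requirements described above: HTTPS for internal as well as external endpoints, TLS 1.3 rather than older versions, no static RSA key exchange (which lets a single leaked server key decrypt every recorded session), and DNS that goes over an encrypted transport to an agency-designated resolver. The CSV inventory format, the sample rows, the resolver allow-list and the severity labels are all constructed for this example.

```python
"""Audit a service inventory against the strategy's network requirements.

Added example, not OMB's, CISA's or any agency's tooling. The inventory
columns, the sample rows, DESIGNATED_RESOLVERS and the severity labels
are assumptions made for illustration.
"""
import csv
import io
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample inventory: one row per service endpoint.
INVENTORY_CSV = """\
name,zone,url,tls_version,key_exchange,dns_transport,dns_resolver
grants-portal,external,https://grants.example.gov/,1.3,ecdhe,doh,10.0.0.53
hr-intranet,internal,http://hr.intranet.example/,,,udp53,10.0.0.53
payroll-api,internal,https://payroll.intranet.example/,1.2,rsa,dot,10.0.0.53
legacy-reports,internal,https://reports.intranet.example/,1.0,rsa,udp53,8.8.8.8
"""

DESIGNATED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumed agency-designated
ENCRYPTED_DNS = {"dot", "doh"}                      # DNS over TLS / DNS over HTTPS


@dataclass(frozen=True)
class Finding:
    service: str
    severity: str   # "fail" breaks a stated requirement, "warn" is advisory
    message: str


def check_row(row: dict) -> list[Finding]:
    """Apply the network requirements to one inventory row."""
    findings = []
    name = row["name"]
    scheme = urlparse(row["url"]).scheme
    if scheme != "https":
        # The requirement covers internal zones too, not only public services.
        findings.append(Finding(name, "fail",
            f"{scheme or 'unknown'} scheme in {row['zone']} zone; HTTPS required for all traffic"))
    else:
        if row["tls_version"] != "1.3":
            findings.append(Finding(name, "warn",
                f"TLS {row['tls_version'] or '?'} negotiated; move to TLS 1.3"))
        if row["key_exchange"] == "rsa":
            # Static RSA key exchange has no forward secrecy: one leaked
            # server key decrypts every session that was recorded.
            findings.append(Finding(name, "fail",
                "static RSA key exchange; use an ephemeral (ECDHE) exchange"))
    if row["dns_transport"] not in ENCRYPTED_DNS:
        findings.append(Finding(name, "fail",
            f"DNS over {row['dns_transport']} is unencrypted"))
    if row["dns_resolver"] not in DESIGNATED_RESOLVERS:
        findings.append(Finding(name, "fail",
            f"resolver {row['dns_resolver']} is not agency-designated"))
    return findings


def audit(inventory_csv: str) -> list[Finding]:
    """Parse the CSV inventory and return all findings, in row order."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [finding for row in rows for finding in check_row(row)]


if __name__ == "__main__":
    for f in audit(INVENTORY_CSV):
        print(f"[{f.severity.upper():4}] {f.service}: {f.message}")
```

Running it against the sample rows reports nothing for the compliant external portal, but flags the plaintext HTTP intranet site, the two services still using static RSA key exchange, and every endpoint whose DNS is either unencrypted or pointed at a resolver the agency does not operate. A real inventory would come from CDM or a cloud asset API rather than a hand-written CSV, but the checks are the same.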
Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
For Applications and Workloads, agencies should treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
Federal applications must withstand sophisticated probing and attack, and agencies should create a Security Assessment Report (SAR) to authorize each of their information systems. These SARs should incorporate not just information gathered by automated tools but also analysis using more time-intensive, specialized, and application-specific methods.
In addition to their testing programs, agencies must increase their reliance on external perspectives to identify vulnerabilities that internal staff may not identify. CISA and GSA are creating procurement structures to acquire application security testing capabilities rapidly.
CISA has also released a vulnerability disclosure platform that agencies may use to receive and triage vulnerability reports and engage directly with security researchers. Making applications safely accessible from the internet without relying on VPNs is a major shift that will require significant effort.
Agencies are on a clear, shared path to deploy protections that use thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data and have implemented enterprise-wide logging and information sharing.
For Data, agencies are on a clear, shared path to deploy protections that use thorough data categorization. As cloud environments have become more pervasive over the years, automating security responses in the cloud has become more important, and security monitoring and enforcement have become a necessity.
This is often referred to as Security Orchestration, Automation, and Response (SOAR). Agencies should strive to employ heuristics rooted in machine learning to categorize the data they gather, and to deploy processes that detect and warn of abnormal behavior in real time.
EO 14028 directs agencies to use encryption to protect data at rest, but encryption at rest does not protect against a compromised system that is authorized to decrypt that data. Cloud infrastructure providers offer services that can detect such activity by combining cloud-managed encryption with their audit logs.
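The two preceding paragraphs describe monitoring key usage for abnormal behavior, which is the point at which compromised-but-authorized decryption becomes visible. The script below is an added example, not a cloud provider's or any agency's detector, and uses simple statistical baselines rather than the machine-learning heuristics the strategy mentions: it parses a constructed key-management audit log (one JSON object per line), learns which principals normally decrypt with which keys and how often, and then raises alerts in a later window for a principal that has never used a key before, a decrypt call from outside the enterprise address range, and a volume spike well above the baseline. The record format, field names, sample events, address range and thresholds are all assumptions for illustration.

```python
"""Flag anomalous use of cloud-managed encryption keys from audit logs.

Added example, not a cloud provider's or agency's detector. The log
record format, the sample events, ENTERPRISE_NET and the thresholds are
constructed for this example.
"""
import ipaddress
import json
from collections import Counter

ENTERPRISE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
SPIKE_FACTOR = 4   # alert when a window exceeds 4x the learned count ...
MIN_SPIKE = 5      # ... and has at least this many calls (avoids noise on tiny baselines)


def _event(ts: str, principal: str, key: str, src: str, action: str = "Decrypt") -> str:
    """Build one constructed audit record in the JSON-lines format parse() reads."""
    return json.dumps({"ts": ts, "principal": principal, "key": key,
                       "action": action, "src": src})


# Constructed learning window: two service accounts, each using its own key.
BASELINE_LOG = "\n".join([
    _event("2024-03-01T09:00:00Z", "svc-reports", "key-hr", "10.1.2.10"),
    _event("2024-03-01T13:00:00Z", "svc-reports", "key-hr", "10.1.2.10"),
    _event("2024-03-02T09:05:00Z", "svc-reports", "key-hr", "10.1.2.10"),
    _event("2024-03-01T02:00:00Z", "svc-payroll", "key-payroll", "10.1.3.20"),
    _event("2024-03-02T02:00:00Z", "svc-payroll", "key-payroll", "10.1.3.20"),
])

# Constructed detection window: normal reporting traffic, one unfamiliar
# principal decrypting from an external address, and a payroll burst.
WINDOW_LOG = "\n".join(
    [_event("2024-03-03T09:00:00Z", "svc-reports", "key-hr", "10.1.2.10"),
     _event("2024-03-03T13:00:00Z", "svc-reports", "key-hr", "10.1.2.10"),
     _event("2024-03-03T03:14:00Z", "admin-temp", "key-hr", "203.0.113.5")]
    + [_event(f"2024-03-03T02:{m:02d}:00Z", "svc-payroll", "key-payroll", "10.1.3.20")
       for m in range(9)]
)


def parse(lines: str) -> list[dict]:
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def build_baseline(events: list[dict]) -> Counter:
    """Count Decrypt calls per (principal, key) over the learning window."""
    return Counter((e["principal"], e["key"]) for e in events if e["action"] == "Decrypt")


def detect(baseline: Counter, window: list[dict]) -> list[tuple[str, str, str]]:
    """Return (alert_kind, principal, detail) for anomalous Decrypt activity."""
    alerts = []
    decrypts = [e for e in window if e["action"] == "Decrypt"]
    seen = set()
    for e in decrypts:
        pair = (e["principal"], e["key"])
        if pair not in baseline and pair not in seen:
            alerts.append(("new-principal", e["principal"],
                           f"first Decrypt of {e['key']} by this principal"))
        seen.add(pair)
        if ipaddress.ip_address(e["src"]) not in ENTERPRISE_NET:
            alerts.append(("external-source", e["principal"],
                           f"Decrypt of {e['key']} from {e['src']}"))
    for pair, n in Counter((e["principal"], e["key"]) for e in decrypts).items():
        expected = baseline.get(pair, 0)
        if n >= MIN_SPIKE and n > SPIKE_FACTOR * expected:
            alerts.append(("volume-spike", pair[0],
                           f"{n} Decrypt calls on {pair[1]} vs baseline {expected}"))
    return alerts


def run() -> list[tuple[str, str, str]]:
    """Learn from BASELINE_LOG and detect over WINDOW_LOG."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(WINDOW_LOG))


if __name__ == "__main__":
    for kind, principal, detail in run():
        print(f"{kind:16} {principal:14} {detail}")
```

The detections rely on the property the paragraph above points out: a compromised system still has to ask the cloud key service to decrypt, and that request is logged with who asked, from where, and how often. Feeding these alerts into a SOAR workflow (for example, to suspend the principal's key grant pending review) is the automated response the Data pillar calls for.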