Time is running out for federal agencies to implement zero trust architectures in accordance with Office of Management and Budget’s FY 2024 deadline. Federal cyber leaders highlighted identity management as a foundational component of zero trust and a necessary first step in zero trust architecture at ATARC's Accelerating Zero Trust Implementations with Network Visibility webinar Thursday.
If you don’t know who’s on the other end of line, you can’t possibly implement any of the other principles of zero trust, said Dan Chandler, Information Systems Security Officer with the Budget Systems Branch at the OMB, Executive Office of the President.
Chandler said the level of assurance associated with an identity is vital.
“In the federal government we’re fortunate to have access to a really strong two-factor identity solution and so leveraging those for your identity management and authentication is a really a strong first step that to makes it a lot easier to implement future components of a zero trust architecture,” Chandler said during the ATARC webinar.
Organizations should also designate a single source of truth for identity and access management to prepare for zero trust architecture.
“Rather than having lots of individual systems that have their own group structures or their own interface for managing permissions you really want to have a single tool that’s part of your identity management solution that lets you identify who a person is and what roles that person has," Chandler said. "Then in the individual systems all they have to do is implement access controls and security controls based on the roles a person has.”
Brian Hermann, Cyber Security and Analytics Director at the Defense Information Systems Agency (DISA), said DOD is making progress in achieving zero trust architecture with DISA’s Thunderdome prototype, which will inform the future of DOD cybersecurity.
“We’re implementing secure access service access edge (SASE) as a mechanism for us to understand and consolidate information about the user from the ICAM, from the device,” Hermann said during the webinar. “We're going to eliminate some of the virtual private networking access to applications and pair that up with application security stacks to limit the east-west kind of movement across the network.”
Chandler said one of the things organizations miss when implementing zero trust is allowing IT systems to be dynamic and incorporate all relevant data to determine whether a user should access to a resource.
“We’re working on architecting a system that creates a trust score for a particular session and then matches that up with a trust requirement on a function or feature so that we have a dynamic change and the level of trust we have for a particular session and then we can guide that user,” Chandler said. “Let’s say your trust score isn’t high, you can reauthenticate to raise your score enough for you to be able to do what you need to and doing that dynamically forces you to build up a lot of other best practices.”
Hermann said he didn’t like the term zero trust because he considers the zero trust approach a journey rather than a destination. Zero trust is primarily about determine trust levels and progressively reducing or increasing trust based on different user profiles and scenarios.
“It’s trust that is based on information and policies, not just blanket trust which is where many of us were when we started,” Hermann said. “What is the first step we take to make that move toward zero trust and just continue to evolve in an agile fashion? That’s what we really have to do.”