The federal government is taking concrete steps to implement zero trust across major agencies following last year’s cybersecurity executive order.
Speaking at the GovCIO Media & Research Cyberscape: ID forum, OMB Senior Advisor on Technology and Cybersecurity to the Federal CIO Eric Mill outlined the steps agencies have taken to protect against an evolving threat environment.
At its core, zero trust means moving beyond a network perimeter-based approach to data protection toward a greater focus on user credentials and authentication, so that unwanted access is either stopped outright or limited in its reach and severity.
Mill noted this requires anticipating that some form of network breach is potentially inevitable, and designing the security approach around stanching the harm malicious actors can do once inside.
“What we lay out in the strategy is taking seriously this concept of least privilege, of untrusted networks, and of just fundamentally assuming compromise at some level. Assuming that pieces of your organization, your network, your devices, your applications, any piece of them could be compromised and designing your enterprise architecture to expect that,” Mill said.
While the executive order emphasizes these kinds of baseline standards, it has also left considerable room for agencies to build their own cybersecurity strategies that reflect their own IT systems and access concerns.
“We do have a number of mandatory requirements in this ... but it leaves a lot of flexibility within that as agencies undergo enterprise architecture reform to decide how they're going to meet some of those things, and ultimately how they're going to structure their enterprise,” Mill said.
Mill explained that the executive order, and the federal government’s subsequent move toward embracing zero trust, was a response to recent large-scale network breaches that revealed the flaws in America’s public sector cybersecurity.
“A number of the things that led to this were in the news pretty widely. The cybersecurity Executive Order followed in short order from the Colonial Pipeline attack, and before that, the SolarWinds attack,” Mill said.
The core lesson of these attacks for policymakers and agency technologists is that not all breaches can be predicted or fully stopped, and that instituting forms of security beyond the network perimeter will block malicious actors from using an initial foothold to push into adjacent systems, as occurred during the SolarWinds incident.
“We won't predict all of these attacks in advance. What it means to protect from an advanced supply chain attack as we saw with SolarWinds involves protecting one of your network boxes from being popped and then using that to rummage around other things that are inside your organization,” Mill said.
Agencies have instead moved toward an identity-based approach to cybersecurity, particularly as a means of limiting the harm of a network breach.
“The identity pillar is the first pillar in our strategy. It's sort of the first among equals because it is the foundation of much of what you can do. Some people describe zero trust as moving your new boundary to identity instead of your network router or your perimeter,” Mill said.
Going forward, Mill recommended that federal agencies examine other potential vulnerabilities – including the potential access points in applications that are used across disparate organizations.
“Analyzing application vulnerabilities is going to be very critical for authentication systems, and I think is probably one of the places where folks are going to focus the most effort,” Mill said.