All organizations can learn lessons from the new federal zero trust strategy
The race toward zero trust-driven cybersecurity is on for the U.S. federal government: a recent directive from the U.S. Office of Management and Budget (OMB) sets a deadline at the end of 2024 for all federal agencies to adhere to a new federal zero trust strategy as a way to strengthen government cybersecurity.
It's a sweeping architectural framework that many security experts believe could go a long way toward improving federal security postures—as long as agencies can make good on the requirements. The strategy also offers some strong lessons for private sector organizations plotting their own cybersecurity roadmaps.
Why federal leaders view zero trust as the cyber goal
Zero trust has been gaining steam across the cybersecurity community as both a popular buzzword and an abiding principle. Cutting through the vendor marketing hype, the foundation of zero trust lies in the idea that no user, device, or application should be trusted merely for its presence on the network, nor should it get more access to any asset or data resource than needed at any given time. This latter requirement is known as the principle of least privilege.
It's a simple idea that takes considerable technical and cyber policy planning to implement. To bring it fully to fruition, zero trust requires strong fundamentals in data classification and asset management, identity management, device controls, network segmentation, and encryption.
These capabilities help enterprises move beyond the traditional IT stance on access privileges, which tends to "allow all" by default unless access is explicitly blocked, and which gates that access with simple login mechanisms. Such logins typically grant access to vast swaths of assets for extended periods on the strength of a single password, with no contextual, risk-based criteria baked in and no re-verification of the identity after login. Once attackers have gained access with legitimate credentials, they can often reach everything.
"The zero trust process is based on a continuous cycle of credentialing, verifying, and authorizing a user's identity," wrote Eric Goldstein, executive assistant director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in a blog post on the subject. "This shift is incredibly important in a world where network perimeters are constantly changing with the increased use of remote and cloud services."
CISA has been instrumental in laying the technical groundwork for the OMB's zero trust strategy by developing a Zero Trust Maturity Model for agencies to use as they progress toward the requirements of the strategy. The official release of the strategy in February is the culmination of a collaborative effort of numerous technology experts across the federal government and the private sector that was spurred on by President Biden's Executive Order on Improving the Nation's Cybersecurity. Many within the federal space see the zero trust strategy as the primary path by which the government can achieve the objectives laid out by the order.
"This strategy is a major step in our efforts to build a defensible and coherent approach to our federal cyberdefenses," said Christopher Inglis, national cyber director, in a recent statement. "We are not waiting to respond to the next cyber breach. Rather, this administration is continuing to reduce the risk to our nation by taking proactive steps towards a more resilient society."
What enterprises can learn from the directive
The federal government's take on zero trust architecture is just one in a progression of different industry frameworks that have been released in the past few years around these principles. Aligned with CISA's maturity model—which is in turn guided by NIST Special Publication 800-207, a zero trust architecture standard published in 2020—the federal strategy is designed around five major security control pillars: identity, devices, networks, applications and workloads, and data.
Ultimately, the requirements set out by the strategy around these pillars are good cybersecurity best practice aspirations for any organization, whether public or private sector. The highlights include:
Identity
- Centralize identity management and integrate it across apps and common platforms
- Use phishing-resistant multifactor authentication
Devices
- Build reliable asset inventories
- Use effective endpoint detection and response technology
Networks
- Effectively segment the network
- Enforce HTTPS encryption for all web and API traffic
Applications and workloads
- Move to immutable workloads, wherein software components are replaced instead of changed
- Build a dedicated application security testing program
Data
- Effectively categorize data through automation and tagging
- Implement comprehensive logging and information sharing
"It's a good, practical implementation of the overarching guidance from 800-207," says Chase Cunningham, chief strategy officer at Ericom Software. Cunningham authored the Zero Trust eXtended Framework (ZTX) when he was an analyst at Forrester Research in 2017. "I think everyone else should look at it and say, 'OK, big government has this directive with these requirements. When we implement zero trust, let's take the things we need and make it work for us.'"
How the federal vision of zero trust diverges from industry
According to Cunningham, while the powers that be generally did a good job folding industry best practices into the strategy, he sees a couple of key omissions in the federal vision of zero trust architecture.
"I think they did a good job of taking the ZTX framework and focusing on five key pillars for them. However, I think that they may have ignored the fact that we created visibility and analytics, as well as automation capabilities, as other pillars as well," he says. "What good are some of those capabilities if you don't have the telemetry to trigger an automated action? I hope they flesh out those two pillars sooner or later."
This slimmed-down profile may be a difference of opinion about organizational structure rather than a straight omission, as the strategy does state that visibility and analytics, automation and orchestration, and governance are three themes that cut across all five of its pillars.
Interestingly, the federal strategy adds certain requirements that are not necessarily traditionally viewed as zero trust core components but are seen as best practices for a strong overall cybersecurity program. For example, under the application pillar, the OMB requires agencies to run an "effective and welcoming public vulnerability disclosure program for internet-accessible systems," so outside security researchers can more easily submit information when they discover bugs in government systems.
Another place where the federal strategy goes beyond the bounds of zero trust is with regard to application and workload encryption mandates, says Sunil James, vice president of product and engineering at Hewlett Packard Enterprise.
"The strategy seems to contemplate encrypting application and workload traffic and data. This is obviously important but not necessarily a core zero trust principle," James says, noting that this may drive agencies toward adopting more dynamic certificate infrastructure.
"I see very few enterprises encrypting application and workload traffic and data because doing so is complicated and fraught with operational danger. Those that do often leverage static certificates stored in an internal certificate authority. Rarely do they rotate these crown jewels. It's just kind of built, tucked away, and then used repeatedly, with many enterprises hoping they never have to be touched again."
Agencies and any private sector organizations that want to use the strategy to guide their efforts will likely need to consider re-basing their application and workload encryption strategies on dynamic cryptographic identities, such as those contemplated by the Secure Production Identity Framework for Everyone (SPIFFE) and the related SPIFFE Runtime Environment (SPIRE), both of which are projects of the Cloud Native Computing Foundation.
While not necessarily a zero trust fundamental, this requirement supports the government's emphasis on moving to immutable infrastructure, which is also detailed in the strategy.
"Unlike hired human employees, which are relatively small in numbers, manually verified, and stay for years, software 'employees' like containers and VMs are sprawling, volatile, and can stay for just minutes," James says. "So you hire it, you onboard it, it does its work for five minutes, then you fire it."
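The hire/onboard/fire lifecycle James describes, as an added Go sketch that is not from the article, SPIFFE or SPIRE: a workload gets a short-lived X.509 identity carrying a SPIFFE ID in its URI SAN, and an admission check accepts it only if it chains to the trust domain, names a spiffe:// identity, and stays under an assumed one-hour lifetime, so a static certificate "tucked away" for years is refused. The trust-domain name, SPIFFE IDs and lifetime policy are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// IssueSVID mints a workload certificate with spiffeID as its URI SAN, valid for ttl, and returns it with the
// throwaway trust-domain root that signed it (both constructed for this example; a real deployment uses SPIRE).
func IssueSVID(spiffeID string, ttl time.Duration) (leaf, root *x509.Certificate, err error) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.org"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, rootPub, rootKey)
	if err != nil {
		return nil, nil, err
	}
	root, _ = x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	id, _ := url.Parse(spiffeID)          // callers pass a well-formed URI; Admit enforces the spiffe scheme
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the private half never leaves the workload
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), URIs: []*url.URL{id},
		NotBefore: time.Now(), NotAfter: time.Now().Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature}
	if der, err = x509.CreateCertificate(rand.Reader, leafTmpl, root, leafPub, rootKey); err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(der)
	return leaf, root, err
}

// Admit accepts cert only if it chains to the trust-domain root, names one spiffe:// identity, and is short-lived (assumed policy: one hour).
func Admit(cert, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	if len(cert.URIs) != 1 || cert.URIs[0].Scheme != "spiffe" {
		return errors.New("no SPIFFE ID in URI SAN")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > time.Hour {
		return errors.New("lifetime exceeds policy: a static long-lived cert is not a workload identity")
	}
	return nil
}
```

Because identities are minted per workload and expire within the hour, rotation is a routine re-issue rather than a feared operation on a hoarded internal CA certificate.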
While the timeline is aggressive—stipulating a full rollout by the end of 2024—experts like James believe that it is worth the effort to get all agencies to move toward continuous improvement of federal cybersecurity postures. Says James, "It's a big deal, and while rollout will be challenging, I think it will materially better our nation's overall cybersecurity posture."