The recent increase in high-profile cyberattacks has shown that the federal government can no longer depend on the traditional perimeter-based defenses to defend their networks. Agencies are beginning to realize that they must adapt and adjust their strategies as new malicious tactics and technologies emerge. Earlier this year, President Biden took a step in helping agencies keep up with the ever-changing cyber landscape with his May Executive Order, calling for a revamp in the cybersecurity and Zero Trust process.
Since May, several organizations have followed suit by releasing their own guidelines and publications designed to help advance the effort toward zero trust. In September, the Cybersecurity and Infrastructure Security Agency released its Zero Trust Maturity Model draft guidance, listing “identity” as the first pillar in a successful zero trust model. The National Institute of Standards and Technology also released its zero trust special publication SP-800-207. At the same time, the National Cybersecurity Center of Excellence has started work on a zero trust use case of “building blocks” that provide clear, use-case based examples of how zero trust can be adopted and deployed into agency networks.
Among the continual strive to zero trust, there is one point that all organizations seem to agree on: the crucial concept of identity. These new guidelines show that NIST, OMB and CISA acknowledge that any effective zero trust plan must be built on the foundation of identity. OMB’s Zero Trust Federal Strategy and new 2021-2022 guidance in particular addresses this issue by focusing on consolidating agency identity systems and combating phishing and other credential-based attacks, allowing for an identity-first zero trust framework.
Building an identity-first zero trust architecture
The shift to an identity-based zero trust architecture does not happen overnight; a zero trust framework is a mindset and multi-pronged approach that takes years to implement effectively. OMB’s new Zero Trust Federal Strategy provides agencies with the basis for this mindset through the adoption of three solutions: secure password policies, phishing-resistant multi-factor authentication, and a single sign-on (SSO) service.
SSO and MFA are components of identity-focused solutions under the umbrella of identity access management (IAM). These two solutions, as highlighted in OMB’s federal draft strategy, address the new cyber perimeter by assessing risk in a manner tailored to users’ digital identity and ongoing risk assessment.
For example, an SSO solution shares identity attributes across trusted systems, allowing users connected to an SSO system to log into different devices on that same system without re-entering their credentials. This makes users less vulnerable to phishing and reduces an agency’s attack surface and chances of password reuse by limiting the number of different accounts per digital identity. SSO services should allow for smooth application across existing systems, coming with a network of pre-built integrations that connect all devices and networks from the cloud to the ground. With these capabilities, SSO will enable agencies to secure their programs and services in cloud computing environments and provide the flexible and adaptive network access necessary for identity-based zero trust.
On the other hand, phishing-resistant MFA assesses risk at each step of the authentication process. A comprehensive MFA solution creates dynamic security policies that take into context user account information, such as device, network and IP and is easily implementable across applications, platforms and environments. Additionally, effective MFA meets the basic security and access standards put out by NIST and the Defense Department and complies with industry regulations like FedRAMP, CMMC, and DoD’s SRG for cloud Impact levels. When implemented correctly, an MFA solution secures the network against phishing attacks as envisioned by OMB’s Zero Trust Federal Strategy and provides a continuous assessment of risk that is crucial in any zero trust architecture.
When SSO and MFA solutions are combined, they offer agencies the necessary ease and access to networks without relying on complicated passwords. However, agencies must still consider password protections for a true zero trust framework. Providing an easy-to-use centralized password management system further lowers an agency’s attack surface and allows administrators to apply standards such as general password requirements (length, age, type of password), password reset options, and locking users out of their accounts after a certain number of failed attempts.
With this final piece of the puzzle, agencies have the strong identity-based foundation required for a complete zero trust architecture.
Looking toward the future
Laying out a zero trust foundation is only the beginning of the journey; agencies must also begin building upon that foundation. Password management systems are a solid starting point in the zero trust foundation, but passwords have historically been the driving force behind a whole category of identity-driven attacks. Although it might seem intimidating, going passwordless is one of the most impactful steps agencies can take. Through approaches like Email Magic Links, Factor sequencing, and Webauthn, agencies can begin their journey toward a fully-realized zero trust strategy and the future of cybersecurity.
Once all three solutions outlined by the OMB’s federal draft strategy (SSO, MFA and password management systems) are integrated into an agency’s existing network, their platform will have the security, automation, scalability and integration necessary to secure their networks and implement an identity-centric zero trust foundation in line with the lasting effects of the May EO. However, as the world continues to modernize, future guidance must also begin to consider previously unthinkable ideas – such as going passwordless – to keep up with the changing landscape.