{"id":20661,"date":"2022-01-27T19:25:46","date_gmt":"2022-01-27T19:25:46","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=20661"},"modified":"2022-01-27T19:25:46","modified_gmt":"2022-01-27T19:25:46","slug":"white-house-zero-trust-cybersecurity-strategy","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/networks\/white-house-zero-trust-cybersecurity-strategy\/","title":{"rendered":"White House Boosts Zero Trust with New Cybersecurity Strategy"},"content":{"rendered":"

The Biden Administration is pushing federal agencies to adopt a zero-trust security architecture<\/a> to protect themselves and their data from \u201cincreasingly sophisticated and persistent threat campaigns,\u201d according to a new strategy issued this week by the Office of Management and Budget (OMB).<\/p>\n

According to the White House order<\/a>, agencies have until the end of the government\u2019s fiscal year 2024 to reach the target goals laid out in the strategy and based on a zero-trust model developed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).<\/p>\n

The 29-page memorandum from Acting OBM Director Shalanda Young comes less than a year after President Biden issued his executive order<\/a> calling for the improvement of the government\u2019s cybersecurity posture in the wake of a series of attacks that impacted agencies and endangered critical infrastructure, including those on SolarWinds<\/a> and Colonial Pipeline<\/a>.<\/p>\n

An initial draft of the plan was released in September to gather public input, including from the cybersecurity industry.<\/p>\n

\u201cIn the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,\u201d Young wrote. \u201cA transition to a \u2018zero trust\u2019 approach to security provides a defensible architecture for this new environment. … It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.\u201d<\/p>\n

See the Best Zero Trust Security Solutions<\/a><\/p>\n

Zero Trust Gains Momentum<\/strong><\/h2>\n

Zero-trust architecture efforts have gained momentum in an IT environment that is increasingly distributed and mobile, located not only within corporate data centers but increasingly spread among mobile devices, the cloud<\/a> and the edge<\/a>.<\/p>\n

Central to a zero-trust architecture is the premise that anything and anyone trying to access a network or infrastructure cannot be trusted and must be verified, and that they must be continuously verified throughout the transaction \u2013 and given access to no more than the resources they need. Microsegmentation<\/a> has been one of the critical tools used to achieve zero trust, carving networks into small segments to limit risk.<\/p>\n

Zero trust is a fast-growing security technology, with KBY Research analysts predicting the market will grow an average of 18.8 percent a year through 2026, when it will hit $54.6 billion<\/a>.<\/p>\n

Also read: How to Implement Microsegmentation<\/a><\/p>\n

Support for Zero Trust<\/strong><\/h2>\n

The government\u2019s embrace of a zero-trust strategy was applauded by many in the cybersecurity field.<\/p>\n

\u201cZero trust is becoming table stakes for organizations to protect themselves online,\u201d John Engates, field CTO for Cloudflare, a web infrastructure and security company, told eSecurity Planet<\/em>. The “directive from the White House signals that the federal government is taking cybersecurity threats seriously and is adopting a strategy that will better protect the nation\u2019s cyber infrastructure, and by extension, United States national security. Zero trust shouldn\u2019t be seen as just another product or industry buzzword \u2013 it’s a fundamental shift in security philosophy.\u201d<\/p>\n

Zero trust is a fundamental shift in security philosophy<\/strong><\/h1>\n

The FIDO Alliance, an open industry alliance aimed at creating improved authentication technologies that reduce the reliance on passwords<\/a>, also endorsed the government\u2019s zero-trust strategy<\/a>, with alliance Executive Director Andrew Shikiar in a statement zeroing in on the requirement for using phishing-resistant authentication tools to protect against phishing attacks, with some becoming sophisticated enough to get around such even multi-factor authentication (MFA)<\/a> technologies.<\/p>\n

Tim Erlin, vice president of strategy at cybersecurity vendor Tripwire, told eSecurity Planet<\/em> that shifting the entire government to a zero-trust architecture is an important but difficult task. That said, the strategy falls short in a couple of crucial ways.<\/p>\n

\u201cIt\u2019s unfortunate that this memorandum doesn\u2019t provide a clearer role for what NIST identifies as one of the key tenets for zero trust: integrity monitoring,\u201d Erlin said. \u201cDocuments from both CISA and NIST include integrity monitoring as a key component of zero trust, but the OMB memorandum doesn\u2019t include similar treatment.\u201d<\/p>\n

He also said that focusing so much on endpoint detection and response (EDR)<\/a> \u2013 which is evolving into managed detection and response (MDR)<\/a> and extended detection and response (XDR)<\/a> \u2013 may create an over-reliance on a technology that is already morphing into something newer and more comprehensive.<\/p>\n

Verification Over Trust<\/strong><\/h2>\n

According to the OMB memorandum, the goal is to get to a point where employees have enterprise-managed accounts that give them access to the applications and data they need while protecting them from outside threats, where the devices they use are consistently tracked and monitored, and where agency systems are isolated from each other.<\/p>\n

In addition, enterprise applications will be tested internally and externally and made available in a secure manner over the internet.<\/p>\n

\u201cA key tenet of a zero trust architecture is that no network is implicitly considered trusted \u2013 a principle that may be at odds with some agencies\u2019 current approach to securing networks and associated systems,\u201d Young wrote. \u201cAll traffic must be encrypted and authenticated as soon as practicable.\u201d<\/p>\n

The strategy will rely on five complementary pillars outlined in a zero-trust maturity model developed by CISA. The strategic goals include:<\/p>\n