Please see below comments by Industry leaders on White House’s Office of Management and Budget (OMB) Federal strategy to move the U.S. Government toward a “zero trust” approach to cybersecurity.
Please see below comments by Industry leaders on White House’s Office of Management and Budget (OMB) Federal strategy to move the U.S. Government toward a “zero trust” approach to cybersecurity.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>As a key contributor to the NIST NCCOE effort to define Zero Trust Architectures, the Radiant Logic team is pleased to see the Office of Management and Budget’s new federal strategy aimed at moving the U.S. government towards a Zero Trust Architecture.</p>
<p>New security frameworks such as zero trust (as well identity fabrics and cybersecurity mesh) rely on accurate and accessible information about the people, objects, and devices that interact with its network. And it’s the quality, the granularity and the availability of that information that determines the security or vulnerability of the organization.</p>
<p>What’s needed? An identity data fabric that pays off years of IT debt, unifying identity data across all the complexity, all the diversity, all the many incompatibilities of identity information, making it easily consumable in a way that quickly enables secure access decisions—and the progressive disclosure that defines a “zero trust” environment.</p>
<p>A single version of identity truth, one place to go to get everything that’s needed, in exactly the right format every time, so it’s consumed quickly enough deliver exactly what end users need (and are allowed) to see or access exactly what they’re allowed to access.</p>
<p>Organisations need a unified identity data layer that drives everything above it. All the consuming applications, anything that needs a curated view of identity data. And that data must be complete, it must be accurate, and it must be highly available.</p>
<p>If it\’s incomplete, you can\’t make the best decisions. If it\’s inaccurate, you’ll make the wrong decision. Or worse, you\’ll make what you think is a valid decision, but you\’re wrong because your data is wrong. If it\’s not highly available, it will take too long to make decisions—and speed matters. Radiant Logic delivers the unified data—and nothing else works without that data.</p>
<p>The Office of Management and Budget\’s executive order that requires government agencies to outline their response in just two months, is a solid, proactive initiative by the U.S. government, however it falls short in a few critical areas. </p>
<p>While the order rightfully includes centralized management of identities, it fails to identify the Governance of Privilege and invalid privileged account access, which is the riskiest identity for both the public and private sectors. </p>
<p>The executive order also elaborates on Phishing-resistant MFA for protection but not enough on how to reduce the attack surface due to privilege sprawl. While Phishing is a primary vector where an attack initiates, we know from the frequency and variety of today\’s incidents in both public and private sector enterprises that privilege access security continues to be the weakest element. In fact, it\’s the one that is immediately exploited in any successful attack and is the culprit of more than 74% of breaches. </p>
<p>The majority of today\’s attackers accomplish their mission by leveraging privilege (or admin) account sprawl — a very large attack surface. Once cyberattackers get a toehold on any system, elevating privileges and moving laterally to find crown jewels become relatively straightforward. OMB\’s memorandum also distinguishes between authentication and authorization, but it does not go far enough to establish layered protection, which will prevent attackers from gaining any elevated privileges. This includes protecting admin authorization, and protecting organizations against the discovery of admin credentials, hashes or secrets from inside the network. </p>
<p>The surge in cyber incidents such as the Ukrainian website hack and Log4j vulnerability, both of which caused the CISA to release warnings, have become the latest evidence that criminals will search for new opportunities to breach highly-classified information, take down critical infrastructure and much more. Looking ahead, it\’s crucial for the public and private sector to understand these prevalent breach techniques in order to prevent implicit authorization and elevated privileges, which has historically caused the most damage during an attack.</p>
<p>As part of any digital transformation, Zero Trust networks should be a key initiative that focuses on securing resources (data, identities, and services), rather than securing physical networks.</p>
<p>By focusing on tailored controls around sensitive data stores, applications, systems, and networks, the Zero Trust model shifts the focus away from varying types of authentication and access controls.</p>
<p>The Zero Trust initiative should be supported by other key initiatives such as modernizing the security operations as well as uniting and empowering cyberdefenders. Without one of these, an organization\’s security will be shaky at best.</p>
<p dir=\"ltr\">Securing only endpoints, firewalls, and networks provide little protection against identity and credential-based threats. Users should be authenticated continuously, from the time they try to login to the moment they log out. Until organizations start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches. The initial step in any successful Zero Trust strategy should focus on granting access by verifying the person requesting access, understanding the context of the request, and determining the risk of the access environment. This never trust, always verify, enforce least privilege approach provides the greatest security for organizations.</p>
<p dir=\"ltr\">It’s also important in a Zero Trust construct to recognize that devices that access data (laptops, desktops, mobile devices) have identities, as well. You have to understand the device’s posture when accessing the network in order to provide proper device level authentication and authorization. If the user only has access to non-sensitive or public information, the enterprise may not care that their device might have malware; however, if the user is trying to access sensitive financial or customer data, access should only be given to those devices that are managed, trusted and protected. In any case, simultaneous device risk data and identity authentication allow customers to implement policies that respond to potential threats as they happen by stepping up identity verification on compromised endpoints and limiting access to high-value assets associated with those endpoints.</p>