Last week, the Office of Management and Budget (OMB) issued a memorandum that defines a national zero trust architecture strategy and sets forth much-needed deadlines.
Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, reiterates the importance and urgency for the federal government to modernize its approach to security by shifting to zero trust architecture as outlined in last year’s Presidential Executive Order 14028, Executive Order on Improving the Nation’s Cybersecurity.
Since the EO was released, a flood of information has hit agencies looking to shift to zero trust to improve the nation's cyber security posture. Strained frontline defenders have sifted through the advice while supporting existing security operations and processes.
The Memo further codifies the criticality of shifting from legacy network-centric security architectures to zero trust approaches. Key objectives include:
- Eliminate dependence on conventional perimeter-based defenses to protect critical systems and data.
- Provide secure access to applications over the public internet without relying on a virtual private network (VPN).
- Encrypt DNS and HTTP traffic, including API traffic, for internal as well as external connections; the Memo steers agencies toward TLS 1.3 and away from older protocol versions.
- De-emphasize network-level authentication of users and eventually remove it entirely.
While EO 14028 and M-22-09 heavily focus on technical security capabilities, a cultural mindset shift also must happen as agencies ditch the old way of doing business and succeed with zero trust implementations.
Open minds needed
Shifting away from security concepts that we have all been using for decades takes time and resources. Those on the ground who “get it”, and can influence or persuade, need the endurance to wear down the resistance of those who don’t “get it”, or don’t want to change because it’s different or challenging. We will see little progress if agencies do not embrace the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model as an opportunity to finally modernize cyber security capabilities.
The Memo requires agencies to define a zero-trust strategy implementation lead within 30 days for each agency:
"Agencies will have 30 days from the publication of this memorandum to designate and identify a zero trust strategy implementation lead for their organization. OMB will rely on these designated leads for Government-wide coordination and for engagement on planning and implementation efforts within each organization."
While this is essential, an agency's success depends on the effectiveness of the “zero trust strategy implementation lead” and their authority. Someone must be responsible, but that person needs the power to make drastic changes. Who better than the CISO of an agency to take on this assignment? However, most agency CISOs don’t have the necessary authority to succeed. (I described this issue recently in an FCW article, The CISO reporting structure is broken).
CISO authority check-up
The CISO needs an unfiltered communication path to manage and mitigate agency cyber risk effectively. Agency heads have a legislative mandate to maintain and improve the security of their agency's information and information systems. Still, we’ll continue to see slow progress until leaders elevate the CISO's authority.
Cyber leaders must empower professionals to respond faster and more robustly to cyber threats. They need to support agency missions instead of managing boxes. Modern cloud-delivered cyber security solutions help organizations reduce the management strain of existing on-prem security stacks. They can meet the objectives of the cybersecurity EO and Memo while minimizing the user experience challenge most agencies face.
The technology is ready. With the CISO in the driver’s seat to lead collaborative efforts and gain cross-departmental support (including networking, security, applications, and identity), agencies can be on the right road to security transformation. The real challenge is shifting agency leadership mindset and agency culture to embrace better cybersecurity and digital transformation. Below are three technical aspects mentioned in the Memo that CISOs can home in on to evolve their organizational mindset.
Inspecting encrypted traffic
Many agencies I have worked with are reluctant to shift to a modern cloud-delivered security platform because they cannot retain the full packet capture (pcap) of the decrypted traffic.
Full pcap is no longer as important as it once was. Incident responders can instead use metadata derived from traffic flows (source, destination, SNI, timing, byte counts, certificate and fingerprint data) to identify compromised hosts, then pivot to endpoint capabilities (EDR and forensic platforms) to investigate further. Pcap solutions that capture ALL user traffic are costly, inefficient, and rely on legacy network-centric security feeds implemented or hosted in the data center or at the edge of a network. In other words, full pcap of all user traffic requires backhauling, which creates the very user experience problem we are trying to solve, and one that TIC 3.0 addresses. (Listen to my podcast with Sean Connelly, CISA TIC Program Manager, for more details).
"Network traffic that is not decrypted can and should still be analyzed using visible or logged metadata, machine learning techniques, and other heuristics for detecting anomalous activity. This is consistent with the Trusted Internet Connection (TIC) initiative, as updated in OMB Memorandum M-19-26, which gives agencies the flexibility to maintain appropriate visibility without needing to perform inline traffic decryption."
Analyzing metadata about traffic flows is adequate for agency incident responders and supports CISA’s zero trust strategy. Removing the need for agencies to route traffic back to centralized security stacks to decrypt and store full pcap for visibility also removes one barrier to zero trust that security teams often cite.
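To make the metadata-only approach concrete, here is an added example (written for this article, not code from the Memo, CISA, or any vendor) that looks for command-and-control beaconing using nothing but flow records: timestamp, source, TLS SNI, destination, and bytes sent. The field layout and the IP addresses are assumptions, and the flow records are constructed to resemble proxy or NetFlow-style logs. Nothing is decrypted; the signal is the regularity of the connection cadence and payload size, plus whether the destination is contacted by only one host.

```python
"""Beaconing detection from encrypted-flow metadata, without decrypting payloads.

Added example, not from the memo, CISA, or any vendor. The records below are
constructed to look like proxy/NetFlow-style logs:
(epoch seconds, source IP, TLS SNI, destination IP, bytes sent).
Field names and addresses are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _make_flows():
    base = 1_700_000_000
    flows = []
    # Implant check-in: same host, same SNI, ~60 s cadence, near-constant size.
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, -1, 1, 0, -1]):
        flows.append((base + 60 * i + jitter, "10.1.2.3", "cdn.example-update.test",
                      "203.0.113.10", 512 + (i % 3) * 4))
    # Interactive browsing: irregular gaps, varying sizes, several hosts.
    browsing = [(0, "10.1.2.3", 1800), (7, "10.1.2.4", 22000), (9, "10.1.2.3", 3100),
                (95, "10.1.2.5", 450), (140, "10.1.2.4", 9800), (141, "10.1.2.3", 73000),
                (260, "10.1.2.5", 1200), (266, "10.1.2.3", 640), (900, "10.1.2.3", 5400),
                (1000, "10.1.2.3", 1100), (1003, "10.1.2.3", 800), (1300, "10.1.2.3", 300)]
    for offset, src, nbytes in browsing:
        flows.append((base + offset, src, "www.example.gov", "192.0.2.20", nbytes))
    return flows


FLOWS = _make_flows()


def _cv(values):
    """Coefficient of variation; a low value means a regular, machine-like pattern."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(flows, min_flows=8, max_interval_cv=0.15, max_size_cv=0.25):
    """Return (src, SNI) pairs whose timing and size are too regular to be a human."""
    by_pair = defaultdict(list)
    sources_per_sni = defaultdict(set)
    for ts, src, sni, _dst, nbytes in flows:
        by_pair[(src, sni)].append((ts, nbytes))
        sources_per_sni[sni].add(src)

    findings = []
    for (src, sni), recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [nbytes for _, nbytes in recs]
        icv, scv = _cv(intervals), _cv(sizes)
        if icv <= max_interval_cv and scv <= max_size_cv:
            findings.append({"src": src, "sni": sni, "flows": len(recs),
                             "mean_interval_s": round(mean(intervals), 1),
                             "cv_interval": round(icv, 3), "cv_size": round(scv, 3),
                             # Only one internal host ever talks to this name: worth a look.
                             "rare_destination": len(sources_per_sni[sni]) == 1})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(FLOWS):
        print(finding)
```

In the constructed data only the 60-second check-in to `cdn.example-update.test` is flagged; the browsing session to `www.example.gov` from the same host has irregular timing and sizes and is left alone. The thresholds are starting points: real implants add jitter, so a production version would also score rarity of the SNI across the fleet and the age of the domain, then hand the host to the EDR platform for confirmation, which is exactly the pivot the paragraph above describes.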
DNS has been abused and leveraged by threat actors for as long as I can remember. The first trojan horse I used when I was on the ethical-hacker side of the house in 2004 was based on DNS and depended on agency endpoints being able to make public DNS requests. Today’s advanced adversaries and threat actors have more sophisticated malware, but the same risk exists on many agencies' networks, even against basic techniques from 2004. Shifting to encrypted DNS protocols and configuring endpoints so that they use only authorized agency resolvers (using Zscaler’s DNS control) prevents DNS spoofing and MITM attacks on the client-to-resolver path, and, because every query then passes through a resolver the agency controls and logs, gives defenders the single vantage point needed to detect and block advanced DNS malware, tunneling, and exfiltration attempts.
"Agencies should explicitly configure endpoints to use agency-designated encrypted DNS servers, rather than relying on automatic network discovery."
"This means that agency DNS resolvers must support standard encrypted DNS protocols (DNS-over-HTTPS or DNS-over-TLS), and must use them to communicate with upstream DNS resolvers."
Leveraging Protective DNS is a win-win in my book. It gives CISA visibility into agency resolution traffic and the ability to block known malicious domains drawn from unclassified and classified sources. If all agencies were using Protective DNS, it would enhance CISA’s ability to respond to attacks targeting multiple agencies and prevent further damage.
"To support secure agency DNS traffic, CISA’s Protective DNS offering will support encrypted DNS communication and will scale to accommodate use from agency cloud infrastructure and mobile endpoints."
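The resolver-side visibility that encrypted DNS and Protective DNS give an agency can be put to work with a few simple checks. The following is an added example (not code from the Memo, CISA's Protective DNS service, or any vendor) run over a constructed DNS query log: it flags endpoints that still resolve through resolvers outside the agency-designated set or over plaintext port 53, matches queries against a stand-in blocklist feed, and scores each zone for tunneling-style behaviour using the number of unique subdomains, label length, and label entropy. The resolver addresses, the blocklist entry, and the log format are assumptions; the tunneling traffic is generated from hashes so that the example runs offline.

```python
"""DNS hygiene and tunneling heuristics over a resolver query log.

Added example, not from the memo, CISA, or any vendor. Resolver addresses,
the blocklist entry and the log format (src IP, resolver IP, port, qname)
are assumptions; the log itself is constructed below.
"""
import hashlib
import math
from collections import defaultdict

# Assumed agency-designated encrypted resolvers (hypothetical addresses).
AUTHORIZED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Stand-in for a Protective DNS feed of known-malicious registered domains.
BLOCKLIST = {"known-bad.test"}


def _make_queries():
    q = []
    # Normal traffic through an authorized resolver over DNS-over-TLS (853).
    for name in ("www.example.gov", "mail.example.gov", "cdn.example.gov"):
        q.append(("10.1.2.3", "10.0.0.53", 853, name))
    # Endpoint still discovering a public resolver and using plaintext port 53.
    q.append(("10.1.2.9", "203.0.113.53", 53, "www.example.gov"))
    # Lookup of a domain present on the protective DNS feed.
    q.append(("10.1.2.4", "10.0.0.53", 853, "update.known-bad.test"))
    # Tunneling pattern: many unique, long, high-entropy labels under one zone.
    for i in range(25):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        q.append(("10.1.2.7", "10.0.1.53", 853, f"{label}.tun.exfil.test"))
    return q


QUERIES = _make_queries()


def shannon_entropy(s):
    """Bits per character; random-looking encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive: last two labels. Production code needs the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(queries, max_label_len=30, min_entropy=3.0, max_unique_subdomains=20):
    unauthorized, blocked = [], []
    per_zone = defaultdict(lambda: {"subdomains": set(), "label_lens": [],
                                    "entropies": [], "sources": set()})
    for src, resolver, port, qname in queries:
        # Port 53 is treated as classic plaintext DNS (DoT is 853, DoH rides 443).
        if resolver not in AUTHORIZED_RESOLVERS or port == 53:
            unauthorized.append((src, resolver, port, qname))
        zone = registered_domain(qname)
        if zone in BLOCKLIST:
            blocked.append((src, qname))
        sub = qname.rstrip(".").split(".")[:-2]
        if sub:
            st = per_zone[zone]
            st["subdomains"].add(".".join(sub))
            st["label_lens"].append(max(len(lbl) for lbl in sub))
            st["entropies"].append(shannon_entropy("".join(sub)))
            st["sources"].add(src)

    tunnels = []
    for zone, st in per_zone.items():
        n_unique = len(st["subdomains"])
        mean_len = sum(st["label_lens"]) / len(st["label_lens"])
        mean_ent = sum(st["entropies"]) / len(st["entropies"])
        volume_signal = n_unique >= max_unique_subdomains
        shape_signal = mean_len > max_label_len and mean_ent > min_entropy
        if volume_signal or shape_signal:
            tunnels.append({"zone": zone, "unique_subdomains": n_unique,
                            "mean_label_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2),
                            "sources": sorted(st["sources"])})
    return {"unauthorized_resolver": unauthorized,
            "blocklist_hits": blocked,
            "tunnel_candidates": tunnels}


if __name__ == "__main__":
    for key, value in analyze(QUERIES).items():
        print(key, value)
```

Note what each finding corresponds to in the Memo's language: the host using `203.0.113.53` over port 53 is the "automatic network discovery" case the Memo tells agencies to configure away; the blocklist hit is what Protective DNS resolves (or refuses) on the agency's behalf; and the `exfil.test` zone is only visible because every endpoint was forced through a resolver the agency logs. The entropy and length thresholds are deliberately loose; a real deployment would also baseline query rates per host and exclude known high-volume zones such as CDNs and anti-spam lookups.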
Safely making applications internet-accessible
When agencies place their security technology at the perimeter of their network, it requires backhauling all traffic through the data center and VPN before accessing applications. In addition, this creates a false dichotomy where traffic that originates outside the perimeter is considered “untrusted”, while traffic inside the perimeter is “trusted”.
Instead, CISA’s zero trust strategy provides new options that inherently do not trust any user, device, or network location. Each identity and device gets assessed before granting access to an application. The approach reduces the attack surface by making applications invisible and accessible only by authorized users.
"Making applications internet-accessible in a safe manner, without relying on a virtual private network (VPN) or other network tunnel, is a major shift for many agencies that will take significant effort to achieve. As with all large-scale IT modernization efforts, its chances of long-term success will be improved by beginning with an agile approach."
The path forward
Above are just a few examples of how we must shift away from legacy thinking and abandon network-centric security approaches in favor of modern cloud-based zero trust solutions focused on connecting users to applications. The White House, OMB, and CISA certainly understand this and are providing the necessary resources to help agencies finally make zero trust a reality.
Agencies have less than 60 days to submit an implementation plan to OMB and CISA, and less than half that to designate a lead for “Government-wide coordination and for engagement on planning and implementation efforts within each organization.”
Putting the CISO in the driver's seat could go a long way towards overcoming cultural resistance to change, which is one of the main obstacles standing in between the status quo and modernized cybersecurity that can adequately protect our nation’s assets.