Government Pursues ‘Zero Trust’ Approach to Cybersecurity

The “zero trust” policy envisioned by President Biden in May when he signed an executive order to improve cybersecurity has begun taking shape with the release last week of a draft blueprint by the White House Office of Management and Budget (OMB). While Biden’s order covers the public and private sectors “and ultimately the American people’s security and privacy,” zero trust focuses on identifying and implementing best practices for the federal government’s digital platforms and processes. Deployment will take years of investment and effort. To help jump-start the initiative, some primers have hit the news feeds.

Zero trust is meant to limit the damage from incidents like last year’s SolarWinds compromise, in which malicious code was embedded in updates to the firm’s Orion network-monitoring software. An estimated 18,000 Orion customers, including nine federal agencies and dozens of enterprise businesses, were exposed to the trojanized update. Zero trust does not stop a poisoned update from being installed, but it aims to keep a compromised host from being trusted simply because it sits inside the network. Essentially, zero trust shifts how organizations view networked infrastructure and security.

“Key areas of OMB’s zero trust strategy include consolidating agency identity systems, combatting phishing through strong multifactor authentication, treating internal networks as untrusted and encrypting traffic, moving protections closer to data by strengthening application security,” the White House press release explains.

“Under the old model, all the computers, servers, and other devices physically in an office building were on the same network and trusted each other,” reports Wired. “Your work computer could connect to the printer on your floor, or find team documents on a shared server.”

Firewalls and antivirus programs were set up to keep uninvited guests outside, while activity already inside the perimeter drew little scrutiny as long as it looked routine. But “the explosion of mobile devices, cloud services, and remote work have radically challenged those assumptions,” Wired warns.

According to The Wall Street Journal, the zero trust approach involves treating “any user, device or application” as a potential threat: every access request is verified rather than assumed safe, and more than one form of verification is applied.

Expect more granular monitoring of networks, as well as segregation of data — available not to all, but on an as-needed basis. None of that’s new, but integrating it into an overall strategy that can scale and adapt to changing needs is complex. Multifactor and biometric authentication are likely to become more common, WSJ explains, as will real-time monitoring.

While encrypting data in transit is largely a software change, replacing older hardware that cannot keep up with the processing zero trust demands is sure to be costly. Newer firewalls, for instance, whether hardware, software or a combination of the two, need substantially more processing power and throughput.

The draft framework also requires government agencies to “treat all applications as Internet-connected and to improve how they monitor data across computer networks,” WSJ reports, noting that the Department of Defense, among other agencies, has already begun doing so.

The OMB’s draft plan instructs federal agencies to create a device inventory, implement a reliable user authentication scheme and encrypt network traffic by the end of fiscal year 2024, which for the federal government ends September 30, 2024.
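To make the shift concrete, the following is an added example, written for this page and not code from the OMB draft, the White House or any of the outlets quoted above. It contrasts the old perimeter model (trust anything on the internal network) with a per-request zero trust check that combines the elements the article lists: a device inventory, user authentication with an MFA strength tied to data sensitivity, need-to-know access to data, and a requirement that traffic be encrypted, while ignoring network location entirely. The device inventory, user roles, resource classifications, MFA tiers and sample requests are all constructed for the example; the rule that high-sensitivity data requires phishing-resistant MFA is an assumption chosen for illustration.

```python
"""Added illustration of perimeter trust versus per-request zero trust.

Everything here (devices, users, resources, requests, MFA tiers) is constructed
for the example and is not from the OMB draft or the article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Old model: "inside the building" means inside this address range.
CORPORATE_NET = ip_network("10.0.0.0/8")

# Constructed device inventory: enrolled devices with a current health/posture result.
DEVICE_INVENTORY = {
    "laptop-0417": {"owner": "alice", "healthy": True},
    "laptop-0912": {"owner": "bob", "healthy": False},  # failed its posture check
}

# Constructed users and the roles they hold.
USERS = {
    "alice": {"roles": {"staff", "hr"}},
    "bob": {"roles": {"staff"}},
}

# Constructed data classification: which roles have a need to know each resource.
RESOURCES = {
    "printer-floor3": {"sensitivity": "low", "roles": {"staff"}},
    "hr-records": {"sensitivity": "high", "roles": {"hr"}},
}

# Assumed MFA tiers; "phishing_resistant" stands for PIV/FIDO2-class authenticators.
MFA_RANK = {"none": 0, "otp": 1, "phishing_resistant": 2}
REQUIRED_MFA = {"low": "otp", "high": "phishing_resistant"}  # assumption for the example


@dataclass
class Request:
    user: str
    device_id: str
    source_ip: str
    resource: str
    mfa: str = "none"
    encrypted: bool = False


def perimeter_decision(req: Request) -> bool:
    """Old model: anything coming from the corporate network is trusted."""
    return ip_address(req.source_ip) in CORPORATE_NET


def zero_trust_decision(req: Request):
    """Per-request check; returns (allowed, deny_reasons). Source IP is never consulted."""
    reasons = []

    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        reasons.append("device not in inventory")
    elif not device["healthy"]:
        reasons.append("device failed health check")
    elif device["owner"] != req.user:
        reasons.append("device not enrolled to this user")

    user = USERS.get(req.user)
    if user is None:
        reasons.append("unknown user")

    res = RESOURCES.get(req.resource)
    if res is None:
        reasons.append("unknown resource")
    else:
        required = REQUIRED_MFA[res["sensitivity"]]
        if MFA_RANK[req.mfa] < MFA_RANK[required]:
            reasons.append(f"mfa {req.mfa!r} below required {required!r}")
        if user is not None and not (user["roles"] & res["roles"]):
            reasons.append("no need-to-know role")

    if not req.encrypted:
        reasons.append("traffic not encrypted")

    return (not reasons, reasons)


def evaluate(req: Request) -> dict:
    """Both decisions plus the fields a monitoring pipeline would log for the request."""
    allowed, reasons = zero_trust_decision(req)
    return {
        "user": req.user,
        "resource": req.resource,
        "perimeter_allows": perimeter_decision(req),
        "zero_trust_allows": allowed,
        "deny_reasons": reasons,
    }


# Constructed requests. The first mimics a compromised host inside the network.
INSIDE_COMPROMISED = Request("bob", "laptop-0912", "10.1.2.3", "hr-records",
                             mfa="otp", encrypted=True)
REMOTE_ALICE = Request("alice", "laptop-0417", "203.0.113.7", "hr-records",
                       mfa="phishing_resistant", encrypted=True)
ALICE_PRINTER = Request("alice", "laptop-0417", "10.5.5.5", "printer-floor3",
                        mfa="otp", encrypted=True)

if __name__ == "__main__":
    for r in (INSIDE_COMPROMISED, REMOTE_ALICE, ALICE_PRINTER):
        print(evaluate(r))
```

The point of the comparison is the first request: the perimeter model allows it because the source address is internal, while the zero trust check denies it for three independent reasons (unhealthy device, MFA too weak for the data, no need-to-know role). The second request shows the reverse, a legitimate user on an enrolled device working remotely is denied by the perimeter model and allowed under zero trust. Every denial reason is returned rather than discarded, which is what feeds the real-time monitoring the article expects.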