The Biden administration is pushing federal agencies to adopt a cybersecurity philosophy that has become increasingly popular in the private sector amid a growing shift toward cloud computing and a surge in cyberattacks: trust nothing.
The White House Office of Management and Budget last week released a draft blueprint for a so-called zero trust approach to fending off hackers. The shift, which President Biden announced in May as part of an executive order to shore up cybersecurity, aims to help spot or contain threats such as the breach of federal systems last year through SolarWinds Corp. Hackers compromised a software update from the firm to break into computer networks of at least nine federal agencies and dozens of U.S. businesses.
Implementing a new array of policies, procedures and tools across federal agencies could take significant investment and years of effort, said Theresa Payton, chief executive of Fortalice Solutions LLC, a cybersecurity consulting firm. She likened the shift to zero trust to a lifestyle change, adding that the administration’s push could help modernize the government’s cyber defenses.
“If it were easy to do, it’d already be done,” said Ms. Payton, who was the White House chief information officer under President George W. Bush. “It’s going to get very expensive, very quick.”
Here are the basics of the zero-trust approach:
What is zero trust?
The approach views any user, device or application as a potential threat, requiring repeated verification of identities and abilities to access data. That contrasts with traditional security frameworks, in which tools or people are trusted once they make it past perimeter defenses often structured around networks tied to physical offices.
Zero trust “is especially important now that we’ve had the pandemic,” said Bret Arsenault, chief information security officer for Microsoft Corp. “You want to have the same consistent experience, whether you’re working from a workplace, whether you’re working from home or anywhere in between.”
The approach can help mitigate hacks through more granular monitoring and segmentation of networks, restricting users from data that is off-limits to them. Mr. Arsenault said that proved key in understanding the threat to Microsoft’s networks from the SolarWinds attack.
“It would have been a different world had we not implemented zero trust,” he said. “We knew where [the compromised software] was. We knew where it was contained. We knew what we had to do in that scenario.”
How can organizations turn the buzzword into reality?
While many aspects of zero trust aren’t new, cyber experts say, combining them into a cohesive whole is more complex. It can require cataloging all the devices across an organization, instituting multifactor or biometric authentication, monitoring connections in real time, tightening users’ access controls, cordoning off outdated technology and dividing networks into areas that can be isolated in the event of attacks.
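As an added illustration (not code from the article or from any organization quoted in it), the check below contrasts a perimeter-style decision, where being on the office network is enough, with a per-request decision that consults a device inventory, role-based segmentation and an MFA requirement; the inventory, the policy table and the request fields are constructed for the example.

```python
# Added illustration: perimeter trust versus per-request zero-trust evaluation.
# The inventory, policy table and request fields are constructed, not real.
from __future__ import annotations
from dataclasses import dataclass

# Constructed device inventory: only enrolled devices are known at all, and
# posture (here, simply "patched") is checked on every request.
DEVICE_INVENTORY = {
    "laptop-0417": {"enrolled": True, "patched": True},
    "laptop-0912": {"enrolled": True, "patched": False},
}

# Constructed segmentation policy: which roles may reach which resource,
# and whether that resource demands multifactor authentication.
RESOURCE_POLICY = {
    "hr-records": {"roles": {"hr"}, "mfa": True},
    "wiki": {"roles": {"hr", "engineering"}, "mfa": False},
}

@dataclass
class Request:
    user: str
    role: str
    device_id: str
    mfa_passed: bool
    on_office_network: bool
    resource: str

def perimeter_allows(req: Request) -> bool:
    """Traditional model: anything already inside the office network is trusted."""
    return req.on_office_network

def zero_trust_allows(req: Request) -> tuple[bool, str]:
    """Evaluate every request on identity, device and resource policy.
    Network location is deliberately not an input; unknown cases deny."""
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None or not device["enrolled"]:
        return False, "device not in inventory"
    if not device["patched"]:
        return False, "device fails posture check"
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if req.role not in policy["roles"]:
        return False, "role not permitted for this segment"
    if policy["mfa"] and not req.mfa_passed:
        return False, "MFA required"
    return True, "allowed"
```

The same request that the perimeter check waves through because it originates on the office network is refused by the per-request check when the device is unknown, unpatched, or the role is outside the resource's segment.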
Some projects, such as encrypting data, can be relatively easy lifts, said Selim Aissi, former chief information security officer for the mortgage processing firm Ellie Mae Inc. But it may be more costly to replace aging security tools that aren’t designed for a more aggressive approach to partitioning networks or monitoring data.
“If you have a very old firewall technology, good luck with that,” Mr. Aissi said. “That means it’s rip and replace.”
Organizations making such changes must also get worker buy-in, Mr. Aissi said, adding, “Technology and process cannot do everything at the end of the day.”
What is the Biden administration asking federal agencies to do?
OMB’s draft strategy directs federal agencies by fiscal year 2024, which ends Sept. 30, to create an inventory of their devices, encrypt networks and institute an authentication scheme for users to access applications through a single, secure sign-on. The blueprint also calls for officials to treat all applications as internet-connected and to improve how they monitor data across computer networks. Some agencies, such as the Defense Department, have already begun to take such steps.
The Cybersecurity and Infrastructure Security Agency will help agencies make security changes and has published its own guidance on how to move toward zero trust. Still, CISA warned that the effort could require many agencies to rebuild or replace much of their existing information-technology infrastructure.
“The path to zero trust is an incremental process that will take years to implement,” CISA said.
OMB didn’t project what the shift to zero trust would cost. The office instructed agencies to use existing funds for upgrades in fiscal year 2022 and to provide OMB with budget estimates for the following two fiscal years.
What comes next?
OMB is seeking public comments on its proposed zero-trust strategy through Sept. 21. CISA is open to feedback on its guidance until Oct. 1.
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.