The Office of Management and Budget’s (OMB) finalized zero trust directive issued last week sets the stage for the first steps in implementing zero trust security architectures at Federal agencies, but a lot more work remains in the pursuit of that goal, a panel of Federal security experts agreed during an ATARC virtual event on Feb. 1.
OMB memorandum 22-09 sets forth a Federal zero trust architecture strategy requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year 2024, driven by the need to reinforce the government’s defenses against increasingly sophisticated and persistent threats. Specifically, the memorandum provides firm direction for agencies on implementing identity-driven security measures such as multi-factor authentication to protect personnel from sophisticated online attacks.
“The directive is great. It’s a much-needed bold move in the right direction with a clear focus on identity security,” said Robert Wood, chief information security officer and director for the Information Security and Privacy Group at the U.S. Department of Health and Human Services.
However, panelists emphasized that while the OMB memo represents a much-needed push for migrating towards a zero trust architecture, it is not an end goal.
“[The] latest memo from OMB provides steppingstones for agencies to move to a zero trust architecture, but it certainly is not the end-all be-all,” said Trafenia Salzman, a security architect at the U.S. Small Business Administration (SBA).
Implementing a long-lasting zero trust framework requires a complete paradigm shift in which security, moving forward, is not just fundamental but at the forefront of strategy.
“Zero trust is not just some tool agencies can buy and implement as an afterthought. And while the OMB is a great first start, moving forward, we need to change the way we approach security,” said Sanjay Gupta, the chief technology officer at SBA.
Periodically, agencies may choose to focus on usability and allow security to take a back seat, which increases an agency’s attack surface and cyber risk. Security should therefore always be fundamental, panelists agreed, while acknowledging that implementing a zero trust architecture will be difficult regardless of the directives provided.
Panelists also discussed calibrating network access privileges and ensuring that elevated access is granted only when contextual parameters are met and is revoked immediately after the activity is performed or the context has changed.
“We need to find a clear balance between identity and use cases for a zero trust architecture to function properly,” said Wood.