The Office of Management and Budget (OMB) is working to develop a system that generates trust scores before allowing access to its network or applications, according to the chief information security officer (CISO) of the agency’s Management and Operations Division.
The intent of the ongoing work, according to Dan Chandler, OMB’s Management and Operations Division CISO, is to use all the network information at OMB’s disposal to alert a user in real time when their trust score isn’t high enough, instead of simply rejecting their request.
“In the Federal government we’re fortunate to have access to a really strong two-factor identity solution and so leveraging those for your identity management and authentication is a strong first step that makes it a lot easier to implement future components of a zero trust architecture,” Chandler said during an ATARC webinar on July 7.
Funding and expertise for a system like the one OMB envisions remain scarce. If implemented, however, it would compare a session’s trust score with the trust requirement attached to a particular function or feature.
“We’re working on architecting a system that creates a trust score for a particular session and then matches that up with a trust requirement on a function or feature so that we have a dynamic change and the level of trust we have for a particular session and then we can guide that user,” Chandler said. “Let’s say your trust score isn’t high, you can reauthenticate to raise your score enough for you to be able to do what you need to, and doing that dynamically forces you to build up a lot of other best practices.”
Chandler also highlighted that organizations should designate a single source of truth for identity and access management to prepare for zero trust architecture.
“Rather than having lots of individual systems that have their group structures or their interface for managing permissions, you want to have a single tool that’s part of your identity management solution that lets you identify who a person is and what roles that person has,” Chandler said. “Then in the individual systems, all they have to do is implement access controls and security controls based on the roles a person has.”
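The two ideas Chandler describes, a per-session trust score matched against a per-function trust requirement with a step-up prompt instead of a bare reject, and a single identity source that asserts roles which individual systems merely enforce, can be sketched as one policy decision point. The code below is an added illustration written for this page, not OMB’s system; the signal names, weights, thresholds, role names and sample sessions are all assumptions constructed for the example.

```python
"""Toy zero-trust policy decision point (PDP).

Added illustration, not OMB's code. A session's trust score is compared with
the trust requirement on a function; the answer is ALLOW, STEP_UP (the user
can re-authenticate to raise the score) or DENY. Roles are taken as asserted
by a central identity provider and only enforced here. All weights,
thresholds and names are assumptions for the example.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # score too low now, but a fresh authentication would suffice
    DENY = "deny"         # missing role, or no re-authentication could reach the requirement


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset           # roles asserted by the central identity provider
    auth_method: str           # "piv" (PIV/CAC smart card) or "password"; assumed labels
    auth_age_min: int          # minutes since the last authentication
    device_managed: bool       # agency-managed device
    device_compliant: bool     # passes posture checks (patched, endpoint agent running)
    known_network: bool        # connecting from a network this user has used before


@dataclass(frozen=True)
class Function:
    name: str
    required_roles: frozenset  # defined centrally, enforced by the application
    min_trust: int             # trust score the session must reach


def trust_score(s: Session) -> int:
    """Combine session signals into a 0-100 score. Weights are illustrative assumptions."""
    score = 0
    # Authentication strength: phishing-resistant PIV/CAC earns far more than a password.
    if s.auth_method == "piv":
        score += 40
    elif s.auth_method == "password":
        score += 10
    # Authentication recency: full credit within 15 minutes, partial within 8 hours.
    if s.auth_age_min <= 15:
        score += 20
    elif s.auth_age_min <= 480:
        score += 10
    # Device and network posture.
    if s.device_managed:
        score += 15
    if s.device_compliant:
        score += 15
    if s.known_network:
        score += 10
    return score


def max_reachable_score(s: Session) -> int:
    """Score the session would have right after a fresh PIV authentication.

    Only the authentication signals change; device and network posture cannot
    be repaired by re-authenticating, so some requests stay denied.
    """
    return trust_score(replace(s, auth_method="piv", auth_age_min=0))


def decide(s: Session, f: Function) -> Decision:
    """Match the session's trust against the function's requirement."""
    # Role check first: roles come from the single identity source; the app only enforces them.
    if not f.required_roles <= s.roles:
        return Decision.DENY
    if trust_score(s) >= f.min_trust:
        return Decision.ALLOW
    # Guide the user instead of rejecting outright when re-authentication would be enough.
    if max_reachable_score(s) >= f.min_trust:
        return Decision.STEP_UP
    return Decision.DENY


def explain(s: Session, f: Function) -> str:
    """Real-time message for the user, telling them what would raise the score."""
    d = decide(s, f)
    score = trust_score(s)
    if d is Decision.STEP_UP:
        return (f"{s.user}: trust {score} < {f.min_trust} for {f.name}; "
                f"re-authenticate with PIV to continue")
    return f"{s.user}: {d.value} for {f.name} (trust {score}, required {f.min_trust})"


# Constructed sample data for the example.
VIEW_DIRECTORY = Function("view_directory", frozenset({"staff"}), min_trust=40)
APPROVE_PAYMENT = Function("approve_payment", frozenset({"approver"}), min_trust=85)

ALICE = Session("alice", frozenset({"staff", "approver"}), "piv", 5, True, True, True)
BOB = Session("bob", frozenset({"staff", "approver"}), "password", 5, True, True, True)
CAROL = Session("carol", frozenset({"staff"}), "piv", 600, False, False, False)
DAVE = Session("dave", frozenset({"staff", "approver"}), "piv", 5, False, False, False)

if __name__ == "__main__":
    for session in (ALICE, BOB, CAROL, DAVE):
        for function in (VIEW_DIRECTORY, APPROVE_PAYMENT):
            print(explain(session, function))
```

Bob, authenticated with only a password, can view the directory but is told to re-authenticate with PIV before approving a payment; Dave already holds a fresh PIV session, but an unmanaged, non-compliant device from an unknown network leaves him short of the requirement with nothing a re-authentication could fix, so he is denied rather than sent on a futile step-up. Carol is denied the payment function on role alone, before any score is consulted.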
Other Federal agencies have also started to develop ideas to build identity into zero trust as they work to implement zero trust architectures under OMB’s FY 2024 deadline.
Specifically, the Department of Commerce (DOC) is also interested in evaluating the trust of users and devices, but according to Lawrence Anderson, deputy chief information officer at DOC, “network evidence isn’t feeding into and informing its zero-trust architecture yet.”
Anderson explained that funding for the agency to get to that stage “just simply hasn’t come through. But at some point, we’re going to need some advanced tools to get to that advanced level of zero trust that we want to get to.”
Brian Hermann, Cyber Security and Analytics Director at the Defense Information Systems Agency (DISA), said the Defense Department (DoD) is making progress in achieving zero trust architecture with DISA’s Thunderdome prototype – possibly informing the future of DoD cybersecurity.
The DoD is implementing a secure access service edge (SASE) as the mechanism through which the department brings together what its identity, credential, and access management (ICAM) capability knows about the user with what it knows about the device.
“We’re going to eliminate some of the virtual private networking access to applications and pair that up with application security stacks to limit the east-west kind of movement across the network,” Hermann said.