OMB Zero Trust Strategy: Guiding Principles
The Biden Administration released its "Executive Order on Improving the Nation's Cybersecurity" on May 12, 2021. This January 26th, the Office of Management and Budget (OMB) issued its Federal Zero Trust Architecture (ZTA) strategy, "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles," as a follow-up. Despite its focus on government departments and agencies, the OMB's strategy is a must-read for anyone interested in Zero Trust:
- It will undoubtedly lead to requirements beyond government agencies (for critical infrastructure, enterprises and government contractors, for example), and these, in turn, will influence how many organizations approach cybersecurity.
- As cybersecurity vendors address them, government requirements will inform future tool offerings and strategies.
- The OMB strategy is specific and bold. Earlier Zero Trust recommendations have often been high-level or focused on existing best practices such as using enterprise-wide identity to access applications, implementing phishing-resistant MFA, and keeping a complete device inventory. While of course it could go further, the OMB's Jan 26th document refreshingly breaks with these approaches.
- This is not just our opinion. Forrester Research characterized the OMB's Zero Trust strategy as "Government gets good" and "Zero Trust advocates should be jumping for joy over the federal government's understanding of modern Zero Trust and how it is operationalized."
How did the OMB get "good"? What is bold, new, and interesting? And what might it all say about the types of tools and approaches we will be using in the future to secure our systems? We are going to address our thoughts about these questions in a short blog series, beginning here:
Gradient OMB Zero Trust Strategy Blog Series
OMB Zero Trust Strategy, Part I: Guiding Principles - what drove the OMB to get "good"?
OMB Zero Trust Strategy, Part II: 7 Key Recommendations - what are some of the most interesting, and surprising, recommendations made by the OMB?
OMB Zero Trust Strategy, Part III: Implications - what might the OMB's strategy imply about the types of tools and approaches we will use now and in the future to secure our systems?
OMB Zero Trust Strategy, Part I: Guiding Principles
Forrester Research's analysis concluded that the OMB's Zero Trust strategy would result, if executed, in government agencies that not only meet "the security maturity levels of large organizations in the private sector..., they'll also surpass them." How did the OMB's process result in a Zero Trust strategy that will "surpass" the security maturity levels of large, private organizations?
The answer may lie in the principles outlined in the introduction to its Executive Summary. Noting that the current threat environment means that perimeter defenses can no longer be depended upon, the OMB first highlights the call to action in Biden's EO 14028: "Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life."
The OMB then references taking a Zero Trust approach as described in the Department of Defense Zero Trust Reference Architecture (I have included the DoD's full definition, though only the three sentences highlighted below are incorporated in the OMB's Executive Summary):
Per the DoD’s definition, a Zero Trust approach includes the following three elements:
- "No actor, system, network, or service operating outside or within the security perimeter is trusted"
This is fundamental and common to other definitions of Zero Trust: Trust Nothing!
- "Verify anything and everything attempting to establish access"
If you "trust nothing", then you must verify everything. But what can we verify and where does the OMB go here? And where should tools go from here? (Note that conventional Zero Trust approaches do not prove device identity, full platform integrity, or connected system trustworthiness. So, solutions currently in wide use cannot effectively address the credential compromises and firmware vulnerabilities exploited by ransomware and malware.)
- "Dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction"
This last part appears the most consequential. A Zero Trust approach involves a “dramatic paradigm shift” that includes the "continual verification" of users, devices, applications, and transactions.
How seriously does the OMB take these calls for bold, dramatic action? That will be the subject of Part II, where we will look at the OMB's most interesting, and surprising, recommendations. And we will look at what the OMB's strategy might imply about future cybersecurity tools and approaches in Part III.