White House urges US government to adopt zero-trust security model

news

A new federal cybersecurity strategy has been released, requesting that the U.S. government adopt a “zero trust” security model within the next two years to improve cybersecurity defenses across federal agencies.

https://www.whitehouse.gov/omb/briefing-room/2021/09/07/office-of-management-and-budget-releases-draft-federal-strategy-for-moving-the-u-s-government-towards-a-zero-trust-architecture/

This strategy was released by the White House Office of Management and Budget (OMB), which oversees the implementation of the President’s vision across the executive branch of the United States.

This Executive Order launched a government-wide effort to transition to zero trust and modernize the nation’s defenses against cyber attacks.

This memorandum sets forth the federal government’s Zero Trust Architecture (ZTA) strategy, which requires agencies to achieve specific cybersecurity standards and goals by the end of fiscal year 2024 to strengthen the government’s defenses against increasingly sophisticated and persistent threat campaigns.

These attacks are targeting the federal government’s technology infrastructure, threatening public safety and privacy, damaging the U.S. economy, and undermining trust in government

Key elements of the new zero-trust strategy include:

  • Improving phishing protection with strong multi-factor authentication
  • Integrating institutional identity systems
  • Encrypting traffic and treating internal networks as untrusted areas
  • Strengthening application security to protect data

and more.

OMB’s new federal zero-trust strategy envisions a federal government that

  • Federal employees have company-controlled accounts that give them access to everything they need to do their jobs, while ensuring they are protected from sophisticated, targeted phishing attacks.
  • The devices that federal employees use to do their jobs are consistently tracked and monitored, and the security posture of these devices is taken into account when granting access to internal resources.
  • Federal systems are isolated from each other, and network traffic flowing between and within systems is reliably encrypted.
  • Enterprise applications are tested both internally and externally, and are provided to employees securely over the Internet.
  • The federal security and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information

The government’s move to zero-trust security principles is the result of cybersecurity companies promoting the zero-trust network model for years.

This continued promotion of the latest security principles led to the NSA and Microsoft recommending this security approach for large enterprises and critical networks (National Security Systems, DoD, Defense Industrial Base) in February 2021.

Zero-trust is a security approach in which the defender assumes that the intruder already has access to the network, so local devices and connections are never trusted and need to be verified at every step.

This security model was invented by John Kindervaag of Forrester Research in 2010, and Google implemented some of its concepts in an internal project (now called BeyondCorp) in 2009 after some of its intellectual property was stolen in Operation Aurora.

In the face of increasingly sophisticated cyber threats, the government is taking decisive action to strengthen the federal government’s cyber defenses.

This zero-trust strategy will ensure that the federal government leads by example, and marks another important milestone in our efforts to repel attacks from those who seek to harm the United States

Comments

タイトルとURLをコピーしました