Why the White House zero trust memo is a game changer
Many zero trust advocates are thrilled to learn about the White House memorandum for US government agencies to accelerate the adoption of a Zero Trust security model.
In case you missed it, the Office of Management and Budget (OMB) released a strategy outlining specific measures federal agencies must take before the end of Fiscal Year 2024 to reduce the risk of cyberattacks against government infrastructure.
It comes after a series of high-profile cybersecurity incidents in recent years, including SolarWinds and, more recently, Log4j.
The memo is unlike anything seen before. It’s a good-news story about leadership taking security seriously. If executed as per the mandate, this will bring US Government Agencies to the highest security maturity level in the land. This alone is cause for celebration and, if successful, the plan could be used as a new benchmark for both public and private sector organisations.
In this blog, I’m calling out why I believe the White House Zero Trust memo is a potential game changer.
Zero BS
One of the most promising things about the White House memo is it frankly breaks down the BS and barriers around Zero Trust.
While Zero Trust strategies and communications can become littered with jargon, hype and ambiguity, this memo outlines a specific set of priorities that align with each of the five Zero Trust pillars and calls for stronger identity and access controls, encryption, device monitoring and network segmentation.
And, this is important because a successful approach to Zero Trust requires a myriad of elements and controls.
All too often the focus is on identity, and while this is an extremely important pillar, Zero Trust encompasses so much more than identity alone.
A bold approach
Perhaps the most important takeaway is the recognition from the very top that incremental security improvements won’t cut it anymore in today’s fast-evolving threat landscape.
Specifically, the memo highlights the need for “bold changes and significant investments to defend the vital institutions that underpin the American way of life” (and by corollary institutions outside the US, too).
For as long as I’ve been in the game – and that’s more than two decades – there has been a lot of frustration between security and business leaders trying to communicate effectively and agree on a winning security solution.
Security professionals provide expert advice on the most effective security controls that won’t disrupt business or productivity. However, organisations will too often opt for a ‘best-efforts’ compromise, usually comprising small, often token, security improvements.
The problem with incremental improvements is that they constantly delay other innovative projects. In some cases, it would appear to be more important to give a perception of doing the right thing rather than providing meaningful outcomes.
Not only do half measures fail to provide decent security coverage, but they still cost a fortune and take resources away from revenue-generating activities. Making matters worse, when these half-measures do not deliver tangible results, the security community loses credibility with the business community.
As for the White House memo? There is no ‘best-efforts’ compromise or half measures approach, US Government Agencies have been instructed to shift towards a Zero Trust framework.
The White House memo is a bold example of business leaders, at the highest levels, taking security seriously by listening to the security experts, and accelerating digital transformation through considerable investment and clear strategic directives.
Only the best security
Along with calling out barriers and cutting through BS, the memo does away with some of the riskiest anti-security placebos out there, such as two-factor authentication with SMS.
Two-factor authentication with SMS is a measure that security folk have been calling out for years for its vulnerability to attacks including porting. The problem is many organisations don’t realise how ineffective 2FA with SMS is as a security measure. They might think it provides a bit of value, but they’re not actually looking at the exposure it creates.
It is encouraging to see the push for widespread implementation of stronger enterprise identity and access controls—specifically pointing to multi-factor authentication.
The memo further states, “the Federal Government can no longer depend on conventional perimeter-based defences to protect critical systems and data.”
It also highlights that VPNs are not the solution to providing safe internet access to applications. Instead, the strategy calls for viable monitoring infrastructure, denial of service protections and an enforced access-control policy. Unfortunately, VPNs can cause more harm than good by providing a mechanism for people anywhere in the world to access your network. And, once they’re in, they’re 100 per cent ‘trusted’.
This memo is refreshing in that it specifically calls out security placebos and favours the real security measures that will go a long way in stopping adversaries in the years ahead.
There are many highlights in this memo, but these are my key take-outs.
All in all, this is a first class Zero Trust strategy. A strategy that every organisation that cares about protecting their data, employees and customers should take note of.
It has come right from the very top. It has been endorsed by the US President. But, most importantly, it’s clear it hasn’t been devised by President Biden or his aides making their own call about how agencies should address security. They have listened to expert security researchers and practitioners and signed off on a well-researched and documented best-practice approach.
And, that’s exactly what every government and business should be doing.
It will now be interesting to see whether they put those words into action. If they get this right, it has the potential to accelerate lagging security approaches worldwide. I’ll be watching with interest to see how this is orchestrated across the US government.
Martin McGregor
Why organisations are failing to close the gap on ransomware
Despite ransomware being a prevalent global threat, many businesses fail to have sufficient ransomware protection or the measures to address it effectively.
Jason Fairburn
Removing admin privileges without compromising productivity
Removing local admin privileges is a critical step in achieving cyber resilience. Discover how to effectively implement least privilege.
Martin McGregor
Implementing Essential Eight controls with Devicie
Discover how Devicie assists organisations meet maturity levels 1, 2 and 3 across each of the Essential Eight security controls on end-user devices.