Author: Martin McGregor, Co-founder and CEO, Devicie
Many zero trust advocates, myself included, have been thrilled to learn about the White House memorandum for US government agencies to accelerate adoption of a zero trust security model.
In case you missed it, the Office of Management and Budget (OMB) released a strategy (memorandum M-22-09) outlining specific measures that federal agencies must complete by the end of Fiscal Year 2024 to reduce the risk of successful cyber attacks.
It comes after a series of high-profile cybersecurity incidents in recent years, including SolarWinds and, more recently, Log4j.
The memo is unlike anything I’ve seen before. It’s a good-news story about leadership taking security seriously. If executed as per the mandate, this will bring US government agencies to the highest security maturity level in the land. This alone is cause for celebration and, if successful, the plan could be used as a new benchmark for both public and private sector organisations.
In this blog I’m calling out why I believe the White House Zero Trust memo is a potential game changer. If you’re across the memo and have your own take, be sure to drop us a note. We’d love to hear your thoughts.
One of the most exciting things about this memo is that it cuts through the hype and barriers around zero trust. Unlike much of the ambiguous zero trust marketing, it sets out a specific set of priorities organised around the five zero trust pillars (identity, devices, networks, applications and workloads, and data), with calls for stronger identity and access control, encryption of DNS and HTTP traffic, device inventory and monitoring, and network segmentation.
This is a really important point, because there are a lot of things that frequently get missed with zero trust. Too often the focus is on identity, and while this is an extremely important pillar, zero trust is about so much more than identity alone.
A bold approach
Perhaps the most important take-away is the recognition from the very top that incremental security improvements won’t cut it anymore in today’s fast evolving threat landscape.
Specifically, the memo highlights the need for “bold changes and significant investments in order to defend the vital institutions that underpin the American way of life” (and by corollary institutions outside the US, too).
For as long as I’ve been in the game – and that’s more than two decades – there has been a lot of frustration between security and business leaders trying to communicate effectively and agree on a winning security solution.
Security professionals provide expert advice on the most effective security controls that won’t disrupt business or productivity. However, organisations will too often opt for a ‘best-efforts’ compromise, usually comprising small, often token, security improvements.
The problem with incremental improvements is that they consume budget and attention without moving the needle, while delaying more ambitious projects. In some cases, it appears more important to be seen to be doing the right thing than to deliver meaningful outcomes.
Not only do half measures fail to provide decent security coverage, but they still cost a fortune and take resources away from revenue-generating activities. Making matters worse, when these half measures do not deliver tangible results, the security community loses credibility with the business community. This is the last thing we need.
The White House memo is a bold example of business leaders, at the highest of levels, taking security seriously by listening to the security experts, and accelerating digital transformation through considerable investment and clear strategic directives.
Only the best security
What is also impressive is how the memo does away with some of the riskiest security placebos out there, such as two-factor authentication with SMS. Security folk have been calling this out for years: a code texted to a phone can be intercepted through SIM-swap and number-porting attacks, and a code typed into a look-alike login page can be relayed to the real site in real time. The memo explicitly excludes SMS and voice one-time codes from the phishing-resistant MFA it requires.
The problem is many organisations don't realise how ineffective 2FA with SMS is as a security measure. They think it provides a bit of value, but they aren't accounting for the false confidence it creates or the attacks it leaves open.
It is encouraging to see the memo push for stronger enterprise identity and access controls across the board, specifically phishing-resistant multi-factor authentication such as PIV smart cards or FIDO2/WebAuthn authenticators.
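To make the phishing-resistance difference concrete, here is an added example that is not from the memo or this post. It simulates both logins in Python: a one-time code (the SMS/TOTP family, generated per RFC 4226) is accepted by the real site even when the user typed it into a look-alike page and the attacker relayed it, while a WebAuthn-style response fails because the browser records the origin it is actually on and the relying party checks it. The two origins are hypothetical, and an HMAC stands in for the authenticator's asymmetric signature so the whole thing runs offline with the standard library.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed example: a hypothetical relying party and an attacker's look-alike origin.
RP_ORIGIN = "https://portal.example.gov"
PHISH_ORIGIN = "https://portal-example.gov-login.example"


# --- Scenario 1: one-time code (SMS/TOTP style) relayed through a phishing page ---

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. The code depends only on the shared key and counter;
    nothing binds it to the site the user is typing it into."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def otp_relay_attack(key: bytes, counter: int) -> bool:
    """Attacker-in-the-middle against a one-time code. Returns True if the RP accepts."""
    code_texted_to_user = hotp(key, counter)            # RP generates and sends the code
    code_typed_into_phish = code_texted_to_user         # victim enters it on the look-alike page
    code_forwarded_by_attacker = code_typed_into_phish  # attacker replays it to the real RP
    return hmac.compare_digest(hotp(key, counter), code_forwarded_by_attacker)


# --- Scenario 2: origin-bound challenge (WebAuthn-style) ---
# Simplification: an HMAC over the client data stands in for the authenticator's
# asymmetric signature; the RP-side origin check is the part that matters here.

def authenticator_sign(cred_key: bytes, challenge: str, browser_origin: str):
    """The browser (not the user) records the origin it is actually on, and the
    authenticator signs over it together with the RP's challenge."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(cred_key, client_data.encode(), hashlib.sha256).hexdigest()
    return client_data, sig


def rp_verify(cred_key: bytes, expected_challenge: str, client_data: str, sig: str) -> bool:
    """RP accepts only if the challenge is the one it issued, the origin the browser
    saw is the RP's own origin, and the signature over that client data is valid."""
    data = json.loads(client_data)
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != expected_challenge:
        return False
    expected = hmac.new(cred_key, client_data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def webauthn_login(cred_key: bytes, browser_origin: str) -> bool:
    """One login round trip; browser_origin is where the user's browser really is."""
    challenge = secrets.token_hex(16)  # RP issues a fresh challenge
    client_data, sig = authenticator_sign(cred_key, challenge, browser_origin)
    return rp_verify(cred_key, challenge, client_data, sig)


def webauthn_relay_attack(cred_key: bytes) -> bool:
    """Same relay as scenario 1: the attacker forwards the real RP's challenge to the
    victim's browser on the phishing origin and relays the signed response back."""
    return webauthn_login(cred_key, PHISH_ORIGIN)


if __name__ == "__main__":
    otp_key = b"12345678901234567890"  # RFC 4226 test-vector key (constructed input)
    cred = secrets.token_bytes(32)
    print("SMS/OTP relay accepted by RP:  ", otp_relay_attack(otp_key, 0))     # True
    print("WebAuthn legit login accepted: ", webauthn_login(cred, RP_ORIGIN))  # True
    print("WebAuthn relay accepted by RP: ", webauthn_relay_attack(cred))      # False
```

The only difference between the two scenarios is what gets signed: the six-digit code carries no information about where it was entered, so the relying party cannot tell a relayed code from a genuine one, whereas the WebAuthn response includes the origin the browser observed, and the relying party rejects anything not minted on its own origin.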
The memo further states, “the Federal Government can no longer depend on conventional perimeter-based defences to protect critical systems and data.”
It also states that agencies should make applications reachable over the internet without relying on a VPN or other network tunnel, provided they have monitoring infrastructure, denial of service protections and an enforced access-control policy in place instead.
Unfortunately, VPNs can cause more harm than good: they give anyone who can authenticate to the tunnel, from anywhere in the world, a network-level foothold inside your environment. Once connected, the client is typically treated like any other internal host and can reach services that never see the VPN's authentication. It's insane.
This memo is so refreshing in that it specifically calls out security placebos and favours the real security measures that will go a long way in stopping adversaries in the years ahead.
There are many highlights in this memo, but these are my key take-outs.
All in all, this is a first class zero trust strategy that every organisation that cares about protecting their data, employees and customers should take note of.
It has come right from the very top: it implements the President's Executive Order 14028 on improving the nation's cybersecurity. But, most importantly, it's clear it hasn't been devised by President Biden or his aides making their own call about how agencies should address security. They have listened to expert security researchers and practitioners, and signed off on a well-researched and documented best-practice approach. And that's exactly what every government and business should be doing.
Now is the interesting part to see whether they put those words into action. If they get this right it has the potential to accelerate lagging security approaches worldwide. I’ll be watching with interest to see how this is orchestrated across the US government.