That White House’s Office of Management and Budget (OMB) has released a Federal strategy today to move the U.S. Government toward a “zero trust” approach to cybersecurity. This report has more digestible details. But here’s the key point:
The U.S will adopt a “zero trust” approach, meaning the federal government will assume no actor, system, network, or service operating outside or within the security is trusted, according to a memo from the acting director of the Office of Management and Budget, Shalanda Young.
In a statement, the White House said that the “growing threat of sophisticated cyber attacks has underscored that the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data.”
Anurag Gurtu, CPO, StrikeReady had this to say:
“As part of any digital transformation, Zero Trust networks should be a key initiative that focuses on securing resources (data, identities, and services), rather than securing physical networks.
By focusing on tailored controls around sensitive data stores, applications, systems, and networks, the Zero Trust model shifts the focus away from varying types of authentication and access controls.
The Zero Trust initiative should be supported by other key initiatives such as modernizing the security operations as well as uniting and empowering cyberdefenders. Without one of these, an organization’s security will be shaky at best.”
I like the fact that The White House is putting their influence behind this. That will hopefully encourage companies to do the same thing.
UPDATE: I have additional commentary from Lucas Budman, CEO, TruU:
“Securing only endpoints, firewalls, and networks provide little protection against identity and credential-based threats. Users should be authenticated continuously, from the time they try to login to the moment they log out. Until organizations start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches. The initial step in any successful Zero Trust strategy should focus on granting access by verifying the person requesting access, understanding the context of the request, and determining the risk of the access environment. This never trust, always verify, enforce least privilege approach provides the greatest security for organizations.
It’s also important in a Zero Trust construct to recognize that devices that access data (laptops, desktops, mobile devices) have identities, as well. You have to understand the device’s posture when accessing the network in order to provide proper device level authentication and authorization. If the user only has access to non-sensitive or public information, the enterprise may not care that their device might have malware; however, if the user is trying to access sensitive financial or customer data, access should only be given to those devices that are managed, trusted and protected. In any case, simultaneous device risk data and identity authentication allow customers to implement policies that respond to potential threats as they happen by stepping up identity verification on compromised endpoints and limiting access to high-value assets associated with those endpoints.”
The IT Nerd 
White House OMB Announces “Zero Trust” Strategy
Posted in Commentary with tags Security, White House on January 26, 2022 by itnerdThat White House’s Office of Management and Budget (OMB) has released a Federal strategy today to move the U.S. Government toward a “zero trust” approach to cybersecurity. This report has more digestible details. But here’s the key point:
The U.S will adopt a “zero trust” approach, meaning the federal government will assume no actor, system, network, or service operating outside or within the security is trusted, according to a memo from the acting director of the Office of Management and Budget, Shalanda Young.
In a statement, the White House said that the “growing threat of sophisticated cyber attacks has underscored that the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data.”
Anurag Gurtu, CPO, StrikeReady had this to say:
“As part of any digital transformation, Zero Trust networks should be a key initiative that focuses on securing resources (data, identities, and services), rather than securing physical networks.
By focusing on tailored controls around sensitive data stores, applications, systems, and networks, the Zero Trust model shifts the focus away from varying types of authentication and access controls.
The Zero Trust initiative should be supported by other key initiatives such as modernizing the security operations as well as uniting and empowering cyberdefenders. Without one of these, an organization’s security will be shaky at best.”
I like the fact that The White House is putting their influence behind this. That will hopefully encourage companies to do the same thing.
UPDATE: I have additional commentary from Lucas Budman, CEO, TruU:
“Securing only endpoints, firewalls, and networks provide little protection against identity and credential-based threats. Users should be authenticated continuously, from the time they try to login to the moment they log out. Until organizations start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches. The initial step in any successful Zero Trust strategy should focus on granting access by verifying the person requesting access, understanding the context of the request, and determining the risk of the access environment. This never trust, always verify, enforce least privilege approach provides the greatest security for organizations.
It’s also important in a Zero Trust construct to recognize that devices that access data (laptops, desktops, mobile devices) have identities, as well. You have to understand the device’s posture when accessing the network in order to provide proper device level authentication and authorization. If the user only has access to non-sensitive or public information, the enterprise may not care that their device might have malware; however, if the user is trying to access sensitive financial or customer data, access should only be given to those devices that are managed, trusted and protected. In any case, simultaneous device risk data and identity authentication allow customers to implement policies that respond to potential threats as they happen by stepping up identity verification on compromised endpoints and limiting access to high-value assets associated with those endpoints.”
Leave a comment »