A year after the White House released its Executive Order (EO) on Improving the Nation’s Cybersecurity, federal agencies are moving to develop a long-term zero trust security architecture across their networks as they adopt more near-term goals.
Officials from the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA) and the White House’s Office of the National Cyber Director are reviewing their zero trust architecture plans after OMB directed agencies to adopt zero trust cybersecurity principles by the end of Fiscal Year 2024, Federal Chief Information Security Officer Chris DeRusha told lawmakers during a May 2022 hearing.
In addition, cybersecurity leaders have publicly stated that agencies have made tremendous strides in adopting a better defensive posture since the release of last year’s cyber EO, specifically related to endpoint detection and response, encryption, and multifactor authentication.
Investing in a Shift Toward Zero Trust
Increased funding is accelerating some agencies’ efforts to implement a zero trust architecture and solutions. The U.S. Department of Agriculture (USDA) recently received $4.4 million from the Technology Modernization Fund (TMF) to invest in a zero trust cybersecurity architecture, given the agency’s role as a shared service provider and a major source of public-facing government services. According to the General Services Administration (GSA), the TMF will help the USDA implement a zero trust architecture to secure shared services and sensitive data, and protect websites that connect citizens to vital resources.
The GSA is also transitioning its cybersecurity strategy to a zero trust strategy that aligns with the administration’s EO cybersecurity goals, according to David Shive, chief information officer at the GSA. The GSA has collaborated with officials at CISA, OMB, the National Institute of Standards and Technology (NIST), and the Office of the National Cyber Director to deploy zero trust best practices and share information, Shive told lawmakers at a May subcommittee hearing.
Zero trust is neither a panacea nor a single solution, but it involves investment in a multiyear approach that builds on the cybersecurity principles of least privilege and layered defense, which Shive noted are readily achievable today thanks to advances in technology.
How Agencies are Adopting a Data-Driven Approach
Forward-looking agencies are actively incorporating zero trust into their security models. In the near future, more agencies will follow suit as a dynamically changing threat environment and White House mandates prompt agencies to transition from static network-based access controls to focusing on people, their devices, and the resources they’re trying to access — particularly data.
“The last few years have shown traditional approaches to cyber and network defense are no longer commensurate with the threats we face as a government,” Shive said. “We need to raise the security bar, integrating zero trust concepts into everything we do in IT, security, and assurance levels.”
OMB released a follow-up memorandum to the EO in January 2022, shifting the focus of cybersecurity architectures by placing an increased emphasis on the data within these systems.
RBAC vs. ABAC: Why Now?
The OMB memo makes a specific recommendation that attribute-based access control (ABAC) be applied to federal zero trust networks. While acknowledging that many government agencies currently utilize role-based access control (RBAC) models, the memo states that a “Zero trust architecture should incorporate more granularly and dynamically defined permissions, as [ABAC] is designed to do.”
ABAC is critical for an effective security architecture. Its security, scalability, and simplicity make it easily optimizable while allowing agencies to implement the “never trust, always verify” principle central to zero trust theory.
Rather than creating stiff and unalterable “roles” on which policy and access can be based, ABAC systems assess a user’s multifaceted attributes at the time of access, as well as the metadata and tags associated with the data itself, to make a more holistic access decision at query runtime. Most importantly, this flexibility does not come at the expense of data policy enforcement – exactly the opposite, in fact. ABAC’s implementation allows for more efficient, less risky, easily auditable policy enforcement across the data domain. Role explosion and policy bloat would obstruct effective access in an RBAC model. However, ABAC removes these roadblocks.
Abstracting policy creation from data storage and compute platforms means policy is enforced consistently across an organization. This allows data to be governed securely with ease. Separating policy from platform also strengthens zero trust security because it subjects users to policies no matter where, when, or why they query, while simultaneously keeping data protected across platforms.
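An added illustration of the runtime decision and platform-independent enforcement described in the two paragraphs above. It is not taken from the OMB memo or any agency system; the attribute names, sensitivity levels, policy rule and sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from itertools import product

# Constructed attribute vocabularies, for illustration only.
SENSITIVITY = ["public", "internal", "restricted"]   # ordered low -> high
PROGRAMS = ["nutrition", "forestry", "loans"]
REGIONS = ["east", "west"]
RANK = {level: i for i, level in enumerate(SENSITIVITY)}

@dataclass(frozen=True)
class User:
    clearance: str
    programs: frozenset
    region: str
    mfa_verified: bool

@dataclass(frozen=True)
class Record:
    sensitivity: str   # tag on the data
    program: str       # tag on the data
    region: str        # tag on the data
    payload: str

def abac_allows(user: User, rec: Record) -> bool:
    """Single policy evaluated per request; anything unrecognized is denied."""
    if user.clearance not in RANK or rec.sensitivity not in RANK:
        return False                      # untagged or mistagged data fails closed
    return (user.mfa_verified
            and RANK[user.clearance] >= RANK[rec.sensitivity]
            and rec.program in user.programs
            and (rec.sensitivity == "public" or user.region == rec.region))

def query(user: User, store: list) -> list:
    """Platform-agnostic enforcement: the same policy filters any store's rows."""
    return [r.payload for r in store if abac_allows(user, r)]

def rbac_roles_needed() -> int:
    """Static roles needed to pre-encode the same rule: one per attribute combination."""
    return len(list(product(SENSITIVITY, PROGRAMS, REGIONS)))

# Constructed sample data held on two different platforms.
WAREHOUSE = [Record("internal", "loans", "east", "loan-ledger"),
             Record("restricted", "loans", "west", "loan-audit")]
LAKE = [Record("public", "forestry", "west", "trail-map"),
        Record("", "loans", "east", "untagged-export")]

analyst = User("internal", frozenset({"loans", "forestry"}), "east", True)
```

Because the decision is computed from attributes at request time, a change in the user's state (for example, a session without verified MFA) changes the outcome immediately, with no role reassignment.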
As federal agencies transition to zero trust environments that align with the Cyber EO, a focus on a data-driven approach will yield the best results. ABAC is essential in providing federal data teams with the tools they need to move away from static access controls and keep data secure.