Since the White House released its Executive Order (EO) on Improving the Nation’s Cybersecurity in 2021, federal agencies have begun developing long-term zero trust security architectures across their networks while also adopting near-term goals.
Officials from the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), and the White House’s Office of the National Cyber Director are reviewing their zero trust architecture plans after OMB directed agencies to adopt zero trust solutions by the end of Fiscal Year 2024, Federal Chief Information Security Officer Chris DeRusha told lawmakers during a May 2022 hearing.
In addition, cybersecurity leaders have publicly stated that agencies have made tremendous strides in adopting a better defensive posture since the release of the executive order, specifically related to managed detection and response, encryption, and multifactor authentication.
But forward momentum should not be conflated with ease of implementation. In this blog, we’ll look at how agencies are putting zero trust in practice, and unpack specific recommendations to simplify the process as much as possible, without cutting corners.
Investing in the Zero Trust Executive Order
Increased funding is accelerating some agencies’ efforts to implement a zero trust architecture and solutions. The U.S. Department of Agriculture (USDA) received $4.4 million from the Technology Modernization Fund (TMF) to invest in a zero trust cybersecurity architecture, given the agency’s role as a shared service provider and a major source of public-facing government services. According to the General Services Administration (GSA), the TMF will help the USDA implement a zero trust policy to secure shared services and sensitive data, and protect websites that connect citizens to vital resources.
The GSA is also transitioning its cybersecurity strategy to a zero trust strategy that aligns with the administration’s EO cybersecurity goals, according to David Shive, chief information officer at the GSA. The GSA has collaborated with officials at CISA, OMB, the National Institute of Standards and Technology (NIST), and the Office of the National Cyber Director to deploy zero trust best practices and share information.
Zero trust is neither a panacea nor a single solution, but it involves investment in a multiyear approach that builds on the cybersecurity principles of least privilege and layered defense, which are readily achievable today thanks to technological advances like automated data access control and data monitoring.
How Agencies are Approaching the Zero Trust Executive Order
Forward-looking agencies are actively incorporating zero trust data security models. In the near future, more agencies will follow suit as an evolving cyber threat landscape and White House mandates prompt agencies to move from implementing static, network-based access controls to focusing on people, their devices, and the resources they’re trying to access — particularly data.
“The last few years have shown traditional approaches to cyber and network defense are no longer commiserate with the threats we face as a government,” Shive said. “We need to raise the security bar, integrating zero trust concepts into everything we do in IT, security, and assurance levels.”
OMB released a follow-up memorandum to the zero trust executive order less than a year after its introduction, shifting the focus of data security architectures by placing an increased emphasis on the data within these systems.
RBAC vs. ABAC: Why Now?
The OMB memo makes a specific recommendation that attribute-based access control (ABAC) be applied to federal zero trust networks. While acknowledging that many government agencies currently utilize RBAC (role-based access control) models, the memo states that a “zero trust architecture should incorporate more granularly and dynamically defined permissions, as [ABAC] is designed to do.”
An ABAC model is a critical part of an effective security architecture. Its security, scalability, and simplicity make it easily optimizable while allowing agencies to implement the “never trust, always verify” principle central to zero trust theory.
Rather than creating stiff and unalterable “roles” on which to base permissions, an ABAC policy assesses a user’s multifaceted attributes at the time of access, as well as the metadata and tags associated with the data itself, to make a more holistic access decision at query runtime. Most importantly, this flexibility does not come at the expense of data policy enforcement – exactly the opposite, in fact. ABAC’s implementation allows for more efficient, less risky, easily auditable policy enforcement across the data domain. Role explosion and policy bloat would obstruct effective access in an RBAC model, but ABAC removes these roadblocks.
By abstracting policy creation from data storage and compute platforms, policy is consistently enforced across an organization or agency. This allows data to be governed securely with ease. Separating policy from platform also strengthens zero trust security because it subjects users to policies no matter where, when, or why they query, and while simultaneously keeping data protected across platforms.
As federal agencies transition to zero trust environments that align with the Cyber EO, a focus on a data-driven approach will yield the best results. ABAC is essential in providing data teams in the public sector with the tools they need to move away from static access controls and keep data secure.
For more on how your agency can transition from RBAC to ABAC and its benefits, download this white paper.
